nanog mailing list archives

Re: Vonage complains about VoIP-blocking


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Tue, 15 Feb 2005 20:48:04 -0500


In message <Pine.GSO.4.58.0502152015130.16931 () clifden donelan com>, Sean Donelan writes:

On Tue, 15 Feb 2005, Hannigan, Martin wrote:
Unfortunately, TFTP is the only protocol that many phone vendors
implement -- and VoIP operators aren't happy about it.  Some vendors
have started implementing HTTP(S), but it's far from common at this point.

Wouldn't there be a fee to utilize https?

Only if you like giving $995 to Verisign for fancy SSL certificates.

Most https phones can use locally issued X.509 certificates for the
download. Some use manufacturer-issued root certificates if you
want to get fancy and use code signing, etc.

Not the same problem as Microsoft Internet Explorer trusting every
root certificate in its cache.  IP phones usually have a very short
certificate trust list in the phone.

Precisely.  You not only don't need a Verisign cert for this, you don't 
want one.  The phone should trust the authorized operator, which bears 
no relationship to an identity that Verisign (or whomever) attests to.  

The really interesting question, to me, is how to let users provision 
their phones to talk to the operator of their choice.  The simplest 
solution is probably something like a SIM; it would contain the 
customer subscription data and the operator's CA certificate.  
Switching providers would be as simple as switching SIMs.  (Of course, 
that assumes that this time we can avoid SIM-locking nonsense....)

                --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
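
The short trust list discussed in this thread, as an added example that is not part of any poster's message: a shell sketch in which a phone that trusts only its operator's locally issued CA accepts the operator's provisioning server and rejects a certificate for the same server name issued by any other CA. It assumes OpenSSL 1.1.0 or later; the CA names, file names and the host name prov.operator.example are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name below (CAs, files, host name) is made up.
# Assumes OpenSSL 1.1.0 or later on PATH.
set -eu

make_ca() {      # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

issue_cert() {   # $1 = CA prefix, $2 = leaf prefix, $3 = server name
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

phone_trusts() { # $1 = the phone's trust list (PEM), $2 = server certificate
    # -CAfile replaces the default CA file and -no-CApath drops the default
    # CA directory, so only the roots in $1 can anchor the chain.
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

make_ca operator "Example Operator CA"   # locally issued, no public CA involved
make_ca other    "Some Other CA"         # stands in for any CA the phone does not list
issue_cert operator good  prov.operator.example
issue_cert other    rogue prov.operator.example

if phone_trusts operator.pem good.pem; then
    echo "operator-issued certificate: accepted"
fi
if ! phone_trusts operator.pem rogue.pem; then
    echo "same server name, different CA: rejected"
fi
```

Switching operators in this model means replacing `operator.pem` in the phone's trust list, which is the role the thread suggests a SIM-like token could play.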


