Archive for the ‘VoIP’ Category

New rev of SIP-SAML profile

Tuesday, November 4th, 2008

There’s a new revision of the SIP-SAML profile spec..

SIP SAML Profile and Binding

The key changes in this revision are that we’re aiming for experimental track (for now) due to a subtle-but-important impedance mismatch with the “SIP Identity” spec (RFC 4474, which we build upon), and we’ve added an additional profile to the spec. This new profile simply specifies SAML assertion conveyance “by value” in the body of SIP message(s) rather than “by reference”.

Note that the overall notion of “SIP Identity” has been in-flux over the last year+. Once that set of issues is (hopefully) resolved, then we can do another SIP-SAML spec on the standards track.

Also, the SIP WG co-chairs have called for Working Group Last Call on this -05 revision.

=JeffH sez getcher comments in!

A plug for Gizmo

Thursday, October 5th, 2006

So there’s this bit of software called Gizmo that’s pretty cool, available from It’s a SIP (Session Initiation Protocol) -based “softphone” widget, err.. gizmo, that allows one to make voice calls on the Internet, like VoIP, duh.

Anyway, obvious to anyone who’s paid a lick of attention the past few years, this competes with Skype. Since the Skype folk got a head start in this here land-grab internet property era we’re in, seems many of my colleagues have a skype account, but not many have a Gizmo one. So I’m posting this here to encourage folks to give Gizmo a try. Of course it offers all the features of Skype, and more (much larger concall size is one obvious feature bennie). And it is open-standards-based, as compared to Skype, which is so ridiculously proprietary they even went to enormous lengths to obfuscate their executable code, apparently in order to try to stymie reverse-engineering (as I’d written about previously). So anyway, since I favor open-standards-based systems, and work in designing them (eg LDAP, SAML, ID-WSF, and now the SIP-world), I wish more folks would try Gizmo.

The only substantial complaint I’ve heard wrt Gizmo is that it can only register with Gizmo’s own SIP proxy server farms. Well, with the relatively recent version 2.x, this is remedied, and a Gizmo client can register with both the Gizmo proxies, and with any generic (and typically free, in the economic sense) SIP proxy you wish, eg, and, your own open-source Asterisk SIP server at home, or your company’s SIP server.

JeffH sez check it out.

ps: Of course, I’m also very supportive of open source SIP clients — I just haven’t had the time to check them out yet. There are some, though, so take a looksee here, or google for ’em. I’ll have to try some of them out and write about them. There’s also so-called “SIP hardphones” — I just got a SNOM 320 on my desk, and am exploring it. So far it’s pretty cool — although I can’t easily haul it around with me.

Report on security risks of applying CALEA to VoIP

Wednesday, June 14th, 2006

A report on the security risks of applying CALEA to VoIP is available on the website. To quote the site:

A new ITAA study by Internet gurus Vint Cerf, Whit Diffie and other experts warns that extending CALEA wiretap measures to Voice over Internet Protocol communications could stall innovation and introduce major security problems.

One of the report’s authors, Susan Landau, announced the report via this message to Dave Farber’s Interesting-People mailing list.

SIP-based VoIP client/softphone for PalmOS (e.g. Treo)

Tuesday, May 16th, 2006

see: mobiVoIP

Unfortunately, the beta is oversubscribed. But they do have a “forums” site, so one can “look over the shoulders” of the guinea pigs 😉

Skype.exe innards revealed…

Thursday, April 6th, 2006

This slide deck, from the recent Black Hat Europe 2006 conference..

..provides an intriguing look inside the Skype executable, revealing the fairly great lengths its creators went to in attempting to obfuscate its code and workings. Also dissected are the ciphering techniques applied to Skype PDUs (protocol data units, aka packets). The deck illustrates creatively effective use of various debugging/disassembling tools. Icing on the proverbial cake are their some-assembly-required instructions for how to patch skype.exe for use in creating your own closed, private P2P network :)

This work adds to the body of openly disseminated information about this very closed P2P network and program. For reference, here are two earlier analyses..

Observing and Analyzing the Intersection of Privacy, Security, and Public Policy

Saturday, March 11th, 2006

My colleague and friend, Susan Landau, works (in one of her multi-facets) at the intersection of privacy, security, and public policy. I find it a good idea to keep up on what she’s writing in these areas. She doesn’t (yet?) have a blog per se, but watching the publications section of her homepage works pretty well — hence there being a link to her page in my sidebar here. She has a couple of recent articles on the multi-faceted topic of the Internet/VoIP and wiretapping/CALEA that are interesting and provocative…