[Freeswitch-users] ZRTP SAS to non ZRTP call leg UA?

Travis Cross tc at travislists.com
Tue Mar 18 19:53:53 MSK 2014


On 2014-03-16 21:52, Bill Ross wrote:
> Trouble is trust. Us techies have it, but end users have no basis. Would
> still like to do this and also add a UA to display/speak other call leg
> SAS on demand.

The trouble with this in practice is that it requires users to have an
excellent understanding of the security parameters.  The non-ZRTP leg
user must understand that the SAS does nothing to enhance the security
of his call leg.  The entire exercise is to enhance the security of
the other call leg.

It's something of a perversion of the SAS as it's not being generated
by the client device.  Or rather, you have to treat the PBX as the
client device, and the non-ZRTP UA as simply a terminal to that actual
client.

You also have to be careful about training users to accept an SAS
presented in an insecure place like the Caller ID field or via an
automated read-back.  Attackers can trivially exploit user comfort
with that behavior.

The script is there because Phil wanted to use it.  But Phil may be
the only person I would trust to use this sort of thing regularly
without getting confused about the awkward security situation.


