OSTN Compliance Specification

From Guardian Project Wiki

General Requirements

• MUST require verifiable encryption of all signaling data
  • SHOULD utilize SSLv2/3 for the SIP signaling channel
  • SHOULD utilize a Root Certificate Authority that has a trusted status
    
• MUST allow encryption of Real-time Transport Protocol (RTP) media stream
  • MUST support proxying of media streams
  • MUST support unmodified proxying of ZRTP encrypted 
  • MUST support voice calling
  • MAY support video calling
    
• MUST run in as secured server environment as possible
  • SHOULD utilize full disk encryption
  • SHOULD run on a locked down instance of a known secure operating system
  • SHOULD utilize an intrusion detection capability
    
• MUST provide either simple extensions or friendly name user identifiers
  • MAY support use of existing device telephone numbers as identifiers
  • MAY support use of existing handles/usernames as identifier and callerid
    
• MUST operate in a privacy preserving manner towards user data
  • MUST NOT require real name or other personally identifying information
  • MUST anonymous or remove all system logs, and only use logs for diagnostics
  • MUST notify the user when the server is compromised or otherwise put into a state that could cause them risk or harm
    
• MAY provide additional telephony services, so long as they are not privacy reducing
  • MAY provide voicemail service, though it should be stored in an encrypted manner
  • MAY provide SIP-based messaging through it should be done via the OTR protocol