by zokier 246 days ago
I feel the fundamental problem is the idea of a phone number being secret or private in the first place. It is just a very weak form of access control, I believe we can do much better these days.

How so?
Besides being trivial to enumerate, every service and their mother is asking for a phone number, from physical stores/rentals/hotels who sometimes reject you if you say no, to the countless online services either asking for it or requiring it. I must have given away my phone number to hundreds if not thousands of entities after having it for more than 20 years.
I was interested in how we could do much better, but I should have been more specific.
Incoming calls should be subject to ACLs and a default-deny policy should be practical. This means that

- caller identity should not be spoofable

- identities should form hierarchies and groups so you can allow whole organizations instead of individuals

- organizations should use predictable identities for egress calls

- most likely managing multiple identities per device is needed (e.g. personal and work identities)

etc

None of this is particularly difficult technically. Even simply slapping x509 certs on calls and having some basic filtering would achieve a lot.
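
The default-deny, hierarchy-aware call filtering described in the comment above, as an added example that is not part of the original thread. The dotted identity format, the `verified` flag (standing in for certificate validation done elsewhere) and every name in the code are assumptions of this example.

```python
from dataclasses import dataclass

# Assumed identity format: a dotted path from organization down to
# individual, e.g. "acme-bank.fraud-desk.alice". All values are constructed.

@dataclass(frozen=True)
class Call:
    identity: str   # identity the caller claims
    verified: bool  # True only if an upstream check (e.g. certificate
                    # signature validation, not shown here) succeeded

@dataclass(frozen=True)
class Rule:
    prefix: str     # individual identity or group/organization prefix
    allow: bool

def covers(prefix: str, identity: str) -> bool:
    """True if identity equals prefix or sits below it in the hierarchy.

    Comparison is per segment, so "acme-bank" does not cover
    "acme-bank-fake.support".
    """
    p, i = prefix.split("."), identity.split(".")
    return len(p) <= len(i) and i[:len(p)] == p

def decide(call: Call, acl: list[Rule]) -> str:
    # An unauthenticated identity is only a claim: never match rules on it.
    if not call.verified:
        return "deny"
    matches = [r for r in acl if covers(r.prefix, call.identity)]
    if not matches:
        return "deny"  # default-deny: no rule, no call
    # Most specific rule wins; at equal depth, deny beats allow.
    best = max(matches, key=lambda r: (len(r.prefix.split(".")), not r.allow))
    return "allow" if best.allow else "deny"

# Constructed policy for one identity/profile on a device.
PERSONAL_ACL = [
    Rule("acme-bank", allow=True),             # whole organization
    Rule("acme-bank.marketing", allow=False),  # except one department
    Rule("family.mom", allow=True),            # a single individual
]

if __name__ == "__main__":
    for ident, ok in [("acme-bank.fraud-desk.alice", True),
                      ("acme-bank.marketing.bot7", True),
                      ("acme-bank.fraud-desk.alice", False),
                      ("acme-bank-fake.support", True)]:
        print(ident, ok, "->", decide(Call(ident, ok), PERSONAL_ACL))
```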

> None of this is particularly difficult technically. Even simply slapping x509 certs on calls and having some basic filtering would achieve a lot.

Slapping x509 certs on probably some of the oldest telecommunications infrastructure in the world (both in terms of devices using it, and devices enabling it) wouldn't be "technically difficult"?

But I've never worked in telecommunications, maybe I'm overestimating how large a piece of work this would be.

Relative to the effort that has been poured into VoLTE etc. and 3G/4G/5G in general.
> maybe I'm overestimating

Probably not.