I'm confused by this article for a couple of reasons:<p>- There is ZRTP, SRTP, SIP over TLS and many proprietary systems. Why add yet another one?<p>- Right now, adding a new extensions to what providers offer is extremely tricky - unless you have a massive number of customers who support / want it. Basically it's easier to add a new VPN connection on top of all the traffic to some site, rather than adding support for feature X (especially if your infrastructure is a mix&match of many solutions)<p>- I don't know the amount of standard trapezoid-type SIP connections on the internet these days - but I assume it's very low. If you have a local server with some serious usage, it will be a PBX and not a proxy. If it's a VPBX provider on the internet, it's most probably a PBX not a proxy. This (for many reasons) means that any encoding you can get is only between you and the provider. There, you lose the control over what's happening.<p>- "Identity" in SIP networks is a completely different concept than email "identity". Calling a sip uri, you might end up on a sip client, pstn phone, voicemail, redirection to someone else, or any crazy automated service you can imagine. I don't see this being addressed in the article. With user-controlled e.164 directory you may end up on someone's door intercom for all you know.<p>In reality my recommendation is - You want your call secure? Use your own network only. - You want your PSTN call secure? Forget about it - any serious provider is expected by local laws to provide means for wiretapping, so your call will have to be decoded. The best thing you can do is vpn/tls to your provider. Basically I disagree that the phone call security is something that can be solved by adding features to sip, rtp or other protocols...
I find the whole idea about calculating a hash from the shared key and then speaking it over the phone to verify that there isn't a MITM taking place very interesting.<p>Redphone for Android does this as well apparently but I've not tested it yet because it's US only - <a href="http://www.whispersys.com/" rel="nofollow">http://www.whispersys.com/</a>