OSTN Compliance Specification

General Requirements

  • MUST require verifiable encryption of all signaling data
    • SHOULD utilize TLSv1 or higher for the SIP signaling channel
    • SHOULD utilize a Root Certificate Authority that has a trusted status
  • MUST allow encryption of Real-time Transport Protocol (RTP) media stream
    • MUST support proxying of encrypted media streams
    • MUST support unmodified proxying of ZRTP encrypted 
    • MUST support voice calling
    • MAY support video calling
  • MUST run in as secure a server environment as possible
    • SHOULD utilize full disk encryption
    • SHOULD run on a known secure operating system with current patches of all software
    • SHOULD utilize an intrusion detection capability
  • MUST provide either simple extensions or name user identifiers
    • MAY support use of existing device telephone numbers as identifiers
    • MAY support use of existing handles/usernames as identifiers and caller ID
  • MUST operate in a privacy preserving manner towards user data
    • MUST NOT require real name, cell phone number or other personally identifying information
    • MUST anonymize or remove all system logs
    • MUST NOT log any persistent IP address data
    • MUST notify the user when the server is compromised or otherwise put into a state that could cause them risk or harm
  • MAY provide additional telephony services, so long as they are not privacy reducing
    • MAY provide voicemail service, with encrypted storage and valid client certificate
    • MAY provide SIP-based messaging using the OTR protocol
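
One way to meet the two logging requirements above ("MUST anonymize or remove all system logs", "MUST NOT log any persistent IP address data") is to scrub each line before it is written to disk. The filter below is an added example, not part of the OSTN specification or any OSTN server code; the log format, the IP_REMOVED placeholder and the per-run pseudonyms for SIP usernames are assumptions of the example.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets

# Assumption: key is held in memory only, so pseudonyms cannot be
# linked across server restarts and nothing persistent is stored.
_RUN_KEY = secrets.token_bytes(32)

_V4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
_V6 = re.compile(r"(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])")
_SIP_USER = re.compile(r"\b(sips?:)([^@\s;<>]+)@")


def _drop_if_ip(match):
    """Replace the candidate only if it parses as a real IP address."""
    try:
        ipaddress.ip_address(match.group(0))
    except ValueError:
        return match.group(0)  # e.g. a 12:34:56 timestamp, left untouched
    return "IP_REMOVED"


def _pseudonym(match):
    """Swap the SIP username for a keyed, per-run tag; keep scheme and domain."""
    tag = hmac.new(_RUN_KEY, match.group(2).encode(), hashlib.sha256).hexdigest()[:8]
    return f"{match.group(1)}user-{tag}@"


def scrub(line):
    """Return a log line with IP addresses removed and SIP users pseudonymized."""
    line = _V6.sub(_drop_if_ip, line)
    line = _V4.sub(_drop_if_ip, line)
    return _SIP_USER.sub(_pseudonym, line)


# Constructed sample lines (not taken from a real server).
SAMPLE = [
    "Jan 01 12:34:56 sip[411]: REGISTER sip:alice@ostn.example from 203.0.113.7:5061",
    "Jan 01 12:35:02 sip[411]: INVITE sips:bob@ostn.example via [2001:db8::1]:5061",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(scrub(raw))
```

The filter only helps if it sits in front of every log sink (syslog, SIP trace files, web server access logs); a single unfiltered sink still records addresses.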
