Skype to address identification concerns

Skype plans to address the concerns of some IT managers by improving its identity authentication process.

Part of Skype's "wish list" for further expansion into the business market is to create policy-driven username authentication for business customers, the voice-over-IP pioneer revealed on Wednesday.

"There's a lot of leverage space in the identity segment," Kurt Sauer, chief security officer for Skype, told ZDNet UK.

One security concern for IT managers is that while Skype uses an encrypted public key infrastructure, it automatically authenticates users itself. This means that users cannot authenticate the identity of the people they are communicating with.

"Skype is a public key infrastructure, which means nothing if you don't know who you are identifying at the other end," said Sauer.

The company is researching ways users can authenticate each other, including looking at ring of trust models, where a certification authority (CA) establishes the identity of users. Once user identity has been established, the user is added to the ring of trust by being issued with a certificate from the CA.

Skype is also doing research into anonymous bidding models, where users are identified as anonymous players, and use scores and ratings from other players to establish trust, according to Sauer.

The company on Wednesday admitted identity authentication was a problem for Skype, but denied it was a security issue.

"Identity authentication is more of a usability problem," Michael Jackson, director of operations for Skype, told ZDNet UK. "[Skype] is not usable for a 10,000 user deployment at the moment. This something we can build in."

Skype will attempt to address these concerns by allowing companies policy-driven addition and deletion of usernames, for employees joining and leaving departments.

"If you have 200 people per department, managers want them to be automatically added on when they join, and taken off when they leave. It's these kinds of features that will appeal to larger businesses," said Jackson.

"We want functionality to be enabled or disabled on a policy basis, so Skype users can use [Skype] without invalidating business policy," Sauer added.

Skype is also researching single sign-on authentication, and is looking to integrate this into lightweight directory access protocol (LDAP) interoperability between Skype and unnamed third party software.

"If you have one single namespace, there's an opportunity there [for Skype] to leverage that space by integrating third party LDAP, which has been built into some large identity management systems in large enterprises," said Sauer.

Skype is setting its sights on larger enterprises, while continuing to focus on the consumer market. At the moment, Skype is not suitable for use in big businesses, according to Jackson.

"As we move up the quality ladder, appealing to 500-plus employee enterprises is essential. We want a tool you can use at home, take to work, and not violate policy," said Jackson. "Our product is not suitable for a trading environment at the moment, but then there are rather few companies listening to their employees' conversations every day."

"One instant messaging company wanted to put Skype on a trading floor, and we said to them, 'This is probably not the right product for you'," Sauer said.