Skype hopes ID measures will win business users

Skype plans to address the security concerns of some IT managers by improving its identity authentication process.

Part of Skype's "wish list" for further expansion into the business market is to create policy-driven username authentication for business customers, the voice over IP pioneer revealed on Wednesday.

Kurt Sauer, chief security officer for Skype, told silicon.com sister site ZDNet UK: "There's a lot of leverage space in the identity segment."

One security concern for IT managers is that while Skype uses an encrypted public key infrastructure, it automatically authenticates users itself. This means that users cannot authenticate the identity of the people they are communicating with.

Sauer said: "Skype is a public key infrastructure, which means nothing if you don't know who you are identifying at the other end."

The company is researching ways users can authenticate each other, including looking at ring of trust models, where a certification authority (CA) establishes the identity of users. Once user identity has been established, the user is added to the ring of trust by being issued with a certificate from the CA.

Skype is also doing research into anonymous bidding models, where users are identified as anonymous players, and use scores and ratings from other players to establish trust, according to Sauer.

The company on Wednesday admitted identity authentication was a problem for Skype but denied it was a security issue.

Michael Jackson, director of operations for Skype, said: "Identity authentication is more of a usability problem. Skype is not usable for a 10,000-user deployment at the moment. This is something we can build in."

Skype will attempt to address these concerns by allowing companies policy-driven addition and deletion of usernames, for employees joining and leaving departments.

Jackson said: "If you have 200 people per department, managers want them to be automatically added on when they join, and taken off when they leave. It's these kinds of features that will appeal to larger businesses."

Sauer added: "We want functionality to be enabled or disabled on a policy basis, so Skype users can use Skype without invalidating business policy."

Skype is also researching single sign-on authentication, and is looking to integrate this into lightweight directory access protocol (LDAP) interoperability between Skype and unnamed third party software.

Sauer said: "If you have one single namespace, there's an opportunity there [for Skype] to leverage that space by integrating third party LDAP, which has been built into some large identity management systems in large enterprises."

Skype is setting its sights on larger enterprises, while continuing to focus on the consumer market. At the moment, Skype is not suitable for use in big businesses, according to Jackson.

He said: "As we move up the quality ladder, appealing to 500-plus employee enterprises is essential. We want a tool you can use at home, take to work, and not violate policy. Our product is not suitable for a trading environment at the moment but then there are rather few companies listening to their employees' conversations every day."

Sauer added: "One instant messaging company wanted to put Skype on a trading floor, and we said to them: 'This is probably not the right product for you'."

Tom Espiner writes for ZDNet UK