volga629 at networklab.ca volga629 at networklab.ca
Tue Dec 3 08:39:30 EST 2019

Thank you reply, so any bad actor can't use as example with self sign 
certificates ?   So digital signature must be produced from well known 
authorized CA certificate key pair ?

Can you point on one of the well know CA authority which authorized for 


On Tue, Dec 3, 2019 at 06:56, Liviu Chircu <liviu at opensips.org> wrote:
> On 03.12.2019 03:59, volga629 via Users wrote:
>> If call from originator is being replaced by middle with same source 
>> and destination and change Identity  header with keys and 
>> certificate location is possible that terminator will authorize it ?
> Hi Volga,
> Yes, it is perfectly possible to rebuild the Identity header and 
> re-attribute the
>  asserted source/destination to yourself.  In order to do this, you 
> only need to own
>  an officially recognized STIR/SHAKEN X509 cert along with its 
> private key, issued by
>  a STIR/SHAKEN certification authority.
> So, while this is possible, I don't see why anyone in their right 
> mind would do it.
>  Doing so would jeopardize the image of the carrier, putting their 
> business at risk.
>  It's similar to how public IP routing in the internet works:  any 
> ISP could MITM any
>  piece of traffic, yet none do.  Or do they? :)
> Best regards,
> --
> Liviu Chircu
> OpenSIPS Developer
> http://www.opensips-solutions.com <http://www.opensips-solutions.com/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20191203/b036850e/attachment.html>

More information about the Users mailing list