Brett Nemeroff brett at nemeroff.com
Tue Dec 3 08:51:51 EST 2019

I’d also like to point out that in doing so, the identity would change. So
if a MITM reissues the identity signature, they can only say it’s them now.
So if the traffic isn’t legitimate, they are basically saying “This is me”,
which I think is the underlying reason why it’s very unlikely that a bad
actor in the middle would ever want to do something like this.

I’m not sure how a self-signed signature would be treated in the larger
STIR/SHAKEN implementations (I’d assume it’d be treated as
non-authoritative), but like I said, this would be the bad actor rewriting
the identity to say it’s them, or someone else, rather than the actual
identity. If they aren’t a valid identity, they are basically no one.

On Tue, Dec 3, 2019 at 7:43 AM volga629 via Users <users at lists.opensips.org> wrote:

> Thank you for the reply, so any bad actor can't use, for example, self-signed
> certificates?   So the digital signature must be produced from a well-known,
> authorized CA certificate key pair?
> Can you point to one of the well-known CA authorities which is authorized for
> volga629
> On Tue, Dec 3, 2019 at 06:56, Liviu Chircu <liviu at opensips.org> wrote:
> On 03.12.2019 03:59, volga629 via Users wrote:
> If a call from the originator is replaced in the middle with the same source
> and destination, and the Identity header is changed along with the keys and
> certificate location, is it possible that the terminator will authorize it?
> Hi Volga,
> Yes, it is perfectly possible to rebuild the Identity header and re-attribute
> the asserted source/destination to yourself.  In order to do this, you only
> need to own an officially recognized STIR/SHAKEN X509 cert along with its
> private key, issued by a STIR/SHAKEN certification authority.
> So, while this is possible, I don't see why anyone in their right mind would
> do it. Doing so would jeopardize the image of the carrier, putting their
> business at risk.
> It's similar to how public IP routing in the internet works:  any ISP could
> MITM any piece of traffic, yet none do.  Or do they? :)
> Best regards,
> --
> Liviu Chircu
> OpenSIPS Developer
> http://www.opensips-solutions.com
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
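The re-signing scenario from this thread, as an added example that is not part of the thread, of OpenSIPS, or of any carrier's code: a Go program that mints an example STIR/SHAKEN CA, issues certificates to two carriers, builds a SHAKEN PASSporT (the JWS defined in RFC 8225) and wraps it in an RFC 8224 Identity header value, then verifies it the way a terminating carrier would. It covers the three cases the replies discuss: the originating carrier's header verifies and names Carrier A; a party in the middle that strips that header and re-signs the same orig/dest under its own CA-issued certificate also verifies, but the verifier now sees Carrier B as the asserting identity (Brett's "this is me" point); and a self-signed certificate gives a valid signature with no trust path, so it is rejected as non-authoritative. The CA, carrier names, telephone numbers, origid and x5u URL are all constructed for the example, and the signer's certificate is handed to the verifier directly instead of being fetched from the x5u URL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const x5u = "https://certs.example.net/shaken.pem" // hypothetical cert location, not a real endpoint

// identity is a signing party: its X.509 cert plus private key, generated in-process.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newCert mints a P-256 cert for cn: self-signed when issuer is nil, otherwise issued
// by issuer, which stands in for a STIR/SHAKEN certification authority.
func newCert(cn string, isCA bool, issuer *identity) *identity {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &identity{key, cert}
}

// signIdentity builds an Identity header value: a compact JWS over the SHAKEN claims (json.Marshal sorts
// map keys, giving the claim order PASSporT requires), ES256-signed by who using the raw R||S encoding
// JWS specifies, followed by the info/alg/ppt header parameters.
func signIdentity(who *identity, orig, dest, attest string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	claims, _ := json.Marshal(map[string]any{"attest": attest, "dest": map[string][]string{"tn": {dest}},
		"iat": time.Now().Unix(), "orig": map[string]string{"tn": orig}, "origid": "example-origid"})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, who.key, digest[:])
	if err != nil {
		panic(err)
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig) + ";info=<" + x5u + ">;alg=ES256;ppt=shaken"
}

// verifyIdentity does what a terminating carrier's verification service does: the presented cert must
// chain to a trusted STIR/SHAKEN root and the signature must verify under it. It returns who signed
// (the cert's CN) and the calling number that signer asserted.
func verifyIdentity(hdrValue string, signer *x509.Certificate, roots *x509.CertPool) (string, string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil { // a self-signed or unknown-CA cert fails here
		return "", "", fmt.Errorf("non-authoritative cert: %w", err)
	}
	parts := strings.Split(strings.SplitN(hdrValue, ";", 2)[0], ".")
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || !ok || err != nil || len(sig) != 64 {
		return "", "", fmt.Errorf("malformed PASSporT or non-ES256 key")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", "", fmt.Errorf("signature does not verify under the presented cert")
	}
	var claims struct {
		Orig struct{ Tn string `json:"tn"` } `json:"orig"`
	}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return "", "", fmt.Errorf("bad claims")
	}
	return signer.Subject.CommonName, claims.Orig.Tn, nil
}

func main() {
	ca := newCert("Example STIR/SHAKEN CA", true, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	// Constructed sample call: Carrier A originates, Carrier B (also CA-issued) re-signs it in the middle, Rogue is self-signed.
	for _, who := range []*identity{newCert("Carrier A", false, ca), newCert("Carrier B", false, ca), newCert("Rogue", false, nil)} {
		signer, tn, err := verifyIdentity(signIdentity(who, "+15551230001", "+15559870002", "A"), who.cert, roots)
		fmt.Printf("signer=%q orig=%q err=%v\n", signer, tn, err)
	}
}
```

Running it prints one line per signer: the first two succeed with the same asserted calling number but different signer names, which is exactly the point made above (the middle party can only assert the call as itself), and the third fails chain validation. A production verifier does more than this: it fetches and caches the cert from the x5u URL, checks that iat is fresh and that orig/dest match the INVITE's calling and called numbers as RFC 8224 requires, and applies the SHAKEN certificate-policy checks; none of that is shown here.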