<div><div dir="auto">I’d also like to point out that in doing so, the identity would change. So if a MITM reissues the identity signature, they can only say it’s them now. So if the traffic isn’t legitimate, they are basically saying “This is me”, which I think is the underlying reason why it’s very unlikely that a bad actor in the middle would ever want to do something like this. </div><div dir="auto"><br></div><div dir="auto">I’m not sure how a self-signed signature would be treated in the larger STIR/SHAKEN implementations (I’d assume it’d be treated as non-authoritative), but like I said, this would be the bad actor rewriting the identity to say it’s them, or someone else rather than the actual identity. If they aren’t a valid identity, they are basically no-one. </div><div dir="auto"><br></div><div dir="auto"><br></div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 3, 2019 at 7:43 AM volga629 via Users <<a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><div id="m_1815347580016817908geary-body" dir="auto"><div>Thank you for the reply, so a bad actor can't use, as an example, self-signed certificates? So the digital signature must be produced from a well-known authorized CA certificate key pair?</div><div><br></div><div>Can you point to one of the well-known CA authorities which is authorized for SHAKEN/STIR?</div></div><div id="m_1815347580016817908geary-body" dir="auto"><div><br></div><div>volga629 </div><div><br></div><div><br></div></div><div id="m_1815347580016817908geary-quote" dir="auto"><br>On Tue, Dec 3, 2019 at 06:56, Liviu Chircu <<a href="mailto:liviu@opensips.org" target="_blank">liviu@opensips.org</a>> wrote:<br><blockquote type="cite">
<div>On 03.12.2019 03:59, volga629 via Users
wrote:<br>
</div>
<blockquote type="cite">
<div id="m_1815347580016817908geary-body" dir="auto">
<div><span style="font-variant-ligatures:normal"><span style="font-variant-ligatures:normal;background-color:rgb(255,255,255)">If a call from the
originator is replaced in the middle with the same source
and destination, and the Identity header is changed with keys and
a certificate location, is it possible that the terminator will
authorize it?</span></span></div>
</div>
</blockquote>
<p><tt style="font-family:monospace">Hi Volga,</tt></p>
<p><tt style="font-family:monospace">Yes, it is perfectly possible to rebuild the Identity header
and re-attribute the<br>
asserted source/destination to yourself. In order to do this,
you only need to own<br>
an officially recognized STIR/SHAKEN X509 cert along with its
private key, issued by<br>
a STIR/SHAKEN certification authority.</tt></p>
<p><tt style="font-family:monospace">So, while this is possible, I don't see why anyone in their
right mind would do it.<br>
Doing so would jeopardize the image of the carrier, putting
their business at risk.<br>
It's similar to how public IP routing in the internet works:
any ISP could MITM any<br>
piece of traffic, yet none do. Or do they? :)</tt></p>
<p><tt style="font-family:monospace">Best regards,<br>
</tt></p>
<pre cols="72" style="font-family:monospace">--
Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com" target="_blank" style="font-family:monospace">http://www.opensips-solutions.com</a></pre>
</blockquote></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote></div></div>
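<div dir="auto">As an added illustration of the exchange above (example code written for this note, not OpenSIPS code and not from any of the thread's authors): a minimal SHAKEN PASSporT signer and the terminating-side verifier in Go. The x5u URLs, telephone numbers and trust store are constructed, and STI-CA chain validation is simulated by membership in that store rather than real X.509 chain building. A PASSporT re-signed under a key in the store verifies and names that signer as the accountable party; a self-signed or unknown x5u is rejected as non-authoritative, as is a token that borrows a trusted x5u but was signed with some other key.</div>

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// newKey is a constructed stand-in for the P-256 key pair behind a carrier's STI certificate.
func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// signPassport builds a SHAKEN PASSporT (RFC 8225/8588 layout) signed with ES256; whoever signs asserts "this is me" via x5u.
func signPassport(priv *ecdsa.PrivateKey, x5u, orig, dest, attest string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	pl, _ := json.Marshal(map[string]interface{}{"attest": attest, "dest": map[string][]string{"tn": {dest}}, "iat": 1575380000, "orig": map[string]string{"tn": orig}, "origid": "constructed-origid"})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:]) // JWS ES256 signature is raw r||s, 32 bytes each
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verifyPassport is the terminating side's check. trusted maps an x5u URL to the key of a certificate that chains
// to an STI-CA (simulated by membership); anything else, a self-signed certificate included, is non-authoritative.
func verifyPassport(token string, trusted map[string]*ecdsa.PublicKey) (string, error) {
	parts := strings.Split(token, ".") // header.payload.signature; Split never returns an empty slice
	var hdr struct{ Alg, Ppt, X5u string }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" || hdr.Ppt != "shaken" {
		return "", errors.New("malformed or unsupported PASSporT")
	}
	pub, ok := trusted[hdr.X5u]
	if !ok {
		return "", errors.New("non-authoritative: " + hdr.X5u + " does not chain to a trusted STI-CA")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature invalid")
	}
	return hdr.X5u, nil // the accountable signer is whoever x5u names, whatever orig claims
}
```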