Thank you for the reply. So a bad actor can't use, for example, self-signed certificates? So the digital signature must be produced from a well-known authorized CA certificate key pair?

Can you point to one of the well-known CA authorities which is authorized for SHAKEN/STIR?


On Tue, Dec 3, 2019 at 06:56, Liviu Chircu wrote:
On 03.12.2019 03:59, volga629 via Users wrote:
If the call from the originator is replaced by someone in the middle with the same source and destination, and the Identity header is changed with keys and certificate location, is it possible that the terminator will authorize it?
Hi Volga,

Yes, it is perfectly possible to rebuild the Identity header and re-attribute the asserted source/destination to yourself. In order to do this, you only need to own an officially recognized STIR/SHAKEN X509 cert along with its private key, issued by a STIR/SHAKEN certification authority.

So, while this is possible, I don't see why anyone in their right mind would do it. Doing so would jeopardize the image of the carrier, putting their business at risk. It's similar to how public IP routing in the internet works: any ISP could MITM any piece of traffic, yet none do. Or do they? :)

Best regards,

Liviu Chircu
OpenSIPS Developer
