I’d also like to point out that in doing so, the identity would change. So if a MITM reissues the identity signature, they can only say it’s them now. So if the traffic isn’t legitimate, they are basically saying “This is me”, which I think is the underlying reason why it’s very unlikely that a bad actor in the middle would ever want to do something like this.
I’m not sure how a self-signed signature would be treated in the larger STIR/SHAKEN implementations (I’d assume it’d be treated as non-authoritative), but like I said, this would be the bad actor rewriting the identity to say it’s them, or someone else, rather than the actual identity. If they aren’t a valid identity, they are basically no-one.

On Tue, Dec 3, 2019 at 7:43 AM volga629 via Users <users@lists.opensips.org> wrote:

> Thank you for the reply. So a bad actor can't use, for example, self-signed
> certificates? So the digital signature must be produced from a well-known
> authorized CA certificate key pair?
>
> Can you point to one of the well-known CA authorities which is authorized for
> SHAKEN/STIR.
>
> volga629
>
> On Tue, Dec 3, 2019 at 06:56, Liviu Chircu <li...@opensips.org> wrote:
>
> > On 03.12.2019 03:59, volga629 via Users wrote:
> >
> > > If a call from the originator is replaced in the middle, with the same
> > > source and destination, and the Identity header is changed with different
> > > keys and certificate location, is it possible that the terminator will
> > > authorize it?
> >
> > Hi Volga,
> >
> > Yes, it is perfectly possible to rebuild the Identity header and
> > re-attribute the asserted source/destination to yourself. In order to do
> > this, you only need to own an officially recognized STIR/SHAKEN X509 cert
> > along with its private key, issued by a STIR/SHAKEN certification authority.
> >
> > So, while this is possible, I don't see why anyone in their right mind
> > would do it. Doing so would jeopardize the image of the carrier, putting
> > their business at risk. It's similar to how public IP routing in the
> > internet works: any ISP could MITM any piece of traffic, yet none do.
> > Or do they? :)
> >
> > Best regards,
> >
> > --
> > Liviu Chircu
> > OpenSIPS Developer
> > http://www.opensips-solutions.com
> >
> > _______________________________________________
> > Users mailing list
> > Users@lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
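The scenario the thread is arguing about (a party in the middle rebuilding the Identity header, either with a self-signed certificate or with a genuine STI-CA-issued one) as an added worked example. This is not code from the thread, from OpenSIPS or from its stir_shaken module; it is written in Go against the standard library only. It constructs an STI-CA root plus two carriers and a rogue self-signed key, builds a SHAKEN PASSporT (RFC 8225 / RFC 8588, ES256) and runs the checks a terminating carrier's verification service performs: resolve the x5u certificate, chain it to a trusted STI-CA, verify the JWS, then check freshness and that the claims match the call's From/To. The CA, carrier names, x5u URLs and telephone numbers are placeholders, the certificate is looked up in a local map instead of being fetched over HTTPS, and the 60-second freshness window is an assumed policy value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// party is a constructed STI-CA or carrier; x5u is resolved from a local map, not fetched.
type party struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
	x5u  string
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// issue creates a P-256 certificate for cn; a nil issuer means self-signed.
func issue(cn, x5u string, issuer *party, isCA bool) *party {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key
	if issuer != nil {
		parentCert, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("constructed certificate could not be created")
	}
	return &party{key, cert, x5u}
}

// signPassport builds a SHAKEN PASSporT as a compact JWS signed with ES256. json.Marshal
// sorts map keys, which gives the lexicographic member order RFC 8225 requires.
func signPassport(p *party, orig, dest string, iat int64) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": p.x5u})
	claims, _ := json.Marshal(map[string]interface{}{
		"attest": "A", "dest": map[string][]string{"tn": {dest}}, "iat": iat,
		"orig": map[string]string{"tn": orig}, "origid": "constructed-origid",
	})
	input := b64(hdr) + "." + b64(claims)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, p.key, h[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // JWS ES256 is fixed-width r||s, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig)
}

// verifyPassport is the terminating side: resolve x5u, chain it to a trusted STI-CA, check
// the signature, then freshness and the binding to the SIP From/To. On success it returns
// the CN of the attesting carrier, i.e. whoever is saying "this is me".
func verifyPassport(token string, certs map[string]*x509.Certificate, roots *x509.CertPool, from, to string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
	var hdr struct{ Alg, Ppt, X5u string }
	var claims struct{ Iat int64; Orig struct{ Tn string }; Dest struct{ Tn []string } }
	sig := dec(parts[2])
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &claims) != nil ||
		hdr.Alg != "ES256" || hdr.Ppt != "shaken" || len(sig) != 64 {
		return "", errors.New("undecodable PASSporT or unsupported alg/ppt")
	}
	cert, ok := certs[hdr.X5u]
	if !ok {
		return "", errors.New("x5u not resolvable")
	}
	// A self-signed or otherwise untrusted cert fails here: the JWS can be mathematically
	// valid and still be non-authoritative, because nobody the verifier trusts vouches for it.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("x5u cert not chained to a trusted STI-CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not verify under the x5u key")
	}
	if now-claims.Iat > 60 || claims.Iat-now > 60 { // assumed 60 s freshness policy
		return "", errors.New("iat outside the freshness window")
	}
	if claims.Orig.Tn != from || len(claims.Dest.Tn) != 1 || claims.Dest.Tn[0] != to {
		return "", errors.New("orig/dest do not match the SIP request")
	}
	return cert.Subject.CommonName, nil
}

// RunScenarios replays the thread's question; values are "attested by <CN>" or "rejected: <why>".
func RunScenarios() map[string]string {
	ca := issue("Constructed STI-CA", "", nil, true)
	carrierA := issue("Carrier A", "https://cr.example/a.pem", ca, false)
	carrierB := issue("Carrier B", "https://cr.example/b.pem", ca, false)
	rogue := issue("Rogue MITM", "https://rogue.example/self.pem", nil, false)
	certs := map[string]*x509.Certificate{carrierA.x5u: carrierA.cert, carrierB.x5u: carrierB.cert, rogue.x5u: rogue.cert}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	from, to, now := "12025550123", "12025550199", time.Now().Unix()
	out := map[string]string{}
	check := func(name, token string) {
		if cn, err := verifyPassport(token, certs, roots, from, to, now); err != nil {
			out[name] = "rejected: " + err.Error()
		} else {
			out[name] = "attested by " + cn
		}
	}
	check("original", signPassport(carrierA, from, to, now))              // Carrier A vouches for its own call
	check("mitm-self-signed", signPassport(rogue, from, to, now))         // re-signed with a self-signed cert: non-authoritative
	check("mitm-carrier-b", signPassport(carrierB, from, to, now))        // re-signed by a real carrier: verifies, but now names Carrier B
	check("replayed", signPassport(carrierA, from, to, now-3600))         // stale PASSporT reused on a later call
	check("copied", signPassport(carrierA, "12025550777", to, now))       // valid Identity lifted from a different call
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

The three outcomes are the ones the thread reasons about: the self-signed re-signature is rejected at the chain check without the signature ever mattering; the re-signature by a real STI-CA customer passes every check, but the verifier now reports Carrier B as the attesting party, which is exactly the "this is me" the reply above describes; and an Identity header that is merely copied or replayed fails the binding and freshness checks, which is why a middle party has to re-sign at all. In a real deployment the root pool would be the STI-CA list published by the STI-PA and x5u would be fetched over HTTPS and cached.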