[OpenSIPS-Users] stir shaken (2).

Brett Nemeroff brett at nemeroff.com
Fri Apr 21 12:20:02 UTC 2023


On the inbound side, a carrier would perform the STI-VS (verification
service) to derive the attestation from the passport and handle the call
according to local policy. An intermediate carrier can't really "reattest"
the call because being an intermediate,they likely can't attest to the
validity of the end user. As STIR/SHAKEN stands today, the identity header
doesn't do much other than provide a place to "point the finger" when a
caller is being TRACEDback. That's a huge step forward from where we've
been, but it really doesn't do much for name or number presentation
(today).

I'm not aware of a 302 script out there, but you didn't really specify if
you want to be the redirect server or if you want to consume the 302 from
another service. If you haven't seen it yet, the "self-signed" stir/shaken
post is a great walkthrough on how to set it up. It's worth a go to
understand the pieces. However, know that there are no carriers that will
accept self-signed certificates. To make this work in the wild, you will
need a certificate from a STI-CA.

https://blog.opensips.org/2022/10/31/how-to-generate-self-signed-stir-shaken-certificates/


-Brett





On Fri, Apr 21, 2023 at 4:01 AM johan <johan at democon.be> wrote:

> 1. In the case that you are intermediate provider and the call comes in
> with identity header, can you then juste USE the identity coming in or
> do you need to reattest.
>
> 2. is there somewhere a mini script.cfg which is doing stir/shaken magic
> with 302 redirect ?
>
>
> wkr,
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20230421/d9e3d187/attachment.html>


More information about the Users mailing list