[asterisk-users] Stir-Shaken clarified
Saint Michael
venefax at gmail.com
Fri May 29 05:36:42 CDT 2020
https://wiki.asterisk.org/wiki/display/AST/STIR+and+SHAKEN
The Wiki above is misleading in what Stir-Shaken means and how it works.
End users cannot get a certificate, they cannot self-certify their calls.
Somebody completely misunderstood the model. I am afraid the moment will
come and thousands of Asterisk operators will be unable to terminate calls.
To start with, the model is a hierarchical one: there is an FCC
designated central authority, which appoints (so far two) Certification
Authorities, allowed to issue Certificates for Service Providers ONLY,
which themselves are ALSO pre-approved by then GA (Governance Authority),
and they need to have an OCN, they need to be a CLEC, have their own block
of numbers. So the idea that an Asterisk operator can have its own
certificate and somehow calculate the signature, is ridiculous. Once the
call arrives a the last mile, let's say VZ or ATT, the carrier will open
the signature added to each call and verify it with the Certification
Authority that issued the certificate. They will check if the caller-ID and
destination number match the actual call. Each signature is valid only for
60 seconds and each call has a different signature, even for the same
caller-ID and destination number, so it cannot be stored.
As you can see, this is a new world and we need to prepare for its arrival,
or our calls will simply fail and we shall be out of business. My company
is an approved Service Provider and we are waiting for the certificate,
which is in itself complicated paperwork.
Our model to solve this riddle for Asterisk is simple: Add a
res_odbc.so-connection pointed to our MySQL database. Create a func_odbc
function that executes our stored procedure. For each call, you send us the
pair Caller-ID and Destination number, and we send you back the signature.
In the next line in the dialplan, you add a SIP-header called Identity, and
our signature becomes the content.
Identity:
eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwicHB0Ijoic2hha2VuIiwieDV1IjoiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxOTU0NDQ0NzQwOCJdfSwiaWF0IjoxNTkwNjcyNDc2LCJvcmlnIjp7InRuIjoiMjE1OTE0MDQyMSJ9LCJvcmlnaWQiOiIxMjNlNDU2Ny1lODliLTEyZDMtYTQ1Ni00MjY2NTU0NDAwMDAifQ.X7noevZGawXv1Jw1wkaqunTMFVE9FLt7sEX1QSgk0GMJmAHJWnbF5PCdj-Mc7UD2JY_5xvuJU3UlhSvswfK7SQ;info=<
https://cert.example.org/passport.cer>;alg="ES256";ppt="shaken"
With two lines of code in the dialplan, you solve the FCC requirements.
BUT, the caller-ID must be either verifiable associated with the company
that owns Asterisk, or we can supply one for you, from our pool of numbers.
Wireless numbers are not allowed. We check each and call return an error if
the conditions are not met. What happens if you send a random but valid
caller-ID? We still sign it, BUT, with Attestation level "C", which means
we don't know anything about the caller-ID. At some point, carriers will
decline to terminate those calls. It is up to them to terminate or not
those calls.
So what I am doing for the Asterisk community is helping everybody to stay
in business. If you delay the interconnection with me and pretend it is not
urgent, you will end-up in the fauces of XXXXnexus, which acts double as a
Certification Authority and Service Provider and charges huge fees. I mean
HUGE.
This wiki should be erased, for it is misleading:
> https://wiki.asterisk.org/wiki/display/AST/STIR+and+SHAKEN
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20200529/afec56c6/attachment.html>
More information about the asterisk-users
mailing list