Yeti Switch

Appearance

STIR/SHAKEN

Yeti-Switch is compatible with STIR/SHAKEN mechanisms and allows you to perform both Identity validation and signing. The Yeti system does not require any external components to perform these operations.

Signature Validation

Signature validation logic is controlled by Customers Auth STIR/SHAKEN settings. Depending on the configuration, Yeti may take different actions if the signature is missing or invalid.

The validation procedure requires a public key certificate to perform the cryptographic signature check. This certificate is retrieved from a public repository according to the info parameter of the incoming Identity header.

During signature validation, Yeti performs the following steps:

  • Check if Identity header parameter info is same as Identity JWT header x5u
  • Check if the public certificate repository URL from the info parameter and x5u JWT header is allowed by Trusted repository configuration
  • Retrieve the public certificate from the repository URL or from the internal cache
  • Verify that the public certificate is valid and not expired
  • Ensure that the certificate chain is linked to a trusted root certificate defined in Trusted certificates configuration
  • Validate the JWT signature
  • Check the iat (issued-at) timestamp for expiration
  • Confirm that the orig.tn and dest.tn attributes in theIdentity header match the Source and Destination numbers present in SIP signaling

The results of signature validation are stored in the CDR fields: Lega Ss Status and Lega Identity.

Signing

When sending a call to the termination gateway, Yeti can either:

  • pass the original Identity header as-is,
  • remove it,
  • generate and attach its own signature.

This behavior is controlled by Termination gateway STIR/SHAKEN settings

To perform signing, a private certificate and key material are required. These are defined in Signing Certificates configuration.

Yeti supports multiple signing certificates, and you can choose which certificate will be used for signing in Termination gateway STIR/SHAKEN settings. Additionally, it is possible to override the certificate in Customers Auth STIR/SHAKEN settings, allowing different certificates to be used for different call originators (customers).