PASSporTs used with STIR/SHAKEN

STIR/SHAKEN uses PASSporTs to carry information about caller identity. There are different types of PASSporTs, and it can be confusing to keep it straight. Here’s a simple overview.

What is a PASSporT?

PASSporT is sort of an acronym for Personal ASSertion Token. It’s sometimes called an Identity token. It contains the information that STIR/SHAKEN needs for authentication and verification of calls.

PASSporTs are formatted as JSON Web Tokens. JSON is an acronym for JavaScript Object Notation. As you can see, standards drive everything in this technology.

PASSporTs contain a header, payload, and signature. The header defines the type of PASSporT. The payload includes the claims, or identity information for a call. The signature is generated using asymmetric cryptographic techniques.

Here’s an example of a base PASSporT:

{
  “typ”:”passport”,
  “alg”:”ES256”,
  “x5u”:”https://cert.example.org/passport.cer”
}
{
  “dest”:{“uri”:[“sip:alice@example.com”]},
  “iat”:1443208345,
  “orig”:{“tn”:”12155551212”}
}

The first bracketed set of information is the header, which is used to understand the PASSporT information, including the type, the algorithm used for cryptography, and x5u, which gives the URI for the certificated needed to validate the signature.

The second part is the payload, which contains the information about this call. These claims include the destination identifier, the issued-at timestamp, and the origination identifier.

PASSporTs used with STIR/SHAKEN

PASSporT extensions

The base PASSporT requires the bare-minimum set of claims needed to securely identify the call originator.

PASSporT extensions can be defined to standardize other claims that are required in addition to the base PASSporT.

SHAKEN

A SHAKEN PASSporT is similar to the base PASSporT, but includes a few additional requirements:

  • The orig and dest claims in the payload must be telephone numbers
  • There must be a payload claim for attestation. Values can be:
    1. Full attestation
    2. Partial attestation
    3. Gateway attestation
  • There must be a claim in the payload for orig ID, a globally-unique string that helps with traceback.

Rich Call Data

Rich Call Data (RCD) provides a way to send additional information about the caller in the PASSporT, including caller name, logo image, a text field for call reason, and many others.

Currently, RCD can be sent in either a base or SHAKEN PASSporT. There is an IETF draft for an RCD PASSporT extension. The only new requirement is that the PASSporT payload must include a claim for the caller name.

The draft standards describe ways to link additional external information and sign it with integrity checks.

Delegation

Delegation is used to describe techniques to extend the trusted framework in customer-of-customer scenarios. Perhaps the originating service provider doesn’t know whether the end user placing the call is a legitimate user of the asserted calling number, but their customer does. Delegate certificates extend the trusted relationship, and a delegation PASSporT extension would standardize the information needed in these scenarios.

There is an IETF draft for a delegation PASSporT extension. In addition to the base PASSporT requirements, delegation PASSporTs would:

  • Include TNAuthList to indicate the scope of delegation.
  • Provide the entire certification path in the x5u link.

TransNexus solutions

We offer STIR/SHAKEN and robocall prevention solutions in our ClearIP and NexOSS software platforms. Contact us today to learn more about these solutions.

Request info about our products and services

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.