PASSporTs used with STIR/SHAKEN
STIR/SHAKEN uses PASSporTs to carry information about caller identity. There are several types of PASSporTs, and it can be confusing to keep them straight. Here’s a simple overview.
What is a PASSporT?
PASSporT is sort of an acronym for Personal ASSertion Token. It’s sometimes called an Identity token. It contains the information that STIR/SHAKEN needs for authentication and verification of calls.
PASSporTs contain a header, payload, and signature. The header defines the type of PASSporT. The payload includes the claims, or identity information for a call. The signature is generated using asymmetric cryptographic techniques.
Here’s an example of a base PASSporT:
The first bracketed set of information is the header, which is used to interpret the PASSporT, including the type, the algorithm used for the signature, and x5u, which gives the URI for the certificate needed to validate the signature.
The second part is the payload, which contains the information about this call. These claims include the destination identifier, the issued-at timestamp, and the origination identifier.
The base PASSporT requires the bare-minimum set of claims needed to securely identify the call originator.
PASSporT extensions can be defined to standardize other claims that are required in addition to the base PASSporT.
A SHAKEN PASSporT is similar to the base PASSporT, but includes a few additional requirements:
- The orig and dest claims in the payload must be telephone numbers
- There must be a payload claim for attestation. Values can be:
  - Full attestation
  - Partial attestation
  - Gateway attestation
- There must be a claim in the payload for orig ID, a globally-unique string that helps with traceback.
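As an added example (not code from the original post or from TransNexus), here is a Go program that builds the SHAKEN PASSporT described above, signs it with ES256 using only the standard library, and verifies it the way a terminating provider would: signature first, then the header and claim values SHAKEN requires, then freshness of iat. The x5u URL, telephone numbers and origid are constructed placeholders, and the 60-second iat window is an assumption; the letters A, B and C are the attest values SHAKEN uses for full, partial and gateway attestation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header of a SHAKEN PASSporT. Fields are declared in alphabetical order so
// json.Marshal emits the sorted, whitespace-free JSON that the signature covers.
type Header struct {
	Alg string `json:"alg"` // PASSporT always uses ES256
	Ppt string `json:"ppt"` // extension name, "shaken" here
	Typ string `json:"typ"` // always "passport"
	X5u string `json:"x5u"` // URI of the certificate that validates the signature
}

type TN struct{ TN string `json:"tn"` }     // orig claim: one telephone number
type Dest struct{ TN []string `json:"tn"` } // dest claim: list of called numbers

// Payload carries the SHAKEN claims: attestation, called number(s), iat, calling number, origid.
type Payload struct {
	Attest string `json:"attest"` // "A" full, "B" partial, "C" gateway attestation
	Dest   Dest   `json:"dest"`
	Iat    int64  `json:"iat"`
	Orig   TN     `json:"orig"`
	OrigID string `json:"origid"`
}

// IatWindow is the allowed iat clock skew; 60 s is the usual SIP Identity replay window (assumed).
const IatWindow = 60 * time.Second

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeJSON(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Sign builds the compact form header.payload.signature. A JWS ES256
// signature is the raw 32-byte R and S values concatenated, not ASN.1 DER.
func Sign(hdr Header, pl Payload, key *ecdsa.PrivateKey) (string, error) {
	h, _ := json.Marshal(hdr)
	p, _ := json.Marshal(pl)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// Verify checks the signature before trusting anything in the token, then the SHAKEN header and claims, then iat freshness.
func Verify(token string, pub *ecdsa.PublicKey, now time.Time) (Payload, error) {
	var hdr Header
	var pl Payload
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return pl, errors.New("malformed PASSporT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return pl, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return pl, errors.New("signature does not verify")
	}
	if decodeJSON(parts[0], &hdr) != nil || decodeJSON(parts[1], &pl) != nil {
		return pl, errors.New("undecodable header or payload")
	}
	if hdr.Alg != "ES256" || hdr.Typ != "passport" || hdr.Ppt != "shaken" || hdr.X5u == "" {
		return pl, errors.New("header is not a SHAKEN PASSporT")
	}
	if pl.Attest != "A" && pl.Attest != "B" && pl.Attest != "C" {
		return pl, errors.New("attest must be A, B or C")
	}
	if pl.Orig.TN == "" || len(pl.Dest.TN) == 0 || pl.OrigID == "" {
		return pl, errors.New("orig, dest and origid are required")
	}
	if age := now.Sub(time.Unix(pl.Iat, 0)); age > IatWindow || age < -IatWindow {
		return pl, errors.New("iat outside freshness window")
	}
	return pl, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed sample values: the x5u URL, numbers and origid are placeholders.
	hdr := Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: "https://cert.example.invalid/sp.pem"}
	pl := Payload{Attest: "A", Dest: Dest{TN: []string{"12125552000"}}, Iat: time.Now().Unix(), Orig: TN{TN: "12015551000"}, OrigID: "constructed-origid-0001"}
	tok, _ := Sign(hdr, pl, key)
	_, err := Verify(tok, &key.PublicKey, time.Now())
	fmt.Println(tok, "\nverified:", err == nil)
}
```

Two design points worth noticing: the signature is checked before the JSON is even parsed, so malformed or hostile claims never influence the decision, and the claims are serialized in sorted order with no whitespace, because a verifier that re-serializes differently would compute a different signing input and reject a valid token.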
Rich Call Data
Rich Call Data (RCD) provides a way to send additional information about the caller in the PASSporT, including caller name, logo image, a text field for call reason, and many others.
Currently, RCD can be sent in either a base or SHAKEN PASSporT. There is an IETF draft for an RCD PASSporT extension. The only new requirement is that the PASSporT payload must include a claim for the caller name.
The draft standards describe ways to link additional external information and sign it with integrity checks.
Diversion
What happens when a signed call is forwarded to another number? SHAKEN verification won’t work, because the called number changes when the call is forwarded, while the SHAKEN PASSporT still carries the original called number. The two don’t match.
That’s what a DIV PASSporT is for.
A Diversion (DIV) PASSporT is to be generated by the service provider that does the call forwarding. It provides the new called number and is signed using the SHAKEN PKI.
The terminating service provider can then use the original SHAKEN PASSporT and the DIV PASSporTs during SHAKEN verification to verify the call.
The DIV PASSporT is described in ATIS-1000085.v002. It is not yet widely used, which is a problem for SHAKEN verification of forwarded calls. However, we expect that it will become widely used soon.
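The forwarding check described above, as an added example that is not part of the original post: a Go function that replays the chain of DIV PASSporTs against the original SHAKEN dest claim and the number that was actually called. It works on already-decoded claims, so signature and certificate validation of each PASSporT is assumed to have been done beforehand. The claim layout assumed here (div.tn names the number the call was forwarded from, dest the number it was forwarded to, orig is carried over unchanged) follows RFC 8946, which the ATIS DIV specification builds on; all numbers are constructed. It goes one step beyond the single forward in the text by accepting a multi-hop chain.

```go
package main

import "fmt"

// ShakenClaims is the subset of the original SHAKEN PASSporT the check needs:
// the calling number and the called number(s) as originally signed.
type ShakenClaims struct {
	Orig string
	Dest []string
}

// DivClaims are the claims of one DIV PASSporT (header ppt "div"), laid out
// as in RFC 8946: Div is "div":{"tn":...}, the number the call was forwarded
// from; Dest is the number it was forwarded to; Orig must not change.
type DivClaims struct {
	Orig string
	Div  string
	Dest []string
}

func contains(list []string, tn string) bool {
	for _, v := range list {
		if v == tn {
			return true
		}
	}
	return false
}

// CheckRetargeting replays the forwarding chain. Starting from the original
// dest, each DIV PASSporT must divert from the current destination and keep
// orig unchanged; the final destination must be the number actually called.
// With no DIV PASSporTs this reduces to the plain SHAKEN dest comparison,
// which is exactly the check that fails for a forwarded call.
func CheckRetargeting(orig ShakenClaims, divs []DivClaims, calledTN string) error {
	current := orig.Dest
	for i, d := range divs {
		if d.Orig != orig.Orig {
			return fmt.Errorf("DIV PASSporT %d changes orig from %s to %s", i, orig.Orig, d.Orig)
		}
		if !contains(current, d.Div) {
			return fmt.Errorf("DIV PASSporT %d diverts from %s, but the call was headed to %v", i, d.Div, current)
		}
		current = d.Dest
	}
	if !contains(current, calledTN) {
		return fmt.Errorf("called number %s does not match the signed destination %v", calledTN, current)
	}
	return nil
}

func main() {
	// Constructed numbers: the call was signed to ...2000 and forwarded to ...3000.
	orig := ShakenClaims{Orig: "12015551000", Dest: []string{"12125552000"}}
	fwd := DivClaims{Orig: "12015551000", Div: "12125552000", Dest: []string{"13105553000"}}
	fmt.Println("no DIV:  ", CheckRetargeting(orig, nil, "13105553000"))
	fmt.Println("with DIV:", CheckRetargeting(orig, []DivClaims{fwd}, "13105553000"))
}
```

The linking rule (each DIV must divert from the destination the previous PASSporT pointed at) is what stops an unrelated DIV PASSporT from being attached to a call to make an arbitrary called number look legitimate; the orig check stops the chain from being reused for a different calling number.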
Delegation
Delegation describes techniques that extend the trust framework to customer-of-customer scenarios. Perhaps the originating service provider doesn’t know whether the end user placing the call is a legitimate user of the asserted calling number, but their customer does. Delegate certificates extend the trusted relationship, and a delegation PASSporT extension would standardize the information needed in these scenarios.
There is an IETF draft for a delegation PASSporT extension. In addition to the base PASSporT requirements, delegation PASSporTs would:
- Include TNAuthList to indicate the scope of delegation.
- Provide the entire certification path in the x5u link.
Updated June 11, 2021 to add the DIV PASSporT.