STI-GA announces support for enhanced SHAKEN
The U.S. Security Telephone Identity Governance Authority (STI-GA) announced support for two measures that expand SHAKEN functionality and participation in the SHAKEN ecosystem. Delegate certificates will be supported, and Resp Orgs can participate directly in SHAKEN. Here’s a brief overview of how this works and what it will mean.
SHAKEN attestation
The SHAKEN framework has three attestation levels that an Originating Service Provider (OSP) can provide when authenticating a call.
Attestation level | Originated the call | Direct customer authentication | Verified telephone number association |
---|---|---|---|
Full - A | |||
Partial - B | |||
Gateway - C |
These attestation levels encode the OSP’s authenticated direct knowledge of the customer and the customer’s verified use of the calling telephone number.
Scenarios that prevent full attestation
There are several scenarios that prevent full attestation. Here are a few examples:
- Multi-homed Enterprise PBX
- Toll-Free originations
- Multi-tenant hosted/cloud PBX
- Business Process Outsourcing Call Centers
There’s a common thread in these use cases: the OSP often is not the Telephone Number Provider (TN Provider). They can’t verify that the customer has a valid association with the calling number. There’s a knowledge gap between the OSP and the TN provider.
Delegate certificates
Delegate certificates can close the knowledge gap. They enable a TN provider to issue a delegate certificate to a customer that attests to their legitimate use of the telephone numbers that the provider assigned to the customer.
The customer can then place their outbound calls with an assortment of OSPs. None of them may include the TN provider. The delegate certificate enables the OSP to sign the call with full attestation.
Resp Orgs
A Resp Org is responsible for assigning toll free numbers to customers. In this sense, they’re another TN provider: they know the customer, and they know that the customer has a verified association with the toll-free number they assigned to the customer.
With the announced STI-GA policy change, Resp Orgs can issue delegate certificates to their customers, who can place their outbound calls with a variety of OSPs. The delegate certificate enables the OSP to sign these calls with full attestation.
How it works
We have a whitepaper on delegate certificates that goes into detail about how delegate certificates work. Here’s the short version:
- The calling entity, typically an enterprise, obtains delegate certificates from their TN providers. Each delegate certificate covers a number, or range of numbers, assigned by the TN provider. The calling entity puts either a base or RCD PASSporT, signed with a delegate certificate for that calling number, into each call.
- The OSP verifies the PASSporT and delegate certificate and uses this verification as the basis to elevate attestation level to full attestation in a SHAKEN PASSporT that they create for the call. The OSP removes the base or RCD PASSporT and replaces it with the SHAKEN PASSporT.
- The TSP receives the call and verifies the SHAKEN PASSporT as usual.
Next steps
Here’s how these policy changes will be rolled out across the SHAKEN ecosystem:
- STI-CAs will enable their systems to accept delegate certificate requests and issue Subordinate CA certificates to TN providers.
- TN providers will develop systems to:
- Request SPC tokens from the STI-PA
- Request Subordinate CA certificates from STI-CAs.
- Issue delegate certificates to their customers.
- Calling entities will develop systems to request delegate certificates from their TN providers and sign outbound calls by placing base and/or RCD PASSporTs, each signed with an appropriate delegate certificate, into their outbound calls.
- SHAKEN-authorized OSPs will enable their systems to verify calls received signed with delegate certificates and create SHAKEN PASSporTs signed with their SHAKEN certificate.
- TSPs will verify SHAKEN PASSporTs as usual.
Will everyone participate?
We know that enterprise callers are eager to use delegate certificates as soon as possible. Call completion is critical, and full attestation level is invaluable.
We don’t know if every service provider will participate. We’re aware of representatives of some who have said they are reluctant to do this.
However, market forces may pressure service providers into supporting this. If enterprises can’t get this service from some providers, they may take their business elsewhere.
This will be interesting to follow.
Here’s the announcement from the Governance Authority: STI-GA Enhances STIR/SHAKEN Functionality to Authenticate Broader Range of Calls.
TransNexus solutions
We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms. We can make your STIR/SHAKEN deployment a smooth process.
In addition, we help service providers with all aspects of STIR/SHAKEN deployment, including registering with the Policy Administrator and filing their certification with the FCC.
Contact us today to learn more.
Our STIR/SHAKEN products:
- Work with your existing network
- Support SIP and TDM
- Affordable, easy to deploy