U.S. — Canada cross-border SHAKEN

As the U.S. and Canadian telephone ecosystems move toward widespread deployment of STIR/SHAKEN call authentication, questions about cross-border SHAKEN are coming up. Can calls signed in Canada be verified in the U.S., and vice versa? How would that work? Let’s have a look.

Governance requirements

At first glance, cross-border SHAKEN might seem easy. Participating voice service providers are authenticating and verifying calls per standards. Wouldn’t it just work?

No, it wouldn’t. Here’s why.

SHAKEN uses a governance model to ensure that only authorized voice service providers can sign calls. We refer to this as a triangle of trust.

Triangle of trust

The triangle of trust includes the following:

• Policy administrator (STI-PA). Vets and approves certificate authorities and service providers to participate in the SHAKEN ecosystem. The STI-PA is the trust anchor for SHAKEN in a particular country. Each country has its own STI-PA.
• Certificate authorities (STI-CA). Issues SHAKEN certificates to approved service providers.
• Service providers. Creates SHAKEN PASSporTs to attest to call authentication. The PASSporT is cryptographically signed and includes a reference to the SHAKEN certificate that relying parties use to verify the authentication.

When a service provider originates and signs a call, they generate a PASSporT, which includes information about the call. The PASSporT also includes the complete certificate chain.

This certificate chain will be verified by the terminating service provider. The root certificate for the STI-CA must be on the list of approved CAs.

Certificate chain

Here’s the problem: the Canadian and U.S. STI-PAs are different entities with separate lists of authorized CAs. Even though the originating and terminating service providers follow similar standards, calls signed in one country would fail verification in the other country because the CA that issued the SHAKEN certificate in one country isn’t on the PA’s list of approved CAs in the other country.

Cross-border SHAKEN standards

ATIS has published two technical reports on international SHAKEN that aim to solve this problem:

1. Initial Cross-Border SHAKEN (ATIS-1000087). Two countries combine their lists of trusted Certification Authorities. The governance requirements described above would work because the root CA would be on the list of approved CAs in both countries.
2. International SHAKEN (ATIS-1000091). An international SHAKEN registry is created to map E.164 country codes to each country’s PA. Each country’s PA would use analytics to decide which countries to trust and exchange trusted CA lists.

An early adaptation

Neither the initial nor the full international SHAKEN mechanisms are currently in effect. However, an early adaptation of the initial cross-border mechanism for calls between the U.S. and Canada is possible today.

With this workaround, terminating service providers would fetch the list of approved CAs in the neighbor country and merge it with the list of approved CAs in their home country. For example, U.S. service providers would fetch the list of Canadian CAs (there’s only one) and merge it with U.S. CAs. Canadian service providers would fetch the list of U.S. CAs and merge it with the list of Canadian CAs.

TransNexus solutions

We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms. These solutions can be used by service providers in the U.S. and Canada. They provide the cross-border SHAKEN early adaptation described above. Calls signed in Canada can be verified in the U.S., and vice versa.

In addition, we help service providers with all aspects of STIR/SHAKEN deployment, including registering with the Policy Administrator and filing their Robocall Mitigation certification with the FCC.

Contact us today to learn more.