Who should sign SHAKEN calls?

Who should sign calls authenticated with STIR/SHAKEN? It seems a simple question. But when you combine complex calling scenarios with current FCC rules, the answers aren’t so easy. Let’s have a look.

The problem can be described by first looking at a quick summary of the SHAKEN standards, then a brief review of the FCC SHAKEN rules.

ATIS SHAKEN documents

The ATIS standard for SHAKEN, ATIS-1000074.v002, says the Originating Service Provider (OSP) signs the call. The OSP is the “signing provider.” Their customer is placing the call. This is the simplest call scenario.

SHAKEN – Simple Scenario

Figure 1. SHAKEN – Simple Scenario

But what about more complex customer-of-customer scenarios?

man thinking

To provide standards-based guidance on the more complex customer-of-customer call scenarios, ATIS developed a technical report, ATIS-1000088, that describes a framework for SHAKEN attestation as described in ATIS-1000074.

Suppose the caller in the example above gets her telephone service from a Reseller or Value Added Service Provider (VASP) that is not authorized to sign calls with SHAKEN. Here’s an illustration.

SHAKEN Reseller Cannot Sign

Figure 2. SHAKEN Attestation — Reseller Cannot Sign

The SHAKEN standards were developed with an expectation that Resellers and VASPs won’t be able to sign calls. Therefore, ATIS-1000088 defined the signing provider, who is authorized by the Policy Administrator to do SHAKEN, as the OSP. The Reseller or VASP is the OSP’s customer. The person making the call is the end user.

ATIS-1000088 then goes into detail in describing how the OSP must know their customer, the Reseller/VASP, to justify a partial attestation. In turn, the customer (Reseller/VASP) must cooperate in this arrangement to let the OSP know that the end user is a legitimate user of the telephone number to justify a full attestation.

This is more complicated than expected. Well, at least ATIS-1000088 clearly defined the roles and provided guidelines.

Then the FCC issued SHAKEN rules that upended this framework.

FCC rules

In their Second Order on SHAKEN, the FCC provided two important determinations:

  1. Voice service is a service “that is interconnected with the public switched telephone network and that furnishes voice communications to an end user, and which includes “without limitation, any service that enables real-time, two-way voice communications, including any service that requires [IP]-compatible customer premises equipment . . . and permits out-bound calling, whether the service is one-way or two-way voice over [IP].
  2. Voice service providers subject to SHAKEN rules include any entity that provides voice service and has control over the network infrastructure necessary to implement STIR/SHAKEN. This includes Over-the-Top carriers.

In November 2020, the STI Governance Authority changed eligibility for service provides to be approved by the STI Policy Administrator. Service providers no longer have to have access to numbering resources. Instead, they must register with the FCC Robocall Mitigation Database. This removed the FCC SHAKEN extension for service providers that cannot obtain a SHAKEN certificate.

This changed everything. The following illustration explains.

SHAKEN Reseller Can Sign

Figure 3. SHAKEN Attestation When the Reseller Can Sign

With the FCC SHAKEN rules and the STI-GA rule change, the roles have changed:

  1. The end user is now also the customer.
  2. The Reseller/VASP is now the OSP and signing provider.
  3. The downstream provider, previously the OSP, is now an intermediate provider.

Downstream signers

There are many Resellers/VASPs that have arranged with a downstream provider to sign calls for them. We are aware of some Reseller/VASPs that have filed their certification in the Robocall Mitigation Database (RMD) asserting that they have done a Complete SHAKEN implementation.

These providers seem to be following the model described in Figure 2, above, where a Reseller/VASP cannot sign calls. They arrange with a downstream provider to sign their calls for them. However, according to the FCC rules, the Reseller/VASP should sign their calls, provided they have control over the necessary network infrastructure.

In some cases, the downstream provider signs calls with the upstream provider’s SHAKEN Service Provider Code and SHAKEN certificate. This seems to follow the FCC rules. The Reseller/VASP is acting as the OSP. They’ve outsourced the signing function to a downstream provider who signs on their behalf. To the Terminating Service Provider (TSP), such calls seem to have been signed by the Reseller/VASP.

In other cases, downstream providers are signing calls on behalf of upstream providers and using their own SPC and SHAKEN certificates to do so. We know this because the Reseller/VASP has not been approved by the Policy Administrator as a SHAKEN provider, yet they have filed their certification in the RMD as having done a Complete SHAKEN implementation.

Does this follow the rules laid out by the FCC in their Second Report and Order on SHAKEN? It doesn’t seem so. If one reads the SHAKEN standards up through ATIS-100088, it seems like a legitimate approach. But when you turn to the Second Report and Order and the STI-GA SHAKEN certificate criteria, then the wheels fall off.

It will be interesting to see how this develops.

TransNexus solutions

We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms. We can make your STIR/SHAKEN deployment a smooth process.

In addition, we help service providers with all aspects of STIR/SHAKEN deployment, including registering with the Policy Administrator and filing their certification with the FCC.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.