New Governance Authority guidance on improper attestation

The STI Governance Authority (STI-GA) issued new guidance to define improper attestation in STIR/SHAKEN. This article reviews the issues and guidance.

STIR/SHAKEN attestation criteria

The STIR/SHAKEN standards describe attestation criteria in ATIS-1000074, clause 5.2.4.

The SHAKEN framework defines the following three levels of attestation:

  1. Full Attestation: The signing service provider shall satisfy all of the following conditions:
    • Is responsible for the origination of the call onto the IP-based service provider voice network.
    • Has a direct authenticated relationship with the customer and can identify the customer.
    • Has established a verified association with the telephone number used for the call.
  2. Partial Attestation: The signing service provider shall satisfy all of the following conditions:
    • Is responsible for the origination of the call onto the IP-based service provider voice network.
    • Has a direct authenticated relationship with the customer and can identify the customer.
    • Has NOT established a verified association with the telephone number being used for the call.
  3. Gateway Attestation: The signing service provider shall satisfy the following condition:
    • Has no relationship with the originator of the call (e.g., international gateways).

STI-GA guidance

The STI-GA published a document, Definition of Improper Attestation, in the Resources section of their website.

Why did they do this? Here’s what they wrote:

Because the STI-GA and its industry partners may need to investigate improper use of STI certificates as part of the token revocation process, an agreed definition of Improper Attestation is being published to support STI GA processes and policies.

And here is their definition of Improper Attestation:

An Improper Attestation includes any call where an originating service provider (OSP) signs a call with a level of Attestation inconsistent with the information it has, or is required to have, about the call.

The guidance document includes examples of improper attestations. Here are a few that caught our eye:

  • A-level attestation on an illegally spoofed call
  • B-level attestation where the originating provider has not validated the customer.

Telecom service providers should take note of this. The STI-GA is saying that improper attestation is part of the token revocation process.

We interpret this to mean that a service provider could potentially lose its authorization to authenticate calls using STIR/SHAKEN if it authenticates calls with improper attestation.

The crucial takeaway is that attestation levels matter and should not be abused.

verified banner

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 20 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.