[VoiceOps] Production STIR/SHAKEN

Paul Timmins ptimmins at clearrate.com
Mon Jul 27 16:15:48 EDT 2020

T-Mobile is using PA certificates, I'm passing live traffic with them right now. What I've heard so far intercarrier is just Comcast (private cert), T-Mobile (STI-PA cert), Twilio (not sure), and us (STI-PA cert). Verizon and AT&T have just been doing private interconnect from what I understand.


From: VoiceOps <voiceops-bounces at voiceops.org> on behalf of Dave Frigen <dfrigen at wabash.net>
Sent: Monday, July 27, 2020 3:49 PM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] Production STIR/SHAKEN

Paul, this is in reply to your question posted on July 24th: Currently there are 34 active STI-GA SHAKEN participants authorized to exchange SHAKEN tokens in the U.S. While Canada and the UK are working on SHAKEN, to my knowledge there are no PA’s or CA’s to operate and approve new applicants in those countries.

T-Mobile, Comcast, Verizon, and AT&T were the first four carriers to adopt SHAKEN and are still temporarily using self-signed certificates (not official PA authored certificates that Transnexus and the rest of the U.S. uses). This is due to FCC expectations of having a SHAKEN platform in production at the beginning of the year and there not being a PA (Policy Administrator), nor any CA’s (Certificate Authorities) at that time. Self-signing certificates were the only means of operating the SHAKEN platform in the FCC timeframe. We, as out-of-band (OOB) operators do not have the ability to exchange certs. (certificates) with the self-signers today. It goes without saying that these networks are huge and not easily converted. T-Mobile and Comcast are in the process of converting to official PA authored certificates, they are expected to be on-line in the coming month. Both AT&T and Verizon are in the engineering stages and planning to convert in the future. I reside on a board seat of the national STI-GA governance board as an NTCA representative, and have asked the self-signers to begin publishing their self-signing root addresses so every can exchange tokens in the interim regardless of whether or not they are official PA authored certs. I anticipate self-signing certs going away, and likely within the coming months. In summary, we, as out-of-band (OOB) operators, do not have the ability to exchange certs. with the self-signers today, hopefully they will agree to publish their root certificate addresses soon.

I want to prequalify this next statement by congratulating any TDM provider that is adopting OOB or some sort of TDM SHAKEN technology. You’re doing the right thing, because TDM isn’t going away anytime soon. And all Americans deserve the right to have their calls officially authenticated and verified just like any iP network provider’s calls. OOB and other technologies for use on TDM calls for SHAKEN are in the infant stages and are just now being discussed and considered for permanent TDM standards. The body that is adopting new TDM standards is the PTSC Non-IP Call Authentication Task Force, led by ATIS. Anyone is welcome to become a member of the task force. There is a nominal $250 fee for organizations that are not already an ATIS member. If you want more information on how to join the committee, I’d be glad to help. Belonging to the committee is one of many ways to comply with the FCC’s mandate for TDM providers to adopt SHAKEN.

As to the original question of who to test OOB with, Transnexus to Transnexus will allow for both authentication and verification testing; or Transnexus to Netnumber or Neustar. These would be OOB to OOB calls. Regarding OOB to IP, or the reverse……it’s my understanding that OOB to in-band will only work one way today. OOB can authenticate a PA certificate that in-band can receive. HTTP Post software or a Call Placement Service (CPS) is required for an IP provider to post a token to an OOB provider. With that being said, Wabash is a Transnexus customer and would be more than happy to test OOB SHAKEN with any provider desiring to do so. Let me know and I’ll get you in touch with our engineers.

Lastly, I’d like to add that Wabash originally implemented OOB SHAKEN into a C-15 with no CapEx, just existing translations modifications. After running the Transnexus/ClearIP platform for a while, we decided to upgrade our SBC to a cloud solution for under $100 a month, but to date that is our only capital expense to be OOB SHAKEN enabled. So, don’t let your switch vendor insist that you break-the-bank to operate OOB.


Dave Frigen

Chief Operating Officer

Wabash Communications CO-OP | www.wabash.net

Office: 618.665.3311

[cid:image001.png at 01D66409.4059F990]<https://www.facebook.com/wabashcommunicationscoop/>[cid:image002.png at 01D66409.4059F990]<https://www.instagram.com/wabashcommunications/>[cid:image003.png at 01D66409.4059F990]<https://www.youtube.com/channel/UCWoo3wyybeYEnTpTxK2jbUg> [cid:image004.png at 01D66409.4059F990] <https://www.linkedin.com/company/18788687/admin/>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20200727/a0889d7b/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1390 bytes
Desc: image001.png
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20200727/a0889d7b/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1304 bytes
Desc: image002.png
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20200727/a0889d7b/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1401 bytes
Desc: image003.png
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20200727/a0889d7b/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 1499 bytes
Desc: image004.png
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20200727/a0889d7b/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 15208 bytes
Desc: image005.png
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20200727/a0889d7b/attachment-0009.png>

More information about the VoiceOps mailing list