[VoiceOps] STIR/SHAKEN warning!

Mary Lou Carey marylou at backuptelecom.com
Mon Jul 3 14:53:32 EDT 2023


My understanding is that they can still sign for you, but they should be 
signing with YOUR certificate/token and not their own. That only adds 
the cost of the certificate/token to your budget.

MARY LOU CAREY
BackUP Telecom Consulting
Office: 615-791-9969
Cell: 615-796-1111

On 2023-07-03 01:45 PM, Carlos Alvarez via VoiceOps wrote:
> I would love an update here.  We are an ultra tiny MSP, and have been
> told all along by the major ULCs we use that we’re fine.  They are
> signing, all good.  This is a monstrous change relative to our size
> and capital.
> 
> On Jul 3, 2023 at 11:09:33 AM, Mary Lou Carey via VoiceOps
> <voiceops at voiceops.org> wrote:
> 
>> Thanks for the input, Mark! I'm going to call my contacts at the
>> FCC as
>> well and ask specifically what their stance o this is because from
>> what
>> I've heard they plan to start enforcing STIR/SHAKEN in August. That
>> could be devastating to many since so many of the underlying
>> carriers
>> have been telling their clients they don't need their own
>> certificate/token.
>> 
>> MARY LOU CAREY
>> BackUP Telecom Consulting
>> Office: 615-791-9969
>> Cell: 615-796-1111
>> 
>> On 2023-06-30 05:28 PM, Mark R Lindsey wrote:
>> 
>>> Like Mary Lou, I'd like to help all voice service providers get
>>> their
>> 
>>> STIR/SHAKEN implementations up and running. And it's crucial to do
>> 
>>> verification as well as attestation! [1]
>> 
>>> 
>> 
>>> There are a lot of good options -- I'm personally seeing a lot of
>> 
>>> activity around Neustar, Sansay, and Transnexus. I personally like
>>> to
>> 
>>> implement the HTTPS REST interface, but most implementations are
>>> doing
>> 
>>> it with SIP and 302. I think I've configured over 10 different
>> 
>>> variations so far. There are tons of technical methods.
>> 
>>> 
>> 
>>> BUT... the rules on this third-party SHAKEN are not completely
>>> clear
>> 
>>> cut; I tell my clients that "the jury is still out," because the
>>> FCC
>> 
>>> is still seeking comment on whether this is appropriate. I'm
>>> expecting
>> 
>>> rules to be issued clarifying it.
>> 
>>> 
>> 
>>> To read more about where the FCC is on this, see the section
>>> starting
>> 
>>> at Paragraph 99 in FCC-23-18A1 published March 17, 2023:
>> 
>>> 
>> 
>>>> We seek comment on whether, and under what circumstances, a
>>> third
>> 
>>>> party may authenticate calls on behalf of a provider with A- or
>> 
>>>> B-level attestations consistent with the ATIS standards.
>>> Pursuant to
>> 
>>>> ATIS-1000074, in order to apply a B-level attestation for a
>>> call,
>> 
>>>> the signing party must originate the call onto the IP-based
>>> service
>> 
>>>> network and have a direct authenticated relationship with the
>> 
>>>> customer.An A-level attestation additionally requires the
>>> signing
>> 
>>>> provider to establish a verified association with the telephone
>> 
>>>> number used for the call.341 Can a third-party authenticating a
>>> call
>> 
>>>> on behalf of an originating provider satisfy all or any these
>> 
>>>> criteria, and if so, how? Does the answer to that question
>>> depend on
>> 
>>>> the nature of the relationship between the originating provider
>>> and
>> 
>>>> the third party? For instance, is it possible for a third party
>>> that
>> 
>>>> is a wholesale provider for a reseller, or an intermediate
>>> provider,
>> 
>>>> to apply A- or B-level attestations on behalf of an originating
>> 
>>>> provider in a manner that complies with the ATIS
>>> attestation-level
>> 
>>>> criteria, but not a different type of third party? Are there
>>> third
>> 
>>>> parties authenticating calls on behalf of originating providers
>>> that
>> 
>>>> can only apply C-level attestations under the ATIS criteria? If
>> 
>>>> commenters contend that third parties can meet the ATIS criteria
>>> for
>> 
>>>> signing calls with A- and B-level attestations because they
>> 
>>>> effectively stand in the shoes of the originating provider with
>>> the
>> 
>>>> direct relationship with the customer, we ask that they specify
>>> the
>> 
>>>> legal bases for that conclusion, e.g., the specific grounds for
>>> an
>> 
>>>> agency theory, if any, and/or how the terms of the ATIS
>>> standards
>> 
>>>> may be construed to include the third-party arrangement.
>> 
>>>> 
>> 
>>>> To the extent commenters contend that third parties may satisfy
>>> the
>> 
>>>> criteria to sign calls with A- or B-level attestations, what
>> 
>>>> information must be shared between originating providers and
>>> third
>> 
>>>> parties for those attestation levels to be applied, is that
>> 
>>>> information sharing occurring, and does it implicate any legal
>>> or
>> 
>>>> public interest concerns, including privacy concerns?
>> 
>>> 
>> 
>>> Read it here:
>>> https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf
>> 
>>> 
>> 
>>> Mark R Lindsey | +1-229-316-0013 | mrl at ecg.co | Schedule a Meeting
>>> [2]
>> 
>>> | Newsletter [3]
>> 
>>> 
>> 
>>>> On Jun 30, 2023, at 17:00, Mary Lou Carey via VoiceOps
>> 
>>>> <voiceops at voiceops.org> wrote:
>> 
>>>> 
>> 
>>>> I've heard from several clients that their upstream carrier told
>> 
>>>> them they don't need to worry about being STIR/SHAKEN compliant
>> 
>>>> because they are taking care of everything for them.
>> 
>>>> 
>> 
>>>> THAT IS NOT CORRECT! Every phone company is required to have its
>>> own
>> 
>>>> certificate/token!
>> 
>>>> 
>> 
>>>> It doesn't matter if you're a reseller or a facilities-based
>> 
>>>> carrier. Whoever bills the customer is the carrier of record and
>>> is
>> 
>>>> responsible for signing the customer's calls with THEIR OWN
>> 
>>>> certificate/token. While an upstream carrier can sign calls for
>>> your
>> 
>>>> company, they must sign with YOUR certificate/token - not their
>>> own
>> 
>>>> because they don't have a direct connection with your customer.
>> 
>>>> 
>> 
>>>> Please understand that you're putting your network at risk when
>>> you
>> 
>>>> share a token with another company because there's no way to
>> 
>>>> differentiate between traffic when it's all under the same
>> 
>>>> certificate/token. If your upstream carrier signs all their
>> 
>>>> customer's traffic with their token, it only takes one bad
>>> customer
>> 
>>>> to shut their whole network down. The only way to protect your
>> 
>>>> company from other companies' mistakes is to make sure your
>>> upstream
>> 
>>>> carrier is signing your calls with your certificate/token.
>> 
>>>> 
>> 
>>>> One may not think they can get away with using someone else's
>> 
>>>> certificate/token because it would be difficult to monitor the
>>> call
>> 
>>>> stream for offenders. Let me just tell you the ITG can easily
>> 
>>>> compare the Robocall Mitigation Database with the Approved
>>> Carriers
>> 
>>>> list to locate the companies that don't have their own
>> 
>>>> certificate/token. They don't need to look at traffic to
>>> determine
>> 
>>>> that.
>> 
>>>> 
>> 
>>>> Please don't play Russian roulette with your company because
>>> it's
>> 
>>>> not worth losing your whole business over the cost of a
>> 
>>>> certificate/token. Getting your own certificate/token can take
>> 
>>>> anywhere from 2 weeks to 2 months depending on where you are in
>>> the
>> 
>>>> process. From what I've heard, the FCC will start blocking
>>> traffic
>> 
>>>> in August so if you haven't started the process....do so now!
>> 
>>>> 
>> 
>>>> MARY LOU CAREY
>> 
>>>> BackUP Telecom Consulting
>> 
>>>> Office: 615-791-9969
>> 
>>>> Cell: 615-796-1111
>> 
>>>> _______________________________________________
>> 
>>>> VoiceOps mailing list
>> 
>>>> VoiceOps at voiceops.org
>> 
>>>> https://puck.nether.net/mailman/listinfo/voiceops
>> 
>>> 
>> 
>>> 
>> 
>>> 
>> 
>>> Links:
>> 
>>> ------
>> 
>>> [1]
>> 
>>> 
>> 
> https://www.linkedin.com/pulse/stirshaken-how-investigators-can-tell-youre-compliant-mark-lindsey/?trackingId=ooNgRZYHQ5eltXyut2F7dw==
>> 
>>> [2] https://ecg.co/lindsey/schedule
>> 
>>> [3]
>> 
>>> 
>> 
> https://www.linkedin.com/newsletters/mark-lindsey-voice-7021614437413330944/
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops


More information about the VoiceOps mailing list