[VoiceOps] STIR/SHAKEN warning!

Nathan Anderson nathana at fsr.com
Thu Jul 6 18:45:26 EDT 2023 

Good catch.  I just casually scrolled through the list of companies in the Robocall Mitigation Database & stumbled across a Panamanian company and an Australian company that both claim to have "complete" STIR/SHAKEN implementations.  Yet I can confirm that neither company shows up either in the 499 Filer ID database, nor in iconectiv's list of Service Provider accounts that they have authorized to have access to the STI-PA and to generate SP tokens.  The FCC FRNs for both companies were also generated fairly recently.

I wonder if these foreign companies got concerned about making sure that international calls originating from their networks were getting signed with a high attestation on ingress into the U.S., arranged for this to be the case with whomever they are interconnecting with over on our shores, thought that they had to be listed in the RMD for some reason (do they? Are int'l telecoms required to be in the RMD and file an actual mitigation plan if they want to originate calls to the U.S.?), also assumed/misunderstood that having another party sign & attest their calls for them is enough to claim a "complete" implementation, and so that's why they filed the way they did.  (Trying to be generous / assume the best here.)

Since implementing S/S in the U.S. requires a 499 Filer ID, it is actually kind of infuriating that the RMD does not have 499 Filer ID as a required field on their form.  That would nip this issue right in the bud if they did.

-- Nathan

-----Original Message-----
From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Markus via VoiceOps
Sent: Thursday, July 6, 2023 1:07 PM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] STIR/SHAKEN warning!

Am 04.07.2023 um 07:35 schrieb Paul Timmins:
>> What if I'm an European telecom operator and have US-based end-users (via SIP) who are calling to the US and who would like to signal their United States A-number to the called party?
>>
>> What if I'm an European telecom operator and have Euro end-users (via SIP) who are calling to the US and who would like to signal their European A-number to the called party?
>>
>> If I try to register here - https://authenticatereg.iconectiv.com/register - "Country: United States" is hard-coded.
>>
>> Is there a way for Euro TSPs to get STIR/SHAKEN without creating a US entity/company just for this purpose?
> 
> I'm pretty sure it's the job of whoever is providing gateway services into the USA to sign the call, and that anyone in the STIR/SHAKEN system in the US has some sort of regulatory nexus here where they could be held legally responsible. It's all about finding a throat to choke if there's misconduct.

I asked iconectiv that question and now I have clarity:

Me:
"I have some fundamental questions about STIR/SHAKEN: What if I'm an 
European telecom operator and have US-based end-users (via SIP) who are 
calling to the US and who would like to signal their United States 
A-number to the called party? -> Do we need to get a STIR/SHAKEN 
certificate? [...]"

iconectiv:
"The revised SPC token Access Policy requires providers seeking to 
register with the STI-Policy Administrator (STI-PA) to:
1) Have a current form 499A on file with the FCC;
2) Have been assigned an Operating Company Number (OCN); [...]

Me:
"Since registering as 499A and getting an own OCN is only possible for 
US companies, I figure getting a STIR/SHAKEN certificate through you is 
currently not possible for non-US companies. Is that correct?"

iconectiv:
"That is correct."

The confusion also came from the fact that many non-US companies that 
registered in the Robocall Mitigation Database - 
https://fccprod.servicenowservices.com/rmd?id=rmd_listings - chose 
"Complete STIR/SHAKEN implementation" or "Partial STIR/SHAKEN 
implementation", which, unless they also have a US subsidiary, seems to 
be a lie. Probably they chose something that looked cool in the dropdown 
box, or were too lazy to develop a Robocall Mitigation Plan (this is 
what you gotta upload as DOCUMENT if you choose "No STIR/SHAKEN 
implementation". I also noticed some non-US companies just uploaded some 
random document to the database, like a high school report or just some 
random letters or words...   so much about the quality of that database.

Good luck
Markus
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

More information about the VoiceOps mailing list