[VoiceOps] Update on STIR/SHAKEN

David Frankel dfrankel at zipdx.com
Wed Jul 12 20:01:17 EDT 2023 

Nathan: Thanks for sharing your thinking and a specific example.

I can't speak for the FCC or the ITG (obviously) and they probably won't
weigh in here. But, as Mary has done, I can share what I hope is a
reasonably accurate perspective.

I hope, Nathan, that the key is your statement: "But sans any violations to
look into...how would they know?" And, I would add, why would they care? If
the group you describe isn't a bunch of trouble-makers, then surely there
are other fish to fry when it comes to compliance issues. Let's put our
focus on the ones that are actually wreaking havoc.

I hadn't heard of Atheral before, but I see that they have a SHAKEN token
per iconectiv, so they can sign calls. They list several customers on their
web page; I spot checked those and the ones I searched do NOT have tokens
but ARE registered in the Robocall Mitigation Database. I did see that a
couple of them had very nicely written Robocall Mitigation Plans (Zirkel,
for example, with Vistabeam in second place) that explained exactly how they
work with Atheral in terms of getting calls signed.

We could debate (and in fact, we are debating at the FCC) whether, for
example, it's OK for Atheral to sign calls with Atheral's token on behalf of
Zirkel. We might argue that Zirkel is the one with the direct authenticated
relationship with their customer, so it should be a Zirkel signature on
those calls. Or you can make a semantic argument that Atheral is the
"Originating Voice Service Provider" and that it is through their agent
Zirkel that they have the customer relationship. Zirkel explains how they
validate the phone numbers that their customers use, and pass that
information on to Atheral for proper attestation. It all appears to be on
the up-and-up. 

Atheral has to understand that by putting the Atheral signature on calls
coming via Zirkel and others, Atheral is putting its own reputation on the
line. So Atheral is presumably motivated to ensure everybody plays nice,
which they probably do at least in part via their contractual agreements.

To my knowledge, the ITG does not "block traffic" or enforce rules about
tokens. The ITG is in the business of traceback, and it makes the
information it gathers through that process available, selectively, to
others that can then act on it. That includes not just government enforcers
but, for example, others in the call chain. If a particular provider is
involved in a traceback, they get visibility to whether their upstream is
responding to that traceback. If not, or if that upstream failed to sign a
call when they should have, then the downstream provider can initiate action
on its own with respect to that upstream.

Back to Atheral -- our RRAPTOR robocall surveillance platform has never
captured a problematic call with an Atheral signature. That doesn't mean we
know for certain that no "bad" robocalls flow via Atheral, but it's probably
safe to say that at the moment, Atheral and its customers aren't a cause of
great concern.

Lastly, thanks Nathan for the nice words about our test tool.

David Frankel
ZipDXR LLC
St. George, UT USA

-----Original Message-----
From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Nathan Anderson
via VoiceOps
Sent: Wednesday, July 12, 2023 4:21 PM
To: 'Voice Ops' <voiceops at voiceops.org>
Subject: Re: [VoiceOps] Update on STIR/SHAKEN

Personally, I'm quite curious to know how the ITG would even be identifying
these companies as being distinct from the wholesaler, at least without a
traceback request for an actual violation, where the investigation (that the
wholesaler would likely be not only cooperative with but actively involved
in) eventually revealed that all of the violations were originating from one
particular customer of theirs.  But sans any violations to look into...how
would they know?

In particular, when asking these questions, what I specifically have in mind
are wholesalers not like VI/Sangoma et al., but more like e.g.
https://atheral.com/, which carries traffic for a bunch of smaller regional
ISPs that want to offer VoIP but don't want any of the headaches associated
with doing so.  So most of them I presume literally own no infrastructure of
their own...no softswitch, no SBC, no nothing.  They might be 499 filers,
but that's likely the extent of their direct regulatory involvement.

I believe Daniel might be hanging around on this list, so perhaps he can
shed some light on how they have been advised to approach this (whether they
are signing all calls with their own SHAKEN cert/key, or whether they can
host SHAKEN certs owned by their customers and sign the end-users of that
customer's calls with that customer's own cert, or a mix of both).

-- Nathan

-----Original Message-----
From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mary Lou
Carey via VoiceOps
Sent: Wednesday, July 12, 2023 1:29 PM
To: voiceops at voiceops.org
Subject: [VoiceOps] Update on STIR/SHAKEN

I spoke with my FCC contact today and was told to read the last order issued
in March so his response wasn't crystal clear. He said the FCC is still in
the process of deciding which types of companies can sign with a third-party
vendor's token and which ones can't.

I told him my concern is that the ITG is going to start blocking traffic in
August and companies won't know that they aren't compliant because their
wholesale provider told them they were fine. I specifically asked, "If the
ITG decides a company should have had its own token, will you give them time
to get one?" He said they have a process for handling these issues, but he
didn't come out and say "Yes" so here's what I would suggest since the
process can sometimes take longer than the 30 days they give you to comply.


If you are using a third-party provider whose signing with their token. 
At least complete the preliminary steps to qualify for your own STIR/SHAKEN
token. That way if they do come to you and tell you that you need to get it
on a moment's notice, you won't be fighting the clock so much. The
pre-requisites for filing with the STI-PA to become an approved carrier are:

1. Order your own OCN (aka company code from NECA) IPES is the correct type
for all VOIP carriers 2. Have your 499 up to date and fees paid. If you've
never filed a 499A yet, get your 499 filer ID and submit your first 499-A.
(All carriers delivering long-distance traffic in the US should have already
completed this step anyways).
3. Robocall Mitigation Plan filed.

There are multiple companies helping carriers get their STIR/SHAKEN
certificate, so it doesn't matter if you use my services or anyone else's. I
just want to make sure everyone is aware of what they need to do to make
sure their traffic doesn't get blocked because thats a lot harder to fix
than getting a certificate/token is!

MARY LOU CAREY
BackUP Telecom Consulting
Office: 615-791-9969
Cell: 615-796-1111
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

More information about the VoiceOps mailing list