[VoiceOps] All carriers must get their STIR/SHAKEN certificate by June 30th!
Peter Beckman
beckman at angryox.com
Fri Jun 2 15:48:36 EDT 2023
What is the most affordable and fast way to get a cert? E.g. how much
should one pay, and to whom?
On Fri, 2 Jun 2023, Mary Lou Carey via VoiceOps wrote:
> VOIP carriers were not typically considered facilities-based because
> they didn't have their own switch, circuits, or NXXs connected to the
> ILECs. Now they can get their own NXXs if they get numbering
> authorization from the FCC, but their PSTN connections still have to
> ride another carrier's network to be connected to the ILEC so they still
> fall under non-Facilities based like resellers do.
>
> The only companies that are still exempt are the ones whose entire
> networks are completely operated via SS7 trunking. The only reason they
> are allowed to be exempt is that STIR/SHAKEN doesn't work well on an SS7
> network. Since no one has been able to figure out a way to solve that
> problem, they can't require them to be compliant. So if any portion of
> your network operates on VOIP, then you need to get a STIR/SHAKEN
> certificate for that portion of your network.
>
> Sucks I know, but
>
>
>
> MARY LOU CAREY
> BackUP Telecom Consulting
> Office: 615-791-9969
> Cell: 615-796-1111
>
> On 2023-06-01 09:23 PM, Nathan Anderson via VoiceOps wrote:
>> Thanks both to you and Mary Lou for your thoughtful responses.
>>
>> Okay, so just to be clear, the remaining carriers for whom the June
>> 2023 deadline applies to are providers who provide dialtone to
>> end-users via POTS, but who originate at least some of the calls from
>> those end-users to the PSTN via an IP peer/trunk, and it is
>> specifically those calls that they now need to start signing but were
>> exempt from doing so until a month from now? And the reason that they
>> didn't have to implement a year ago (but pure IP-based interconnected
>> VoIP providers with < 100K subs *did*) is because § 64.6304(a)(1)(i)
>> only applies to "non-facilities-based" providers, and if a telecom is
>> building and maintaining POTS circuits to end-users, they are
>> facilities-based by definition?
>>
>> This gets us into the weeds on the definition of "facilities-based".
>> I assume that the "facilities" in question must be facilities with
>> traditional telecom switching equipment (either analog or TDM). So
>> even if you run your own pure IP network end-to-end with no underlying
>> leased circuits, and outright own your physical data centers where you
>> house and run all of your own routers and SIP proxies, if 100% of your
>> voice subscriber base is provisioned via VoIP, even if the end-user's
>> VoIP equipment is talking to a server that you own, run, and maintain
>> in your own data center "facilities", you still do not count as a
>> "facilities-based" telecom, correct?
>>
>> Is there some "minimum" amount of actual TDM you can be running on
>> your network in order for you to meet the definition of -- or claim
>> for yourself the status of -- "facilities-based"? If someone had zero
>> POTS circuits built to any of their end-users & all of their users are
>> connected to their voice network via VoIP, but they have a single ICA
>> with a single LEC, a TDM trunk between them and that LEC (where they
>> immediately gateway the TDM traffic to/from IP as it ingresses or
>> egresses their network), and a presence on the SS7 network...are they
>> now considered to be "facilities-based"? And would they similarly
>> have had all of their IP-trunked origination (calls that weren't going
>> out via their TDM connection to the LEC) exempted until this year, if
>> they had under 100K subs?
>>
>> As far as my question about white-labeling service goes, to be clear,
>> we aren't in this category and have been signing our customers' calls
>> with our own SHAKEN cert for the past year. But I know of plenty of
>> other providers of similar size & scale (regional ISP whose bread and
>> butter is internet connectivity, but with a small sprinkling of VoIP
>> on top) who want to have a VoIP offering for various reasons, but
>> simply outsource 100% of the VoIP component to a white-labeler. They
>> bill the customer for the service, and presumably have a 499 Filer-ID
>> and file As and Qs with USAC, but they have nothing to do with the
>> underlying voice service...ATAs get drop-shipped to customers from the
>> white-labeler when service is ordered, the ISP doesn't have any hand
>> in the provisioning, they don't operate a single SIP proxy or media
>> gateway, they have zero numbering resources of their own and zero ICAs
>> with other carriers, etc. It's like the interconnected VoIP
>> equivalent to reselling an ILEC analog POTS line...they're just a
>> middle-man when it comes to billing (and thus, as an indirect result,
>> to collecting and remitting USF) and front-line support.
>>
>> Now of course, many wholesale origination providers these days support
>> having you house your SHAKEN cert on their server & will sign your
>> outgoing calls for you with your own cert, and even those that don't
>> do this will still pass your own signature/Identity header in the SIP
>> INVITEs you send to them unmolested. But to be able to do the latter,
>> you need to be running a SIP proxy or B2BUA somewhere between the
>> end-user and your wholesale provider, which these other providers I'm
>> talking about aren't doing. And it's not at all clear to me that
>> most?/many?/any? *white-label* interconnected VoIP providers are set
>> up to do the former...they're all STIR/SHAKEN compliant of course, but
>> I'd guess they are signing all of the calls they originate with their
>> own cert.
>>
>> That's only an educated guess on my part, of course, since I've been
>> looking around even after asking here, and have yet to find any first-
>> or even second-hand accounts one way or the other.
>>
>> -- Nathan
>>
>> -----Original Message-----
>> From: David Frankel [mailto:dfrankel at zipdx.com]
>> Sent: Thursday, June 1, 2023 1:45 PM
>> To: 'Mary Lou Carey'; Nathan Anderson
>> Cc: 'Voice Ops'
>> Subject: RE: [VoiceOps] All carriers must get their STIR/SHAKEN
>> certificate by June 30th!
>>
>> I am not an attorney; this is not legal advice.
>>
>> The (primary) purpose of STIR/SHAKEN was not to help the ITG. The
>> purposes
>> are to (at the terminating or called-party end of the call) identify
>> the
>> entity responsible for originating the call, and allow that entity to
>> signal
>> what they know about the association between the caller and the calling
>> number.
>>
>> We are just about to the point (end of this month) where virtually all
>> providers are required to sign the calls they originate and send onward
>> via
>> IP. That includes providers that serve so-called POTS customers (when
>> those
>> POTS customers place calls sent via other providers). See 47 CFR §
>> 64.6301(a)(2)
>>
>> This applies to the ORIGINATING provider. The expectation, as made
>> clear in
>> the implementing specs and regulations, is that the originating
>> provider
>> KNOWS who the caller is. ATIS says (ATIS-1000088): "Has a direct
>> authenticated relationship with the customer and can identify the
>> customer."
>>
>> If you are a reseller and you are the one with the "direct
>> authenticated
>> relationship with the customer" then your (A- or B-) signature should
>> be on
>> the calls. As noted, you can get a SHAKEN token and delegate the
>> signing to
>> your underlying provider. But it will be your name, and your
>> reputation, on
>> the calls.
>>
>> If you are an underlying provider and you do NOT know who the customer
>> is,
>> then insist that your reseller get a token and either sign the calls or
>> delegate that to you (with their token). If you do not know anything
>> about
>> the caller, then you are risking your reputation (and perhaps more) by
>> signing those calls.
>>
>> More of my thoughts on this topic are here:
>> https://legalcallsonly.org/attestation-inflation-the-abcs-of-signing-calls/
>>
>> If you find the regulations confusing, your best bet is to play it
>> safe.
>> That would mean signing calls with your OWN token when your direct
>> customer
>> is the one initiating the calls (that is, they are the "caller" for
>> legal
>> purposes and they are going to take responsibility for conformance of
>> the
>> calls to ALL the applicable regulations -- and there are many,
>> including
>> TCPA, TSR, fraud, and state statutes). You, as the originating
>> provider,
>> still have a set of responsibilities here -- see 47 CFR § 64.1200(n)(3)
>> as
>> ONE EXAMPLE. If the calls come to you from an entity that is not the
>> one
>> initiating the calls, then insist that the calls are signed when you
>> get
>> them (or that your customer provides you with their token so you can
>> affix
>> their signature).
>>
>> As Mary Lou indicates, you are playing Russian roulette if you are
>> originating calls and they do not bear your signature. And your
>> underlying
>> provider is doing the same if they are accepting those calls unsigned
>> and
>> sending them onward.
>>
>> The FCC has a Further Notice of Proposed Rulemaking that is open for
>> comment
>> RIGHT NOW on the topic of "Third-Party Caller ID Authentication." The
>> FNPRM
>> is available here:
>> https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf.
>> See starting at paragraph 97. Initial public comments on this FNPRM are
>> due
>> June 5 (Monday) and Reply Comments are due a month later. You'll be
>> able to
>> read (and file) comments here:
>>
> https://www.fcc.gov/ecfs/search/search-filings/results?q=(proceedings.name:(
>> %2217-97%22)). Once comments are filed the FCC will likely issue an
>> Order in
>> due course, which may be clarifying or confusing or both or neither.
>>
>> David Frankel
>> ZipDX® LLC
>> St. George, UT USA
>> Tel: 1-800-FRANKEL (1-800-372-6535)
>> Visit My Robocall Blog
>>
>> -----Original Message-----
>> From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Mary Lou
>> Carey
>> via VoiceOps
>> Sent: Thursday, June 1, 2023 2:01 PM
>> To: Nathan Anderson <nathana at fsr.com>
>> Cc: Voice Ops <voiceops at voiceops.org>
>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>> certificate
>> by June 30th!
>>
>> US telecom brain trust? Wow......I don't even know what to say, but I'm
>> thinking I should send my 21-year-old your way because he thinks he's a
>> lot
>> smarter than I am. LOL!
>>
>> Im going to preface my response by saying I'm not sure anyone knows
>> exactly
>> what the ruling means because I've called the FCC and STI-GA multiple
>> times
>> to ask specific questions like yours. Any time my question gets too
>> detailed, I've been told to go read the ruling myself because they
>> aren't
>> attorneys and don't want to give legal advice that would steer me in
>> the
>> wrong direction. I don't know of any attorneys that have felt so
>> comfortable
>> discussing the details of the network that they have gone out on a limb
>> to
>> explain it to everyone either, so I can only tell you what I think
>> based on
>> what I've been told to date.
>>
>> My understanding from talking to the FCC and STI-GA is that the purpose
>> of
>> STIR/SHAKEN was to help the ITG identify all the players in the
>> industry so
>> the ITG can more easily shut down the bad players and if necessary the
>> providers that enable those bad players. To me, that means regardless
>> of
>> whether a company has its own network, leases another carrier's
>> network, or
>> resells services, the FCC wants to identify every player in the
>> network. We
>> can debate which networks are exempt and which networks aren't, but
>> ultimately there's not a lot you can do if the powers that be decide
>> your
>> network should be compliant and it's not.
>>
>> The choice to get a STIR/SHAKEN certificate is ultimately up to each
>> company. They can either play it safe and get a token or they can play
>> Russian Roulette with their business and not get a token. To date, I've
>> seen
>> the FCC/ITG give non-compliant carriers 30 days to become compliant,
>> but
>> that's not always enough time. I don't know if that is going to change
>> after
>> the deadline, but it could. It's not that difficult to get your own
>> certificate and if another carrier is already signing your calls it's
>> not
>> that much more cost-wise to have your own certificate. So to me it's
>> better
>> to be safe than sorry.
>>
>> I hope that helps,
>>
>> MARY LOU CAREY
>> BackUP Telecom Consulting
>> Office: 615-791-9969
>> Cell: 615-796-1111
>>
>> On 2023-05-31 09:33 PM, Nathan Anderson via VoiceOps wrote:
>>> I do find this a little confusing.
>>>
>>> It's already clear that POTS service has been made exempt "until
>>> further notice". So when the small operators exemption deadline was
>>> pushed up from end of June 2023 to end of June 2022, that -- by
>>> logical deduction -- could only have included small interconnected
>>> VoIP operators (which I believe was made explicitly clear anyway, but
>>> even if it had been ambiguous in the language, ...).
>>>
>>> So, out of all the interconnected VoIP operators in the States large
>>> OR small...who the heck is left who HASN'T already been required to
>>> have it implemented on their network by this point?? I don't
>>> understand who this June 2023 deadline applies to: the POTS circuit
>>> providers aren't covered by it, and all sizes of interconnected VoIP
>>> providers should have already implemented it a year ago at the latest.
>>>
>>> Another question that occurs to me (I could probably find the answer
>>> to this question with a little searching, but since I'm already here
>>> talking to the U.S. telecom brain-trust): would a provider who merely
>>> supplies white-labeled service from another interconnected VoIP
>>> provider and slaps their own name on it be required to obtain their
>>> own SHAKEN cert, and have the underlying VoIP provider sign any of
>>> their customers' calls with that cert instead of a cert belonging to
>>> the actual VoIP provider, even if the white-labeler/reseller has
>>> literally nothing to do with the network at all that services the
>>> calls?
>>>
>>> -- Nathan
>>>
>>> -----Original Message-----
>>> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of
>>> Michael Graves via VoiceOps
>>> Sent: Wednesday, May 31, 2023 1:12 PM
>>> To: Mary Lou Carey; Alex Balashov
>>> Cc: voiceops at voiceops.org
>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>> certificate by June 30th!
>>>
>>> There was an extension for "small" providers (under 100k lines) ends
>>> on June 30, 2023.
>>>
>>> That extension was basically was targeting rural LECs. It was amended
>>> so it only included those who have physical infrastructure to their
>>> clients.
>>>
>>> Those who do not operate such legacy infrastructure are supposed to be
>>> signing their calls as of June 30, 2022.
>>>
>>> There are further "gateway" orders about how any operator is supposed
>>> to handle calls arriving on their network that are not signed.
>>>
>>> Michael Graves
>>> mgraves at mstvp.com
>>> o: (713) 861-4005
>>> c: (713) 201-1262
>>> sip:mgraves at mjg.onsip.com
>>>
>>> -----Original Message-----
>>> From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Mary Lou
>>> Carey via VoiceOps
>>> Sent: Wednesday, May 31, 2023 2:46 PM
>>> To: Alex Balashov <abalashov at evaristesys.com>
>>> Cc: voiceops at voiceops.org
>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>> certificate by June 30th!
>>> Importance: High
>>>
>>> Any carrier that provides originating VOIP or a combination of
>>> originating VOIP / PSTN / Wireless VOICE services needs to get its
>>> own certificate. My understanding is that only those who provide
>>> PSTN-only voice services do not need to have their own STIR/SHAKEN
>>> token because the technology still does not support it.
>>>
>>> Mary Lou Carey
>>> (615) 796-1111
>>>
>>> MARY LOU CAREY
>>> BackUP Telecom Consulting
>>> Office: 615-791-9969
>>> Cell: 615-796-1111
>>>
>>> On 2023-05-31 02:11 PM, Alex Balashov wrote:
>>>> Hi Mary Lou,
>>>>
>>>> Thank you for this.
>>>>
>>>> A stupid - and certainly belated - question: how exactly is a carrier
>>>> defined, in the letter of the regulations underlying this deadline?
>>>> Or to put it another way: who, as a VoIP service provider of one sort
>>>> or another, _doesn't_ have to get their own token?
>>>>
>>>> -- Alex
>>>>
>>>>> On May 31, 2023, at 1:46 PM, Mary Lou Carey via VoiceOps
>>>>> <voiceops at voiceops.org> wrote:
>>>>>
>>>>> Hey all,
>>>>>
>>>>> I just wanted to send out a reminder that the drop dead date for all
>>>>> carriers to get THEIR OWN STIR/SHAKEN certificate is coming up on
>>>>> June 30th. You can still have an underlying carrier sign your calls
>>>>> for you, but they must sign with YOUR token......not their own! You
>>>>> have to register with the STI-PA to start the process at this link:
>>>>>
>>>>> https://authenticatereg.iconectiv.com/register
>>>>>
>>>>> You must have your own IPES Company Code (aka OCN) and 499 filer ID
>>>>> to get a STIR/SHAKEN certificate. Just getting the certificate can
>>>>> take up to several weeks so please don't wait until the last minute
>>>>> to get one. I would hate to see anyone's network get shut down
>>>>> because they aren't signing their calls as per the FCC guidelines.
>>>>>
>>>>> MARY LOU CAREY
>>>>> BackUP Telecom Consulting
>>>>> Office: 615-791-9969
>>>>> Cell: 615-796-1111
>>>>> _______________________________________________
>>>>> VoiceOps mailing list
>>>>> VoiceOps at voiceops.org
>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>> _______________________________________________
>>> VoiceOps mailing list
>>> VoiceOps at voiceops.org
>>> https://puck.nether.net/mailman/listinfo/voiceops
>>> _______________________________________________
>>> VoiceOps mailing list
>>> VoiceOps at voiceops.org
>>> https://puck.nether.net/mailman/listinfo/voiceops
>>> _______________________________________________
>>> VoiceOps mailing list
>>> VoiceOps at voiceops.org
>>> https://puck.nether.net/mailman/listinfo/voiceops
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com https://www.angryox.com/
---------------------------------------------------------------------------
More information about the VoiceOps
mailing list