[VoiceOps] All carriers must get their STIR/SHAKEN certificate by June 30th!
Mary Lou Carey
marylou at backuptelecom.com
Wed Jun 7 18:09:35 EDT 2023
You can obtain an IPES OCN from NECA by providing a contract with a
customer and a contract with an upstream carrier.
MARY LOU CAREY
BackUP Telecom Consulting
Office: 615-791-9969
Cell: 615-796-1111
On 2023-06-06 09:35 PM, Nathan Anderson wrote:
> Hmm, so after going back and reviewing other things, including
> re-reading some old posts (Mary's included!) from this here mailing
> list, there seems to be some ambiguity and conflicting information. I
> certainly don't want to be guilty of misinforming people, so I'll just
> follow up & summarize here, presenting the one possibility I see as a
> workaround to this problem:
>
> I think the change Mary was referring to was in the STI-PA policy,
> laying out requirements for service providers who want access to
> STI-PA SPC tokens. Originally, they were:
>
> 1. Have a current (most recent complete calendar year) 499A filed.
> 2. Have an OCN.
> 3. Have direct access to numbering resources.
>
> In Q2 2021, requirement #3 was removed and replaced with a new one:
>
> 3. List yourself in the RMP database.
>
> Where the ambiguity comes in is that, despite the official STI-PA
> policy removing this particular requirement, they still require an OCN
> (#2), and as pointed out before, it can't just be an OCN of any type.
> Only an OCN of a type "that is eligible for Numbering Resource
> assignments" is acceptable to them, and what I took away from this was
> that the numbering resource access requirement hasn't actually been
> rescinded. It's seemingly still there, just no longer explicitly
> spelled out in the top 3 requirements...if they intended for that to
> not be a requirement any longer, they really biffed it by creating
> this chicken-and-egg problem when they limited the types of approved
> OCNs.
>
> There seems to be some support for the idea (incl. from Mary!:
> https://puck.nether.net/pipermail/voiceops/2021-May/008895.html) that
> it is now possible to obtain an IPES OCN from NECA without first
> petitioning the FCC for a VoIP numbering resource waiver. NECA
> themselves seems to be of two minds about this: page 4 of
> https://www.neca.org/docs/default-source/public---business-solutions/code-administration/na_procedures0422.pdf?sfvrsn=2b358470_8
> only lists the requirements Mary stated in her May 2021 post that I
> linked to, but the page at
> https://www.neca.org/business-solutions/company-codes/company-code-request-instructions
> says IPES is "only permitted with an FCC waiver".
>
> Okay, so...which is it?
>
> I suppose one way to resolve this ambiguity, in favor of the argument
> that no FCC waiver is required for interconnected VoIP providers, is
> thusly:
>
> * STI-PA will only grant SPC tokens to providers who have a type of
> OCN "that is eligible for Numbering Resource assignments"
>
> * The list of specific OCN types that fall under this category are
> presented at
> https://www.neca.org/business-solutions/company-codes/company-code-request-instructions
> and "IPES" is in the list
>
> * But perhaps NECA will assign IPES OCNs without requiring that you
> produce an FCC numbering waiver for your company, as long as you
> provide the documentation outlined at
> https://www.neca.org/docs/default-source/public---business-solutions/code-administration/na_procedures0422.pdf
>
> * The parenthetical of "(only permitted with an FCC waiver)" on the
> NECA page only means that if you hold an IPES OCN and *want* access to
> numbers, you still have to separately petition the FCC for the
> waiver...but is not meant to imply that you can only be *granted* an
> IPES OCN after having first obtained such a waiver (another ambiguity!
> the parenthetical could arguably be read either way!). Meaning you
> can hold an IPES OCN *without* having access to numbering resources,
> though you could *get* access at any time simply by going through the
> waiver process with the FCC.
>
> In which case, you could argue that none of these seemingly
> contradictory requirements are actually in conflict: IPES OCNs are
> *eligible* (key word) for numbering resources, even if you yourself
> have not yet been granted that eligibility status by the FCC. So as
> long as you come to the STI-PA with an IPES OCN, they won't also try
> to confirm that you have the FCC waiver, and since the IPES OCN is in
> the list of approved OCN types, you are good to go?
>
> Ugh, the mental gymnastics required to arrive at such a conclusion are
> exhausting...you'd think somebody with some authority (e.g., FCC,
> NECA, STI-GA) could unambiguously just state the facts in a central,
> public location one way or the other.
>
> Does anybody here have any first-hand experience with obtaining an
> IPES OCN *and* being approved as a SPC-token-eligible carrier by
> iconectiv *without* having obtained the FCC numbering waiver?
>
> -- Nathan
>
> -----Original Message-----
> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of
> Nathan Anderson via VoiceOps
> Sent: Tuesday, June 6, 2023 5:54 PM
> To: 'Mary Lou Carey'
> Cc: 'Voice Ops'
> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
> certificate by June 30th!
>
> Also note that not all OCN types are accepted by STI-PA. Whatever OCN
> you supply to them MUST be of one of the types "that is eligible for
> Numbering Resource assignments" (page 3 @
> https://authenticate.iconectiv.com/sites/authenticate/files/2021-10/Service_Provider_Guidelines_Issue_6.pdf).
>
> So, for example, none of the reseller OCN types (e.g., LRSL) would be
> eligible.
>
> NECA provides a list of specific OCN types that are eligible for
> numbering resources here:
> https://www.neca.org/business-solutions/company-codes/company-code-request-instructions
>
> They list IPES among them, of course, but with the note that it's
> "only permitted with an FCC waiver".
>
> I believe it was this chain of logic (STI-PA only allows specific OCN
> types, NECA lists them, IPES is among them but specifically says you
> must get an FCC waiver) that led me to conclude that the FCC numbering
> authorization waiver was *still a requirement* specifically if you
> were going the *IPES* route. I have not been able to find anything
> that specifically exempts / rescinds this requirement.
>
> Note that you don't have to actually *have* or even *seek* your own
> numbering resources. You just have to be *eligible* to do so. The
> OCN type you have been granted serves as proof to the STI-PA that this
> is the case.
>
> -- Nathan
>
> -----Original Message-----
> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of
> Nathan Anderson via VoiceOps
> Sent: Tuesday, June 6, 2023 5:39 PM
> To: 'Mary Lou Carey'
> Cc: 'Voice Ops'
> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
> certificate by June 30th!
>
> That note about RMP vs. numbering authorization might be *technically*
> correct purely from the perspective of what the STI-PA themselves
> requires. But my understanding is that to obtain an IPES OCN, you
> still need to jump through the FCC numbering authorization hoops. So
> effectively, the requirement to petition the FCC for numbering
> authorization still applies to the vast majority of interconnected
> VoIP providers, *unless* you apply for an OCN type *other* than the
> IPES one. Would love to know if I'm misreading this..(I'll try to go
> back and refresh myself on what led me to this conclusion,
> too...perhaps the "9th hour" you refer to was so late that this change
> you are talking about didn't happen until well after June 1st of last
> year?)
>
> Also yes, if you apply for CLEC OCN, then that is done state by state
> and not nationally. We went this route because 1) we already had
> obtained CPCNs from the states we operate in some time ago, and just
> hadn't done anything with them 2) we have no plans to expand our local
> coverage area anytime soon, 3) we were concerned enough last year by
> the 30-day FCC comment period & whether we would get approval "in
> time", that CLEC OCNs seemed like they would actually be faster to
> obtain (since we could immediately apply to NECA for OCNs and not have
> to wait on the FCC at all for anything).
>
> The thing that made it a pain was just that initially NECA had
> quibbles with us about the copies of the CPCNs that we provided to
> them, and it took a bunch of back-and-forth communication and
> argumentation to convince them to accept them. Which they finally
> did, and in the end, it still took less than 30 days. And we had
> enough time to spare after that, that we were able to apply to the
> STI-PA, and finally to sign up with a SHAKEN CA and buy a cert, and
> bring the tech stack online on our side to support all of this new
> infrastructure, all before the June 30 deadline. Not sure we could
> have made it if we had been forced to go the IPES route instead (it
> would have been cutting it VERY close, assuming it would have even
> been possible).
>
> Again, this just had to do with our *particular* circumstances &
> timing at the time, so I'm not trying to advise that anybody else do
> it this way...in fact I'd actively join you in discouraging it. Go
> the IPES route if possible. The main problem is that if there is
> anybody at this point who isn't yet signing their calls, and they
> don't even have an OCN yet, well...we're now already into the first
> full week of June. So if my understanding is correct that
> specifically the *IPES* type OCN does still require numbering
> authorization thumbs-up from the FCC in order to obtain one, then it
> would be absolutely impossible for such an entity to meet the June 30
> 2023 deadline while pursuing that strategy.
>
> -- Nathan
>
> -----Original Message-----
> From: Mary Lou Carey [mailto:marylou at backuptelecom.com]
> Sent: Tuesday, June 6, 2023 2:23 PM
> To: Nathan Anderson
> Cc: Peter Beckman; 'Voice Ops'
> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
> certificate by June 30th!
>
> Just so you know there were a few changes made to the process in the
> 9th
> hour of the deadline last year. The Robocall Mitigation plan took the
> place of the requirement to get a VOIP numbering authorization from the
> FCC. So you just need to file a Robocall Mitigation Plan - not the FCC
> Numbering Authorization.
>
> Secondly, CLEC OCNs are assigned by state but if you're VOIP, one OCN
> (aka company code) is assigned for the whole country. The IPES OCN
> covers both interconnected VOIP and non-Interconnected VOIP. Clearly a
> mistake in my opinion because you can't tell a non-interconnected VOIP
> from an Interconnected VOIP but that's the way it is.
>
> You don't want to get a CLEC, Resale or ULEC OCN if you're a VOIP
> provider. It's most advantageous to get the IPES OCN.
>
> MARY LOU CAREY
> BackUP Telecom Consulting
> Office: 615-791-9969
> Cell: 615-796-1111
>
> On 2023-06-02 06:09 PM, Nathan Anderson wrote:
>> Mary's right: there are a lot of moving parts and "hidden costs" to
>> doing this. What follows is largely a "brain dump" on what I know
>> based on what we went through last year.
>>
>> Presumably if you are here on VoiceOps and asking about getting a
>> cert, you likely are a 499 filer already.
>>
>> On top of that, though, as pointed out, you need a STI-PA token issued
>> to you by the Policy Administrator in order to request a SHAKEN cert
>> from one of the approved vendors...the STI-PA essentially "vets" you
>> as an eligible telecom in advance, and then issues you a token, which
>> you in turn have to submit to your SHAKEN CA vendor of choice when you
>> apply to them for a cert. The CA has to validate the token you
>> submitted before they can issue the certificate to you. Unlike with
>> the SHAKEN cert, which is similar to a SSL/TLS cert in that there are
>> many certificate authorities competing with one another for your
>> business, the STI-PA contract has been awarded to a single company:
>> iconectiv. You need to go to them and get set up in their system.
>>
>> In order to be approved by the STI-PA, though, you need to have an OCN
>> issued to your company if you don't have one already. The
>> STI-PA/iconectiv will ask you for this when you sign up with them, and
>> you can't proceed without one. The company that administers all OCN
>> assignments is NECA.
>>
>> As far as costs go, the OCN allocation is a one-time fee, and the
>> prices are published here:
>> https://www.neca.org/business-solutions/company-codes ...the STI-PA
>> fees are annual and based on your telecom revenues as reported on your
>> most recent 499A filing. I can't remember the exact number, but I
>> want to say it's a very small percentage, perhaps even under 1%. But
>> of course there is some "minimum" absolute $ number that it will never
>> be lower than, heh. (Quickly looked that up; looks like that minimum
>> annual figure is $825.) Then there are of course whatever costs you
>> have to pay to consultants or lawyers to help you put all of these
>> puzzle pieces together, which I think was what Mary was largely
>> addressing.
>>
>> I think what Peter was specifically asking about, though, was the cost
>> for the actual SHAKEN certificate itself, and what vendor to use for
>> that. iconectiv maintains an up-to-date list of approved SHAKEN CAs
>> that you can pick from:
>> https://authenticate.iconectiv.com/approved-certification-authorities
>> Vast majority of them don't like to publish their prices & you have to
>> ask. From the research I did last year, pricing basically starts at
>> ~$1,000/year, and that's on the LOW side: the average annual price is
>> actually much higher than that from most CAs. What I can tell you is
>> that we chose to go with Sansay. Theirs was not only the lowest price
>> by far, but their system and policies were also the most reasonable
>> out of all the SHAKEN CAs that I talked to by a *mile*. (As just one
>> example, you essentially get unlimited cert reissues during the year,
>> while many other CAs will charge you if you need to revoke a
>> compromised cert and request a new one.) They went WELL out of their
>> way to help me get onboarded and running, too. Can't say enough good
>> things about them; just everything about the experience of working
>> with them has been top-notch. It's almost like they actually wanted
>> my business!! I recommend reaching out to Carlos Perez w/ Sansay (you
>> can find him hanging out here @ VoiceOps)...he is the man.
>>
>> From just a purely pain-in-the-tuchus perspective, the most difficult
>> process to get through of all the aforementioned ones was definitely
>> obtaining our OCN allocation. But that could just be because of our
>> particular unique circumstances...we chose to tackle it ourselves
>> rather than farm it out, and we applied as a CLEC. If you are purely
>> an interconnected VoIP provider, though, and not an actual CLEC, I
>> have to imagine that taking the IPES "golden path" is going to prove
>> to be much less of a hassle. This will require that you apply to the
>> FCC for a "VoIP Numbering Authorization" before you apply for your
>> OCN:
>> https://www.fcc.gov/wireline-competition/competition-policy-division/numbering-resources/general/voip-numbering
>> -- do note that this has an inherent 30-day built-in wait time, since
>> the FCC requires that your application be open to public comment for a
>> 30 day period before they make a ruling. Which means, unfortunately,
>> that if you haven't already started this process by this point, you
>> aren't going to be able to obtain your OCN before June 30, much less
>> an actual SHAKEN cert.
>>
>> Once you finally have your OCN, you also need to make sure you have a
>> documented robocall mitigation plan filed with the FCC at
>> https://fccprod.servicenowservices.com/rmd?id=rmd_welcome before
>> iconectiv will get you set up on the STI-PA side. Also, once you
>> finally have your SHAKEN cert and are actively signing calls, you need
>> to go back to the FCC robocall mitigation database and update your
>> entry in the database to reflect the fact that you are now STIR/SHAKEN
>> compliant.
>>
>> On the tech stack side, you need to host your SHAKEN cert on a public
>> server so that other telecoms who receive calls from your users can
>> validate that the calls that you are signing are indeed authentic.
>> And your outgoing calls need to include a new field within the SIP
>> headers called "Identity", which is a Base64-encoded version of the
>> signature for that particular call (signed by your private key), along
>> with the URL pointing at your public cert (which is also embedded
>> within the encrypted signature, so when it's decrypted and the two
>> match, that validates that the public cert located at that URL is
>> indeed yours). The payload of the "Identity" header is called a
>> PASSporT (yet another in a series of groan-worthy backronyms...)
>>
>> Virtually all of the SHAKEN cert providers also offer end-to-end
>> solutions for VoIP providers that take care of all of this for you:
>> they'll host your public cert for you on their servers, and many even
>> offer a cloud API or SIP proxy service that will sign your calls for
>> you (by also storing your private key in a secure location on their
>> side & either generating the Identity header for your and sending it
>> back to you so that you can include it in the call, or by having you
>> send your SIP INVITEs to their proxy where they'll just add it to the
>> SIP header for you before they pass the INVITE on to your termination
>> provider). Of course, all these extra services often have additional
>> costs associated with them. Once again, we elected to implement our
>> own solution, and I based it largely on Signalwire's open source
>> "libstirshaken" codebase: https://github.com/signalwire/libstirshaken
>> -- this can integrate directly with FreeSwitch if that's what you use,
>> but in our case I just built the included command-line "stirshaken"
>> demo utility, and shell out to that to generate the PASSporTs which
>> then get added to the SIP header for our outgoing INVITEs.
>>
>> Hope that at least some part of this proves helpful, and good luck,
>>
>> -- Nathan
>>
>> -----Original Message-----
>> From: Mary Lou Carey [mailto:marylou at backuptelecom.com]
>> Sent: Friday, June 2, 2023 1:16 PM
>> To: Peter Beckman
>> Cc: Nathan Anderson; 'Voice Ops'
>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>> certificate by June 30th!
>>
>> I can only give you a ballpark price because it depends on what you
>> need
>> to be done. You need to have an OCN, 499 filer ID, and Robocall
>> Mitigation plan in place before you can apply for the STI-PA. If you
>> have those in place already the cost is obviously less.
>>
>> I have someone that does the filings for my clients. If a company
>> needs
>> everything she charges between $1200-$1500 range not including the
>> NECA
>> fee for the OCN. If the company already has everything except the
>> STI-PA
>> registration then you're looking in the $300 - $500 range. The
>> variance
>> in cost just depends on whether or not there are any issues with your
>> 499 status.
>>
>> MARY LOU CAREY
>> BackUP Telecom Consulting
>> Office: 615-791-9969
>> Cell: 615-796-1111
>>
>> On 2023-06-02 02:48 PM, Peter Beckman wrote:
>>> What is the most affordable and fast way to get a cert? E.g. how much
>>> should one pay, and to whom?
>>>
>>> On Fri, 2 Jun 2023, Mary Lou Carey via VoiceOps wrote:
>>>
>>>> VOIP carriers were not typically considered facilities-based because
>>>> they didn't have their own switch, circuits, or NXXs connected to
>>>> the
>>>> ILECs. Now they can get their own NXXs if they get numbering
>>>> authorization from the FCC, but their PSTN connections still have to
>>>> ride another carrier's network to be connected to the ILEC so they
>>>> still fall under non-Facilities based like resellers do.
>>>>
>>>> The only companies that are still exempt are the ones whose entire
>>>> networks are completely operated via SS7 trunking. The only reason
>>>> they are allowed to be exempt is that STIR/SHAKEN doesn't work well
>>>> on
>>>> an SS7 network. Since no one has been able to figure out a way to
>>>> solve that problem, they can't require them to be compliant. So if
>>>> any
>>>> portion of your network operates on VOIP, then you need to get a
>>>> STIR/SHAKEN certificate for that portion of your network.
>>>>
>>>> Sucks I know, but
>>>>
>>>>
>>>>
>>>> MARY LOU CAREY
>>>> BackUP Telecom Consulting
>>>> Office: 615-791-9969
>>>> Cell: 615-796-1111
>>>>
>>>> On 2023-06-01 09:23 PM, Nathan Anderson via VoiceOps wrote:
>>>>> Thanks both to you and Mary Lou for your thoughtful responses.
>>>>>
>>>>> Okay, so just to be clear, the remaining carriers for whom the June
>>>>> 2023 deadline applies to are providers who provide dialtone to
>>>>> end-users via POTS, but who originate at least some of the calls
>>>>> from
>>>>> those end-users to the PSTN via an IP peer/trunk, and it is
>>>>> specifically those calls that they now need to start signing but
>>>>> were
>>>>> exempt from doing so until a month from now? And the reason that
>>>>> they
>>>>> didn't have to implement a year ago (but pure IP-based
>>>>> interconnected
>>>>> VoIP providers with < 100K subs *did*) is because §
>>>>> 64.6304(a)(1)(i)
>>>>> only applies to "non-facilities-based" providers, and if a telecom
>>>>> is
>>>>> building and maintaining POTS circuits to end-users, they are
>>>>> facilities-based by definition?
>>>>>
>>>>> This gets us into the weeds on the definition of
>>>>> "facilities-based".
>>>>> I assume that the "facilities" in question must be facilities with
>>>>> traditional telecom switching equipment (either analog or TDM). So
>>>>> even if you run your own pure IP network end-to-end with no
>>>>> underlying
>>>>> leased circuits, and outright own your physical data centers where
>>>>> you
>>>>> house and run all of your own routers and SIP proxies, if 100% of
>>>>> your
>>>>> voice subscriber base is provisioned via VoIP, even if the
>>>>> end-user's
>>>>> VoIP equipment is talking to a server that you own, run, and
>>>>> maintain
>>>>> in your own data center "facilities", you still do not count as a
>>>>> "facilities-based" telecom, correct?
>>>>>
>>>>> Is there some "minimum" amount of actual TDM you can be running on
>>>>> your network in order for you to meet the definition of -- or claim
>>>>> for yourself the status of -- "facilities-based"? If someone had
>>>>> zero
>>>>> POTS circuits built to any of their end-users & all of their users
>>>>> are
>>>>> connected to their voice network via VoIP, but they have a single
>>>>> ICA
>>>>> with a single LEC, a TDM trunk between them and that LEC (where
>>>>> they
>>>>> immediately gateway the TDM traffic to/from IP as it ingresses or
>>>>> egresses their network), and a presence on the SS7 network...are
>>>>> they
>>>>> now considered to be "facilities-based"? And would they similarly
>>>>> have had all of their IP-trunked origination (calls that weren't
>>>>> going
>>>>> out via their TDM connection to the LEC) exempted until this year,
>>>>> if
>>>>> they had under 100K subs?
>>>>>
>>>>> As far as my question about white-labeling service goes, to be
>>>>> clear,
>>>>> we aren't in this category and have been signing our customers'
>>>>> calls
>>>>> with our own SHAKEN cert for the past year. But I know of plenty
>>>>> of
>>>>> other providers of similar size & scale (regional ISP whose bread
>>>>> and
>>>>> butter is internet connectivity, but with a small sprinkling of
>>>>> VoIP
>>>>> on top) who want to have a VoIP offering for various reasons, but
>>>>> simply outsource 100% of the VoIP component to a white-labeler.
>>>>> They
>>>>> bill the customer for the service, and presumably have a 499
>>>>> Filer-ID
>>>>> and file As and Qs with USAC, but they have nothing to do with the
>>>>> underlying voice service...ATAs get drop-shipped to customers from
>>>>> the
>>>>> white-labeler when service is ordered, the ISP doesn't have any
>>>>> hand
>>>>> in the provisioning, they don't operate a single SIP proxy or media
>>>>> gateway, they have zero numbering resources of their own and zero
>>>>> ICAs
>>>>> with other carriers, etc. It's like the interconnected VoIP
>>>>> equivalent to reselling an ILEC analog POTS line...they're just a
>>>>> middle-man when it comes to billing (and thus, as an indirect
>>>>> result,
>>>>> to collecting and remitting USF) and front-line support.
>>>>>
>>>>> Now of course, many wholesale origination providers these days
>>>>> support
>>>>> having you house your SHAKEN cert on their server & will sign your
>>>>> outgoing calls for you with your own cert, and even those that
>>>>> don't
>>>>> do this will still pass your own signature/Identity header in the
>>>>> SIP
>>>>> INVITEs you send to them unmolested. But to be able to do the
>>>>> latter,
>>>>> you need to be running a SIP proxy or B2BUA somewhere between the
>>>>> end-user and your wholesale provider, which these other providers
>>>>> I'm
>>>>> talking about aren't doing. And it's not at all clear to me that
>>>>> most?/many?/any? *white-label* interconnected VoIP providers are
>>>>> set
>>>>> up to do the former...they're all STIR/SHAKEN compliant of course,
>>>>> but
>>>>> I'd guess they are signing all of the calls they originate with
>>>>> their
>>>>> own cert.
>>>>>
>>>>> That's only an educated guess on my part, of course, since I've
>>>>> been
>>>>> looking around even after asking here, and have yet to find any
>>>>> first-
>>>>> or even second-hand accounts one way or the other.
>>>>>
>>>>> -- Nathan
>>>>>
>>>>> -----Original Message-----
>>>>> From: David Frankel [mailto:dfrankel at zipdx.com]
>>>>> Sent: Thursday, June 1, 2023 1:45 PM
>>>>> To: 'Mary Lou Carey'; Nathan Anderson
>>>>> Cc: 'Voice Ops'
>>>>> Subject: RE: [VoiceOps] All carriers must get their STIR/SHAKEN
>>>>> certificate by June 30th!
>>>>>
>>>>> I am not an attorney; this is not legal advice.
>>>>>
>>>>> The (primary) purpose of STIR/SHAKEN was not to help the ITG. The
>>>>> purposes
>>>>> are to (at the terminating or called-party end of the call)
>>>>> identify
>>>>> the
>>>>> entity responsible for originating the call, and allow that entity
>>>>> to
>>>>> signal
>>>>> what they know about the association between the caller and the
>>>>> calling
>>>>> number.
>>>>>
>>>>> We are just about to the point (end of this month) where virtually
>>>>> all
>>>>> providers are required to sign the calls they originate and send
>>>>> onward via
>>>>> IP. That includes providers that serve so-called POTS customers
>>>>> (when
>>>>> those
>>>>> POTS customers place calls sent via other providers). See 47 CFR §
>>>>> 64.6301(a)(2)
>>>>>
>>>>> This applies to the ORIGINATING provider. The expectation, as made
>>>>> clear in
>>>>> the implementing specs and regulations, is that the originating
>>>>> provider
>>>>> KNOWS who the caller is. ATIS says (ATIS-1000088): "Has a direct
>>>>> authenticated relationship with the customer and can identify the
>>>>> customer."
>>>>>
>>>>> If you are a reseller and you are the one with the "direct
>>>>> authenticated
>>>>> relationship with the customer" then your (A- or B-) signature
>>>>> should
>>>>> be on
>>>>> the calls. As noted, you can get a SHAKEN token and delegate the
>>>>> signing to
>>>>> your underlying provider. But it will be your name, and your
>>>>> reputation, on
>>>>> the calls.
>>>>>
>>>>> If you are an underlying provider and you do NOT know who the
>>>>> customer is,
>>>>> then insist that your reseller get a token and either sign the
>>>>> calls
>>>>> or
>>>>> delegate that to you (with their token). If you do not know
>>>>> anything
>>>>> about
>>>>> the caller, then you are risking your reputation (and perhaps more)
>>>>> by
>>>>> signing those calls.
>>>>>
>>>>> More of my thoughts on this topic are here:
>>>>> https://legalcallsonly.org/attestation-inflation-the-abcs-of-signing-calls/
>>>>>
>>>>> If you find the regulations confusing, your best bet is to play it
>>>>> safe.
>>>>> That would mean signing calls with your OWN token when your direct
>>>>> customer
>>>>> is the one initiating the calls (that is, they are the "caller" for
>>>>> legal
>>>>> purposes and they are going to take responsibility for conformance
>>>>> of
>>>>> the
>>>>> calls to ALL the applicable regulations -- and there are many,
>>>>> including
>>>>> TCPA, TSR, fraud, and state statutes). You, as the originating
>>>>> provider,
>>>>> still have a set of responsibilities here -- see 47 CFR §
>>>>> 64.1200(n)(3) as
>>>>> ONE EXAMPLE. If the calls come to you from an entity that is not
>>>>> the
>>>>> one
>>>>> initiating the calls, then insist that the calls are signed when
>>>>> you
>>>>> get
>>>>> them (or that your customer provides you with their token so you
>>>>> can
>>>>> affix
>>>>> their signature).
>>>>>
>>>>> As Mary Lou indicates, you are playing Russian roulette if you are
>>>>> originating calls and they do not bear your signature. And your
>>>>> underlying
>>>>> provider is doing the same if they are accepting those calls
>>>>> unsigned
>>>>> and
>>>>> sending them onward.
>>>>>
>>>>> The FCC has a Further Notice of Proposed Rulemaking that is open
>>>>> for
>>>>> comment
>>>>> RIGHT NOW on the topic of "Third-Party Caller ID Authentication."
>>>>> The
>>>>> FNPRM
>>>>> is available here:
>>>>> https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf.
>>>>> See starting at paragraph 97. Initial public comments on this FNPRM
>>>>> are due
>>>>> June 5 (Monday) and Reply Comments are due a month later. You'll be
>>>>> able to
>>>>> read (and file) comments here:
>>>>>
>>>> https://www.fcc.gov/ecfs/search/search-filings/results?q=(proceedings.name:(
>>>>> %2217-97%22)). Once comments are filed the FCC will likely issue an
>>>>> Order in
>>>>> due course, which may be clarifying or confusing or both or
>>>>> neither.
>>>>>
>>>>> David Frankel
>>>>> ZipDX® LLC
>>>>> St. George, UT USA
>>>>> Tel: 1-800-FRANKEL (1-800-372-6535)
>>>>> Visit My Robocall Blog
>>>>>
>>>>> -----Original Message-----
>>>>> From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Mary
>>>>> Lou
>>>>> Carey
>>>>> via VoiceOps
>>>>> Sent: Thursday, June 1, 2023 2:01 PM
>>>>> To: Nathan Anderson <nathana at fsr.com>
>>>>> Cc: Voice Ops <voiceops at voiceops.org>
>>>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>>>> certificate
>>>>> by June 30th!
>>>>>
>>>>> US telecom brain trust? Wow......I don't even know what to say, but
>>>>> I'm
>>>>> thinking I should send my 21-year-old your way because he thinks
>>>>> he's
>>>>> a lot
>>>>> smarter than I am. LOL!
>>>>>
>>>>> Im going to preface my response by saying I'm not sure anyone knows
>>>>> exactly
>>>>> what the ruling means because I've called the FCC and STI-GA
>>>>> multiple
>>>>> times
>>>>> to ask specific questions like yours. Any time my question gets too
>>>>> detailed, I've been told to go read the ruling myself because they
>>>>> aren't
>>>>> attorneys and don't want to give legal advice that would steer me
>>>>> in
>>>>> the
>>>>> wrong direction. I don't know of any attorneys that have felt so
>>>>> comfortable
>>>>> discussing the details of the network that they have gone out on a
>>>>> limb to
>>>>> explain it to everyone either, so I can only tell you what I think
>>>>> based on
>>>>> what I've been told to date.
>>>>>
>>>>> My understanding from talking to the FCC and STI-GA is that the
>>>>> purpose of
>>>>> STIR/SHAKEN was to help the ITG identify all the players in the
>>>>> industry so
>>>>> the ITG can more easily shut down the bad players and if necessary
>>>>> the
>>>>> providers that enable those bad players. To me, that means
>>>>> regardless
>>>>> of
>>>>> whether a company has its own network, leases another carrier's
>>>>> network, or
>>>>> resells services, the FCC wants to identify every player in the
>>>>> network. We
>>>>> can debate which networks are exempt and which networks aren't, but
>>>>> ultimately there's not a lot you can do if the powers that be
>>>>> decide
>>>>> your
>>>>> network should be compliant and it's not.
>>>>>
>>>>> The choice to get a STIR/SHAKEN certificate is ultimately up to
>>>>> each
>>>>> company. They can either play it safe and get a token or they can
>>>>> play
>>>>> Russian Roulette with their business and not get a token. To date,
>>>>> I've seen
>>>>> the FCC/ITG give non-compliant carriers 30 days to become
>>>>> compliant,
>>>>> but
>>>>> that's not always enough time. I don't know if that is going to
>>>>> change after
>>>>> the deadline, but it could. It's not that difficult to get your own
>>>>> certificate and if another carrier is already signing your calls
>>>>> it's
>>>>> not
>>>>> that much more cost-wise to have your own certificate. So to me
>>>>> it's
>>>>> better
>>>>> to be safe than sorry.
>>>>>
>>>>> I hope that helps,
>>>>>
>>>>> MARY LOU CAREY
>>>>> BackUP Telecom Consulting
>>>>> Office: 615-791-9969
>>>>> Cell: 615-796-1111
>>>>>
>>>>> On 2023-05-31 09:33 PM, Nathan Anderson via VoiceOps wrote:
>>>>>> I do find this a little confusing.
>>>>>>
>>>>>> It's already clear that POTS service has been made exempt "until
>>>>>> further notice". So when the small operators exemption deadline
>>>>>> was
>>>>>> pushed up from end of June 2023 to end of June 2022, that -- by
>>>>>> logical deduction -- could only have included small interconnected
>>>>>> VoIP operators (which I believe was made explicitly clear anyway,
>>>>>> but
>>>>>> even if it had been ambiguous in the language, ...).
>>>>>>
>>>>>> So, out of all the interconnected VoIP operators in the States
>>>>>> large
>>>>>> OR small...who the heck is left who HASN'T already been required
>>>>>> to
>>>>>> have it implemented on their network by this point?? I don't
>>>>>> understand who this June 2023 deadline applies to: the POTS
>>>>>> circuit
>>>>>> providers aren't covered by it, and all sizes of interconnected
>>>>>> VoIP
>>>>>> providers should have already implemented it a year ago at the
>>>>>> latest.
>>>>>>
>>>>>> Another question that occurs to me (I could probably find the
>>>>>> answer
>>>>>> to this question with a little searching, but since I'm already
>>>>>> here
>>>>>> talking to the U.S. telecom brain-trust): would a provider who
>>>>>> merely
>>>>>> supplies white-labeled service from another interconnected VoIP
>>>>>> provider and slaps their own name on it be required to obtain
>>>>>> their
>>>>>> own SHAKEN cert, and have the underlying VoIP provider sign any of
>>>>>> their customers' calls with that cert instead of a cert belonging
>>>>>> to
>>>>>> the actual VoIP provider, even if the white-labeler/reseller has
>>>>>> literally nothing to do with the network at all that services the
>>>>>> calls?
>>>>>>
>>>>>> -- Nathan
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of
>>>>>> Michael Graves via VoiceOps
>>>>>> Sent: Wednesday, May 31, 2023 1:12 PM
>>>>>> To: Mary Lou Carey; Alex Balashov
>>>>>> Cc: voiceops at voiceops.org
>>>>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>>>>> certificate by June 30th!
>>>>>>
>>>>>> There was an extension for "small" providers (under 100k lines)
>>>>>> ends
>>>>>> on June 30, 2023.
>>>>>>
>>>>>> That extension was basically was targeting rural LECs. It was
>>>>>> amended
>>>>>> so it only included those who have physical infrastructure to
>>>>>> their
>>>>>> clients.
>>>>>>
>>>>>> Those who do not operate such legacy infrastructure are supposed
>>>>>> to
>>>>>> be
>>>>>> signing their calls as of June 30, 2022.
>>>>>>
>>>>>> There are further "gateway" orders about how any operator is
>>>>>> supposed
>>>>>> to handle calls arriving on their network that are not signed.
>>>>>>
>>>>>> Michael Graves
>>>>>> mgraves at mstvp.com
>>>>>> o: (713) 861-4005
>>>>>> c: (713) 201-1262
>>>>>> sip:mgraves at mjg.onsip.com
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Mary
>>>>>> Lou
>>>>>> Carey via VoiceOps
>>>>>> Sent: Wednesday, May 31, 2023 2:46 PM
>>>>>> To: Alex Balashov <abalashov at evaristesys.com>
>>>>>> Cc: voiceops at voiceops.org
>>>>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>>>>> certificate by June 30th!
>>>>>> Importance: High
>>>>>>
>>>>>> Any carrier that provides originating VOIP or a combination of
>>>>>> originating VOIP / PSTN / Wireless VOICE services needs to get
>>>>>> its
>>>>>> own certificate. My understanding is that only those who provide
>>>>>> PSTN-only voice services do not need to have their own STIR/SHAKEN
>>>>>> token because the technology still does not support it.
>>>>>>
>>>>>> Mary Lou Carey
>>>>>> (615) 796-1111
>>>>>>
>>>>>> MARY LOU CAREY
>>>>>> BackUP Telecom Consulting
>>>>>> Office: 615-791-9969
>>>>>> Cell: 615-796-1111
>>>>>>
>>>>>> On 2023-05-31 02:11 PM, Alex Balashov wrote:
>>>>>>> Hi Mary Lou,
>>>>>>>
>>>>>>> Thank you for this.
>>>>>>>
>>>>>>> A stupid - and certainly belated - question: how exactly is a
>>>>>>> carrier
>>>>>>> defined, in the letter of the regulations underlying this
>>>>>>> deadline?
>>>>>>> Or to put it another way: who, as a VoIP service provider of one
>>>>>>> sort
>>>>>>> or another, _doesn't_ have to get their own token?
>>>>>>>
>>>>>>> -- Alex
>>>>>>>
>>>>>>>> On May 31, 2023, at 1:46 PM, Mary Lou Carey via VoiceOps
>>>>>>>> <voiceops at voiceops.org> wrote:
>>>>>>>>
>>>>>>>> Hey all,
>>>>>>>>
>>>>>>>> I just wanted to send out a reminder that the drop dead date for
>>>>>>>> all
>>>>>>>> carriers to get THEIR OWN STIR/SHAKEN certificate is coming up
>>>>>>>> on
>>>>>>>> June 30th. You can still have an underlying carrier sign your
>>>>>>>> calls
>>>>>>>> for you, but they must sign with YOUR token......not their own!
>>>>>>>> You
>>>>>>>> have to register with the STI-PA to start the process at this
>>>>>>>> link:
>>>>>>>>
>>>>>>>> https://authenticatereg.iconectiv.com/register
>>>>>>>>
>>>>>>>> You must have your own IPES Company Code (aka OCN) and 499 filer
>>>>>>>> ID
>>>>>>>> to get a STIR/SHAKEN certificate. Just getting the certificate
>>>>>>>> can
>>>>>>>> take up to several weeks so please don't wait until the last
>>>>>>>> minute
>>>>>>>> to get one. I would hate to see anyone's network get shut down
>>>>>>>> because they aren't signing their calls as per the FCC
>>>>>>>> guidelines.
>>>>>>>>
>>>>>>>> MARY LOU CAREY
>>>>>>>> BackUP Telecom Consulting
>>>>>>>> Office: 615-791-9969
>>>>>>>> Cell: 615-796-1111
>>>>>>>> _______________________________________________
>>>>>>>> VoiceOps mailing list
>>>>>>>> VoiceOps at voiceops.org
>>>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>> _______________________________________________
>>>>>> VoiceOps mailing list
>>>>>> VoiceOps at voiceops.org
>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>> _______________________________________________
>>>>>> VoiceOps mailing list
>>>>>> VoiceOps at voiceops.org
>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>> _______________________________________________
>>>>>> VoiceOps mailing list
>>>>>> VoiceOps at voiceops.org
>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>> _______________________________________________
>>>>> VoiceOps mailing list
>>>>> VoiceOps at voiceops.org
>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>> _______________________________________________
>>>>> VoiceOps mailing list
>>>>> VoiceOps at voiceops.org
>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>> _______________________________________________
>>>> VoiceOps mailing list
>>>> VoiceOps at voiceops.org
>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>
>>>
>>> ---------------------------------------------------------------------------
>>> Peter Beckman
>>> Internet
>>> Guy
>>> beckman at angryox.com
>>> https://www.angryox.com/
>>> ---------------------------------------------------------------------------
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
More information about the VoiceOps
mailing list