[VoiceOps] All carriers must get their STIR/SHAKEN certificate by June 30th!
Mary Lou Carey
marylou at backuptelecom.com
Thu Jun 8 15:52:05 EDT 2023
No you always need an IPES OCN to get an STI-PA Certificate. They may
not ask for it until you get to the STI-PA registration piece, but you
always need it because that's the code that identifies your company in
the network.
MARY LOU CAREY
BackUP Telecom Consulting
Office: 615-791-9969
Cell: 615-796-1111
On 2023-06-07 07:46 PM, Peter Beckman wrote:
> So if there is an Robocall Mitigation Database listing for the company,
> then one can get an STI-PA certificate without an OCN?
>
> I do not need/want NXXs directly.
>
> Beckman
>
> On Wed, 7 Jun 2023, Mary Lou Carey wrote:
>
>> Sorry for all the responses being in different threads but I noticed
>> different things in each e-mail.
>>
>> Last year I had a long conversation with both the FCC and STI-GA
>> before they made the decision to change the requirement to the
>> Robocall Mitigation Plan. I contacted them because I was running into
>> problems with the FCC approving Numbering Authorizations for
>> Interconnected VOIP carriers (IPES) that didn't want to order their
>> own NXXs. So I reached out to them to ask how a non-interconnected
>> VOIP carrier that didn't want NXXs was supposed to qualify for an
>> STI-PA certificate if they didn't approve their application.
>>
>> I found out that the STI-GA was the one that came up with the
>> Numbering Resources requirement and they didn't realize that a company
>> needed to have either an FCC or State Certification to get numbering
>> resources. The STI-GA told me their goal was to identify every carrier
>> that has a direct connection to an end-user customer, so that's why
>> they changed the requirement from qualifying for numbering resources
>> to the Robocall Mitigation Database. The Robocall Mitigation Database
>> allowed every carrier with a direct connection to an end user to
>> qualify for an STI-PA certificate.
>>
>> As I mentioned in my previous e-mail, the IPES OCN is the only one
>> that does NOT require an FCC License or State Certification. To get an
>> IPES OCN, NECA only requires that a carrier provide their articles of
>> incorporation, and both a contract with a customer and a contract with
>> an upstream provider.
>>
>>
>>
>> MARY LOU CAREY
>> BackUP Telecom Consulting
>> Office: 615-791-9969
>> Cell: 615-796-1111
>>
>> On 2023-06-06 07:53 PM, Nathan Anderson wrote:
>>> Also note that not all OCN types are accepted by STI-PA. Whatever
>>> OCN
>>> you supply to them MUST be of one of the types "that is eligible for
>>> Numbering Resource assignments" (page 3 @
>>> https://authenticate.iconectiv.com/sites/authenticate/files/2021-10/Service_Provider_Guidelines_Issue_6.pdf).
>>>
>>> So, for example, none of the reseller OCN types (e.g., LRSL) would be
>>> eligible.
>>>
>>> NECA provides a list of specific OCN types that are eligible for
>>> numbering resources here:
>>> https://www.neca.org/business-solutions/company-codes/company-code-request-instructions
>>>
>>> They list IPES among them, of course, but with the note that it's
>>> "only permitted with an FCC waiver".
>>>
>>> I believe it was this chain of logic (STI-PA only allows specific OCN
>>> types, NECA lists them, IPES is among them but specifically says you
>>> must get an FCC waiver) that led me to conclude that the FCC
>>> numbering
>>> authorization waiver was *still a requirement* specifically if you
>>> were going the *IPES* route. I have not been able to find anything
>>> that specifically exempts / rescinds this requirement.
>>>
>>> Note that you don't have to actually *have* or even *seek* your own
>>> numbering resources. You just have to be *eligible* to do so. The
>>> OCN type you have been granted serves as proof to the STI-PA that
>>> this
>>> is the case.
>>>
>>> -- Nathan
>>>
>>> -----Original Message-----
>>> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of
>>> Nathan Anderson via VoiceOps
>>> Sent: Tuesday, June 6, 2023 5:39 PM
>>> To: 'Mary Lou Carey'
>>> Cc: 'Voice Ops'
>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>> certificate by June 30th!
>>>
>>> That note about RMP vs. numbering authorization might be
>>> *technically*
>>> correct purely from the perspective of what the STI-PA themselves
>>> requires. But my understanding is that to obtain an IPES OCN, you
>>> still need to jump through the FCC numbering authorization hoops. So
>>> effectively, the requirement to petition the FCC for numbering
>>> authorization still applies to the vast majority of interconnected
>>> VoIP providers, *unless* you apply for an OCN type *other* than the
>>> IPES one. Would love to know if I'm misreading this..(I'll try to go
>>> back and refresh myself on what led me to this conclusion,
>>> too...perhaps the "9th hour" you refer to was so late that this
>>> change
>>> you are talking about didn't happen until well after June 1st of last
>>> year?)
>>>
>>> Also yes, if you apply for CLEC OCN, then that is done state by state
>>> and not nationally. We went this route because 1) we already had
>>> obtained CPCNs from the states we operate in some time ago, and just
>>> hadn't done anything with them 2) we have no plans to expand our
>>> local
>>> coverage area anytime soon, 3) we were concerned enough last year by
>>> the 30-day FCC comment period & whether we would get approval "in
>>> time", that CLEC OCNs seemed like they would actually be faster to
>>> obtain (since we could immediately apply to NECA for OCNs and not
>>> have
>>> to wait on the FCC at all for anything).
>>>
>>> The thing that made it a pain was just that initially NECA had
>>> quibbles with us about the copies of the CPCNs that we provided to
>>> them, and it took a bunch of back-and-forth communication and
>>> argumentation to convince them to accept them. Which they finally
>>> did, and in the end, it still took less than 30 days. And we had
>>> enough time to spare after that, that we were able to apply to the
>>> STI-PA, and finally to sign up with a SHAKEN CA and buy a cert, and
>>> bring the tech stack online on our side to support all of this new
>>> infrastructure, all before the June 30 deadline. Not sure we could
>>> have made it if we had been forced to go the IPES route instead (it
>>> would have been cutting it VERY close, assuming it would have even
>>> been possible).
>>>
>>> Again, this just had to do with our *particular* circumstances &
>>> timing at the time, so I'm not trying to advise that anybody else do
>>> it this way...in fact I'd actively join you in discouraging it. Go
>>> the IPES route if possible. The main problem is that if there is
>>> anybody at this point who isn't yet signing their calls, and they
>>> don't even have an OCN yet, well...we're now already into the first
>>> full week of June. So if my understanding is correct that
>>> specifically the *IPES* type OCN does still require numbering
>>> authorization thumbs-up from the FCC in order to obtain one, then it
>>> would be absolutely impossible for such an entity to meet the June 30
>>> 2023 deadline while pursuing that strategy.
>>>
>>> -- Nathan
>>>
>>> -----Original Message-----
>>> From: Mary Lou Carey [mailto:marylou at backuptelecom.com]
>>> Sent: Tuesday, June 6, 2023 2:23 PM
>>> To: Nathan Anderson
>>> Cc: Peter Beckman; 'Voice Ops'
>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>> certificate by June 30th!
>>>
>>> Just so you know there were a few changes made to the process in the
>>> 9th
>>> hour of the deadline last year. The Robocall Mitigation plan took the
>>> place of the requirement to get a VOIP numbering authorization from
>>> the
>>> FCC. So you just need to file a Robocall Mitigation Plan - not the
>>> FCC
>>> Numbering Authorization.
>>>
>>> Secondly, CLEC OCNs are assigned by state but if you're VOIP, one OCN
>>> (aka company code) is assigned for the whole country. The IPES OCN
>>> covers both interconnected VOIP and non-Interconnected VOIP. Clearly
>>> a
>>> mistake in my opinion because you can't tell a non-interconnected
>>> VOIP
>>> from an Interconnected VOIP but that's the way it is.
>>>
>>> You don't want to get a CLEC, Resale or ULEC OCN if you're a VOIP
>>> provider. It's most advantageous to get the IPES OCN.
>>>
>>> MARY LOU CAREY
>>> BackUP Telecom Consulting
>>> Office: 615-791-9969
>>> Cell: 615-796-1111
>>>
>>> On 2023-06-02 06:09 PM, Nathan Anderson wrote:
>>>> Mary's right: there are a lot of moving parts and "hidden costs" to
>>>> doing this. What follows is largely a "brain dump" on what I know
>>>> based on what we went through last year.
>>>>
>>>> Presumably if you are here on VoiceOps and asking about getting a
>>>> cert, you likely are a 499 filer already.
>>>>
>>>> On top of that, though, as pointed out, you need a STI-PA token
>>>> issued
>>>> to you by the Policy Administrator in order to request a SHAKEN cert
>>>> from one of the approved vendors...the STI-PA essentially "vets" you
>>>> as an eligible telecom in advance, and then issues you a token,
>>>> which
>>>> you in turn have to submit to your SHAKEN CA vendor of choice when
>>>> you
>>>> apply to them for a cert. The CA has to validate the token you
>>>> submitted before they can issue the certificate to you. Unlike with
>>>> the SHAKEN cert, which is similar to a SSL/TLS cert in that there
>>>> are
>>>> many certificate authorities competing with one another for your
>>>> business, the STI-PA contract has been awarded to a single company:
>>>> iconectiv. You need to go to them and get set up in their system.
>>>>
>>>> In order to be approved by the STI-PA, though, you need to have an
>>>> OCN
>>>> issued to your company if you don't have one already. The
>>>> STI-PA/iconectiv will ask you for this when you sign up with them,
>>>> and
>>>> you can't proceed without one. The company that administers all OCN
>>>> assignments is NECA.
>>>>
>>>> As far as costs go, the OCN allocation is a one-time fee, and the
>>>> prices are published here:
>>>> https://www.neca.org/business-solutions/company-codes ...the STI-PA
>>>> fees are annual and based on your telecom revenues as reported on
>>>> your
>>>> most recent 499A filing. I can't remember the exact number, but I
>>>> want to say it's a very small percentage, perhaps even under 1%.
>>>> But
>>>> of course there is some "minimum" absolute $ number that it will
>>>> never
>>>> be lower than, heh. (Quickly looked that up; looks like that
>>>> minimum
>>>> annual figure is $825.) Then there are of course whatever costs you
>>>> have to pay to consultants or lawyers to help you put all of these
>>>> puzzle pieces together, which I think was what Mary was largely
>>>> addressing.
>>>>
>>>> I think what Peter was specifically asking about, though, was the
>>>> cost
>>>> for the actual SHAKEN certificate itself, and what vendor to use for
>>>> that. iconectiv maintains an up-to-date list of approved SHAKEN CAs
>>>> that you can pick from:
>>>> https://authenticate.iconectiv.com/approved-certification-authorities
>>>> Vast majority of them don't like to publish their prices & you have
>>>> to
>>>> ask. From the research I did last year, pricing basically starts at
>>>> ~$1,000/year, and that's on the LOW side: the average annual price
>>>> is
>>>> actually much higher than that from most CAs. What I can tell you
>>>> is
>>>> that we chose to go with Sansay. Theirs was not only the lowest
>>>> price
>>>> by far, but their system and policies were also the most reasonable
>>>> out of all the SHAKEN CAs that I talked to by a *mile*. (As just
>>>> one
>>>> example, you essentially get unlimited cert reissues during the
>>>> year,
>>>> while many other CAs will charge you if you need to revoke a
>>>> compromised cert and request a new one.) They went WELL out of
>>>> their
>>>> way to help me get onboarded and running, too. Can't say enough
>>>> good
>>>> things about them; just everything about the experience of working
>>>> with them has been top-notch. It's almost like they actually wanted
>>>> my business!! I recommend reaching out to Carlos Perez w/ Sansay
>>>> (you
>>>> can find him hanging out here @ VoiceOps)...he is the man.
>>>>
>>>> From just a purely pain-in-the-tuchus perspective, the most
>>>> difficult
>>>> process to get through of all the aforementioned ones was definitely
>>>> obtaining our OCN allocation. But that could just be because of our
>>>> particular unique circumstances...we chose to tackle it ourselves
>>>> rather than farm it out, and we applied as a CLEC. If you are
>>>> purely
>>>> an interconnected VoIP provider, though, and not an actual CLEC, I
>>>> have to imagine that taking the IPES "golden path" is going to prove
>>>> to be much less of a hassle. This will require that you apply to
>>>> the
>>>> FCC for a "VoIP Numbering Authorization" before you apply for your
>>>> OCN:
>>>> https://www.fcc.gov/wireline-competition/competition-policy-division/numbering-resources/general/voip-numbering
>>>> -- do note that this has an inherent 30-day built-in wait time,
>>>> since
>>>> the FCC requires that your application be open to public comment for
>>>> a
>>>> 30 day period before they make a ruling. Which means,
>>>> unfortunately,
>>>> that if you haven't already started this process by this point, you
>>>> aren't going to be able to obtain your OCN before June 30, much less
>>>> an actual SHAKEN cert.
>>>>
>>>> Once you finally have your OCN, you also need to make sure you have
>>>> a
>>>> documented robocall mitigation plan filed with the FCC at
>>>> https://fccprod.servicenowservices.com/rmd?id=rmd_welcome before
>>>> iconectiv will get you set up on the STI-PA side. Also, once you
>>>> finally have your SHAKEN cert and are actively signing calls, you
>>>> need
>>>> to go back to the FCC robocall mitigation database and update your
>>>> entry in the database to reflect the fact that you are now
>>>> STIR/SHAKEN
>>>> compliant.
>>>>
>>>> On the tech stack side, you need to host your SHAKEN cert on a
>>>> public
>>>> server so that other telecoms who receive calls from your users can
>>>> validate that the calls that you are signing are indeed authentic.
>>>> And your outgoing calls need to include a new field within the SIP
>>>> headers called "Identity", which is a Base64-encoded version of the
>>>> signature for that particular call (signed by your private key),
>>>> along
>>>> with the URL pointing at your public cert (which is also embedded
>>>> within the encrypted signature, so when it's decrypted and the two
>>>> match, that validates that the public cert located at that URL is
>>>> indeed yours). The payload of the "Identity" header is called a
>>>> PASSporT (yet another in a series of groan-worthy backronyms...)
>>>>
>>>> Virtually all of the SHAKEN cert providers also offer end-to-end
>>>> solutions for VoIP providers that take care of all of this for you:
>>>> they'll host your public cert for you on their servers, and many
>>>> even
>>>> offer a cloud API or SIP proxy service that will sign your calls for
>>>> you (by also storing your private key in a secure location on their
>>>> side & either generating the Identity header for your and sending it
>>>> back to you so that you can include it in the call, or by having you
>>>> send your SIP INVITEs to their proxy where they'll just add it to
>>>> the
>>>> SIP header for you before they pass the INVITE on to your
>>>> termination
>>>> provider). Of course, all these extra services often have
>>>> additional
>>>> costs associated with them. Once again, we elected to implement our
>>>> own solution, and I based it largely on Signalwire's open source
>>>> "libstirshaken" codebase:
>>>> https://github.com/signalwire/libstirshaken
>>>> -- this can integrate directly with FreeSwitch if that's what you
>>>> use,
>>>> but in our case I just built the included command-line "stirshaken"
>>>> demo utility, and shell out to that to generate the PASSporTs which
>>>> then get added to the SIP header for our outgoing INVITEs.
>>>>
>>>> Hope that at least some part of this proves helpful, and good luck,
>>>>
>>>> -- Nathan
>>>>
>>>> -----Original Message-----
>>>> From: Mary Lou Carey [mailto:marylou at backuptelecom.com]
>>>> Sent: Friday, June 2, 2023 1:16 PM
>>>> To: Peter Beckman
>>>> Cc: Nathan Anderson; 'Voice Ops'
>>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>>> certificate by June 30th!
>>>>
>>>> I can only give you a ballpark price because it depends on what you
>>>> need
>>>> to be done. You need to have an OCN, 499 filer ID, and Robocall
>>>> Mitigation plan in place before you can apply for the STI-PA. If
>>>> you
>>>> have those in place already the cost is obviously less.
>>>>
>>>> I have someone that does the filings for my clients. If a company
>>>> needs
>>>> everything she charges between $1200-$1500 range not including the
>>>> NECA
>>>> fee for the OCN. If the company already has everything except the
>>>> STI-PA
>>>> registration then you're looking in the $300 - $500 range. The
>>>> variance
>>>> in cost just depends on whether or not there are any issues with
>>>> your
>>>> 499 status.
>>>>
>>>> MARY LOU CAREY
>>>> BackUP Telecom Consulting
>>>> Office: 615-791-9969
>>>> Cell: 615-796-1111
>>>>
>>>> On 2023-06-02 02:48 PM, Peter Beckman wrote:
>>>>> What is the most affordable and fast way to get a cert? E.g. how
>>>>> much
>>>>> should one pay, and to whom?
>>>>>
>>>>> On Fri, 2 Jun 2023, Mary Lou Carey via VoiceOps wrote:
>>>>>
>>>>>> VOIP carriers were not typically considered facilities-based
>>>>>> because
>>>>>> they didn't have their own switch, circuits, or NXXs connected to
>>>>>> the
>>>>>> ILECs. Now they can get their own NXXs if they get numbering
>>>>>> authorization from the FCC, but their PSTN connections still have
>>>>>> to
>>>>>> ride another carrier's network to be connected to the ILEC so they
>>>>>> still fall under non-Facilities based like resellers do.
>>>>>>
>>>>>> The only companies that are still exempt are the ones whose entire
>>>>>> networks are completely operated via SS7 trunking. The only reason
>>>>>> they are allowed to be exempt is that STIR/SHAKEN doesn't work
>>>>>> well
>>>>>> on
>>>>>> an SS7 network. Since no one has been able to figure out a way to
>>>>>> solve that problem, they can't require them to be compliant. So if
>>>>>> any
>>>>>> portion of your network operates on VOIP, then you need to get a
>>>>>> STIR/SHAKEN certificate for that portion of your network.
>>>>>>
>>>>>> Sucks I know, but
>>>>>>
>>>>>>
>>>>>>
>>>>>> MARY LOU CAREY
>>>>>> BackUP Telecom Consulting
>>>>>> Office: 615-791-9969
>>>>>> Cell: 615-796-1111
>>>>>>
>>>>>> On 2023-06-01 09:23 PM, Nathan Anderson via VoiceOps wrote:
>>>>>>> Thanks both to you and Mary Lou for your thoughtful responses.
>>>>>>>
>>>>>>> Okay, so just to be clear, the remaining carriers for whom the
>>>>>>> June
>>>>>>> 2023 deadline applies to are providers who provide dialtone to
>>>>>>> end-users via POTS, but who originate at least some of the calls
>>>>>>> from
>>>>>>> those end-users to the PSTN via an IP peer/trunk, and it is
>>>>>>> specifically those calls that they now need to start signing but
>>>>>>> were
>>>>>>> exempt from doing so until a month from now? And the reason that
>>>>>>> they
>>>>>>> didn't have to implement a year ago (but pure IP-based
>>>>>>> interconnected
>>>>>>> VoIP providers with < 100K subs *did*) is because §
>>>>>>> 64.6304(a)(1)(i)
>>>>>>> only applies to "non-facilities-based" providers, and if a
>>>>>>> telecom
>>>>>>> is
>>>>>>> building and maintaining POTS circuits to end-users, they are
>>>>>>> facilities-based by definition?
>>>>>>>
>>>>>>> This gets us into the weeds on the definition of
>>>>>>> "facilities-based".
>>>>>>> I assume that the "facilities" in question must be facilities
>>>>>>> with
>>>>>>> traditional telecom switching equipment (either analog or TDM).
>>>>>>> So
>>>>>>> even if you run your own pure IP network end-to-end with no
>>>>>>> underlying
>>>>>>> leased circuits, and outright own your physical data centers
>>>>>>> where
>>>>>>> you
>>>>>>> house and run all of your own routers and SIP proxies, if 100% of
>>>>>>> your
>>>>>>> voice subscriber base is provisioned via VoIP, even if the
>>>>>>> end-user's
>>>>>>> VoIP equipment is talking to a server that you own, run, and
>>>>>>> maintain
>>>>>>> in your own data center "facilities", you still do not count as a
>>>>>>> "facilities-based" telecom, correct?
>>>>>>>
>>>>>>> Is there some "minimum" amount of actual TDM you can be running
>>>>>>> on
>>>>>>> your network in order for you to meet the definition of -- or
>>>>>>> claim
>>>>>>> for yourself the status of -- "facilities-based"? If someone had
>>>>>>> zero
>>>>>>> POTS circuits built to any of their end-users & all of their
>>>>>>> users
>>>>>>> are
>>>>>>> connected to their voice network via VoIP, but they have a single
>>>>>>> ICA
>>>>>>> with a single LEC, a TDM trunk between them and that LEC (where
>>>>>>> they
>>>>>>> immediately gateway the TDM traffic to/from IP as it ingresses or
>>>>>>> egresses their network), and a presence on the SS7 network...are
>>>>>>> they
>>>>>>> now considered to be "facilities-based"? And would they
>>>>>>> similarly
>>>>>>> have had all of their IP-trunked origination (calls that weren't
>>>>>>> going
>>>>>>> out via their TDM connection to the LEC) exempted until this
>>>>>>> year,
>>>>>>> if
>>>>>>> they had under 100K subs?
>>>>>>>
>>>>>>> As far as my question about white-labeling service goes, to be
>>>>>>> clear,
>>>>>>> we aren't in this category and have been signing our customers'
>>>>>>> calls
>>>>>>> with our own SHAKEN cert for the past year. But I know of plenty
>>>>>>> of
>>>>>>> other providers of similar size & scale (regional ISP whose bread
>>>>>>> and
>>>>>>> butter is internet connectivity, but with a small sprinkling of
>>>>>>> VoIP
>>>>>>> on top) who want to have a VoIP offering for various reasons, but
>>>>>>> simply outsource 100% of the VoIP component to a white-labeler.
>>>>>>> They
>>>>>>> bill the customer for the service, and presumably have a 499
>>>>>>> Filer-ID
>>>>>>> and file As and Qs with USAC, but they have nothing to do with
>>>>>>> the
>>>>>>> underlying voice service...ATAs get drop-shipped to customers
>>>>>>> from
>>>>>>> the
>>>>>>> white-labeler when service is ordered, the ISP doesn't have any
>>>>>>> hand
>>>>>>> in the provisioning, they don't operate a single SIP proxy or
>>>>>>> media
>>>>>>> gateway, they have zero numbering resources of their own and zero
>>>>>>> ICAs
>>>>>>> with other carriers, etc. It's like the interconnected VoIP
>>>>>>> equivalent to reselling an ILEC analog POTS line...they're just a
>>>>>>> middle-man when it comes to billing (and thus, as an indirect
>>>>>>> result,
>>>>>>> to collecting and remitting USF) and front-line support.
>>>>>>>
>>>>>>> Now of course, many wholesale origination providers these days
>>>>>>> support
>>>>>>> having you house your SHAKEN cert on their server & will sign
>>>>>>> your
>>>>>>> outgoing calls for you with your own cert, and even those that
>>>>>>> don't
>>>>>>> do this will still pass your own signature/Identity header in the
>>>>>>> SIP
>>>>>>> INVITEs you send to them unmolested. But to be able to do the
>>>>>>> latter,
>>>>>>> you need to be running a SIP proxy or B2BUA somewhere between the
>>>>>>> end-user and your wholesale provider, which these other providers
>>>>>>> I'm
>>>>>>> talking about aren't doing. And it's not at all clear to me that
>>>>>>> most?/many?/any? *white-label* interconnected VoIP providers are
>>>>>>> set
>>>>>>> up to do the former...they're all STIR/SHAKEN compliant of
>>>>>>> course,
>>>>>>> but
>>>>>>> I'd guess they are signing all of the calls they originate with
>>>>>>> their
>>>>>>> own cert.
>>>>>>>
>>>>>>> That's only an educated guess on my part, of course, since I've
>>>>>>> been
>>>>>>> looking around even after asking here, and have yet to find any
>>>>>>> first-
>>>>>>> or even second-hand accounts one way or the other.
>>>>>>>
>>>>>>> -- Nathan
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: David Frankel [mailto:dfrankel at zipdx.com]
>>>>>>> Sent: Thursday, June 1, 2023 1:45 PM
>>>>>>> To: 'Mary Lou Carey'; Nathan Anderson
>>>>>>> Cc: 'Voice Ops'
>>>>>>> Subject: RE: [VoiceOps] All carriers must get their STIR/SHAKEN
>>>>>>> certificate by June 30th!
>>>>>>>
>>>>>>> I am not an attorney; this is not legal advice.
>>>>>>>
>>>>>>> The (primary) purpose of STIR/SHAKEN was not to help the ITG. The
>>>>>>> purposes
>>>>>>> are to (at the terminating or called-party end of the call)
>>>>>>> identify
>>>>>>> the
>>>>>>> entity responsible for originating the call, and allow that
>>>>>>> entity
>>>>>>> to
>>>>>>> signal
>>>>>>> what they know about the association between the caller and the
>>>>>>> calling
>>>>>>> number.
>>>>>>>
>>>>>>> We are just about to the point (end of this month) where
>>>>>>> virtually
>>>>>>> all
>>>>>>> providers are required to sign the calls they originate and send
>>>>>>> onward via
>>>>>>> IP. That includes providers that serve so-called POTS customers
>>>>>>> (when
>>>>>>> those
>>>>>>> POTS customers place calls sent via other providers). See 47 CFR
>>>>>>> §
>>>>>>> 64.6301(a)(2)
>>>>>>>
>>>>>>> This applies to the ORIGINATING provider. The expectation, as
>>>>>>> made
>>>>>>> clear in
>>>>>>> the implementing specs and regulations, is that the originating
>>>>>>> provider
>>>>>>> KNOWS who the caller is. ATIS says (ATIS-1000088): "Has a direct
>>>>>>> authenticated relationship with the customer and can identify the
>>>>>>> customer."
>>>>>>>
>>>>>>> If you are a reseller and you are the one with the "direct
>>>>>>> authenticated
>>>>>>> relationship with the customer" then your (A- or B-) signature
>>>>>>> should
>>>>>>> be on
>>>>>>> the calls. As noted, you can get a SHAKEN token and delegate the
>>>>>>> signing to
>>>>>>> your underlying provider. But it will be your name, and your
>>>>>>> reputation, on
>>>>>>> the calls.
>>>>>>>
>>>>>>> If you are an underlying provider and you do NOT know who the
>>>>>>> customer is,
>>>>>>> then insist that your reseller get a token and either sign the
>>>>>>> calls
>>>>>>> or
>>>>>>> delegate that to you (with their token). If you do not know
>>>>>>> anything
>>>>>>> about
>>>>>>> the caller, then you are risking your reputation (and perhaps
>>>>>>> more)
>>>>>>> by
>>>>>>> signing those calls.
>>>>>>>
>>>>>>> More of my thoughts on this topic are here:
>>>>>>> https://legalcallsonly.org/attestation-inflation-the-abcs-of-signing-calls/
>>>>>>>
>>>>>>> If you find the regulations confusing, your best bet is to play
>>>>>>> it
>>>>>>> safe.
>>>>>>> That would mean signing calls with your OWN token when your
>>>>>>> direct
>>>>>>> customer
>>>>>>> is the one initiating the calls (that is, they are the "caller"
>>>>>>> for
>>>>>>> legal
>>>>>>> purposes and they are going to take responsibility for
>>>>>>> conformance
>>>>>>> of
>>>>>>> the
>>>>>>> calls to ALL the applicable regulations -- and there are many,
>>>>>>> including
>>>>>>> TCPA, TSR, fraud, and state statutes). You, as the originating
>>>>>>> provider,
>>>>>>> still have a set of responsibilities here -- see 47 CFR §
>>>>>>> 64.1200(n)(3) as
>>>>>>> ONE EXAMPLE. If the calls come to you from an entity that is not
>>>>>>> the
>>>>>>> one
>>>>>>> initiating the calls, then insist that the calls are signed when
>>>>>>> you
>>>>>>> get
>>>>>>> them (or that your customer provides you with their token so you
>>>>>>> can
>>>>>>> affix
>>>>>>> their signature).
>>>>>>>
>>>>>>> As Mary Lou indicates, you are playing Russian roulette if you
>>>>>>> are
>>>>>>> originating calls and they do not bear your signature. And your
>>>>>>> underlying
>>>>>>> provider is doing the same if they are accepting those calls
>>>>>>> unsigned
>>>>>>> and
>>>>>>> sending them onward.
>>>>>>>
>>>>>>> The FCC has a Further Notice of Proposed Rulemaking that is open
>>>>>>> for
>>>>>>> comment
>>>>>>> RIGHT NOW on the topic of "Third-Party Caller ID Authentication."
>>>>>>> The
>>>>>>> FNPRM
>>>>>>> is available here:
>>>>>>> https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf.
>>>>>>> See starting at paragraph 97. Initial public comments on this
>>>>>>> FNPRM
>>>>>>> are due
>>>>>>> June 5 (Monday) and Reply Comments are due a month later. You'll
>>>>>>> be
>>>>>>> able to
>>>>>>> read (and file) comments here:
>>>>>>>
>>>>>> https://www.fcc.gov/ecfs/search/search-filings/results?q=(proceedings.name:(
>>>>>>> %2217-97%22)). Once comments are filed the FCC will likely issue
>>>>>>> an
>>>>>>> Order in
>>>>>>> due course, which may be clarifying or confusing or both or
>>>>>>> neither.
>>>>>>>
>>>>>>> David Frankel
>>>>>>> ZipDX® LLC
>>>>>>> St. George, UT USA
>>>>>>> Tel: 1-800-FRANKEL (1-800-372-6535)
>>>>>>> Visit My Robocall Blog
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Mary
>>>>>>> Lou
>>>>>>> Carey
>>>>>>> via VoiceOps
>>>>>>> Sent: Thursday, June 1, 2023 2:01 PM
>>>>>>> To: Nathan Anderson <nathana at fsr.com>
>>>>>>> Cc: Voice Ops <voiceops at voiceops.org>
>>>>>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>>>>>> certificate
>>>>>>> by June 30th!
>>>>>>>
>>>>>>> US telecom brain trust? Wow......I don't even know what to say,
>>>>>>> but
>>>>>>> I'm
>>>>>>> thinking I should send my 21-year-old your way because he thinks
>>>>>>> he's
>>>>>>> a lot
>>>>>>> smarter than I am. LOL!
>>>>>>>
>>>>>>> Im going to preface my response by saying I'm not sure anyone
>>>>>>> knows
>>>>>>> exactly
>>>>>>> what the ruling means because I've called the FCC and STI-GA
>>>>>>> multiple
>>>>>>> times
>>>>>>> to ask specific questions like yours. Any time my question gets
>>>>>>> too
>>>>>>> detailed, I've been told to go read the ruling myself because
>>>>>>> they
>>>>>>> aren't
>>>>>>> attorneys and don't want to give legal advice that would steer me
>>>>>>> in
>>>>>>> the
>>>>>>> wrong direction. I don't know of any attorneys that have felt so
>>>>>>> comfortable
>>>>>>> discussing the details of the network that they have gone out on
>>>>>>> a
>>>>>>> limb to
>>>>>>> explain it to everyone either, so I can only tell you what I
>>>>>>> think
>>>>>>> based on
>>>>>>> what I've been told to date.
>>>>>>>
>>>>>>> My understanding from talking to the FCC and STI-GA is that the
>>>>>>> purpose of
>>>>>>> STIR/SHAKEN was to help the ITG identify all the players in the
>>>>>>> industry so
>>>>>>> the ITG can more easily shut down the bad players and if
>>>>>>> necessary
>>>>>>> the
>>>>>>> providers that enable those bad players. To me, that means
>>>>>>> regardless
>>>>>>> of
>>>>>>> whether a company has its own network, leases another carrier's
>>>>>>> network, or
>>>>>>> resells services, the FCC wants to identify every player in the
>>>>>>> network. We
>>>>>>> can debate which networks are exempt and which networks aren't,
>>>>>>> but
>>>>>>> ultimately there's not a lot you can do if the powers that be
>>>>>>> decide
>>>>>>> your
>>>>>>> network should be compliant and it's not.
>>>>>>>
>>>>>>> The choice to get a STIR/SHAKEN certificate is ultimately up to
>>>>>>> each
>>>>>>> company. They can either play it safe and get a token or they can
>>>>>>> play
>>>>>>> Russian Roulette with their business and not get a token. To
>>>>>>> date,
>>>>>>> I've seen
>>>>>>> the FCC/ITG give non-compliant carriers 30 days to become
>>>>>>> compliant,
>>>>>>> but
>>>>>>> that's not always enough time. I don't know if that is going to
>>>>>>> change after
>>>>>>> the deadline, but it could. It's not that difficult to get your
>>>>>>> own
>>>>>>> certificate and if another carrier is already signing your calls
>>>>>>> it's
>>>>>>> not
>>>>>>> that much more cost-wise to have your own certificate. So to me
>>>>>>> it's
>>>>>>> better
>>>>>>> to be safe than sorry.
>>>>>>>
>>>>>>> I hope that helps,
>>>>>>>
>>>>>>> MARY LOU CAREY
>>>>>>> BackUP Telecom Consulting
>>>>>>> Office: 615-791-9969
>>>>>>> Cell: 615-796-1111
>>>>>>>
>>>>>>> On 2023-05-31 09:33 PM, Nathan Anderson via VoiceOps wrote:
>>>>>>>> I do find this a little confusing.
>>>>>>>>
>>>>>>>> It's already clear that POTS service has been made exempt "until
>>>>>>>> further notice". So when the small operators exemption deadline
>>>>>>>> was
>>>>>>>> pushed up from end of June 2023 to end of June 2022, that -- by
>>>>>>>> logical deduction -- could only have included small
>>>>>>>> interconnected
>>>>>>>> VoIP operators (which I believe was made explicitly clear
>>>>>>>> anyway,
>>>>>>>> but
>>>>>>>> even if it had been ambiguous in the language, ...).
>>>>>>>>
>>>>>>>> So, out of all the interconnected VoIP operators in the States
>>>>>>>> large
>>>>>>>> OR small...who the heck is left who HASN'T already been required
>>>>>>>> to
>>>>>>>> have it implemented on their network by this point?? I don't
>>>>>>>> understand who this June 2023 deadline applies to: the POTS
>>>>>>>> circuit
>>>>>>>> providers aren't covered by it, and all sizes of interconnected
>>>>>>>> VoIP
>>>>>>>> providers should have already implemented it a year ago at the
>>>>>>>> latest.
>>>>>>>>
>>>>>>>> Another question that occurs to me (I could probably find the
>>>>>>>> answer
>>>>>>>> to this question with a little searching, but since I'm already
>>>>>>>> here
>>>>>>>> talking to the U.S. telecom brain-trust): would a provider who
>>>>>>>> merely
>>>>>>>> supplies white-labeled service from another interconnected VoIP
>>>>>>>> provider and slaps their own name on it be required to obtain
>>>>>>>> their
>>>>>>>> own SHAKEN cert, and have the underlying VoIP provider sign any
>>>>>>>> of
>>>>>>>> their customers' calls with that cert instead of a cert
>>>>>>>> belonging
>>>>>>>> to
>>>>>>>> the actual VoIP provider, even if the white-labeler/reseller has
>>>>>>>> literally nothing to do with the network at all that services
>>>>>>>> the
>>>>>>>> calls?
>>>>>>>>
>>>>>>>> -- Nathan
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf
>>>>>>>> Of
>>>>>>>> Michael Graves via VoiceOps
>>>>>>>> Sent: Wednesday, May 31, 2023 1:12 PM
>>>>>>>> To: Mary Lou Carey; Alex Balashov
>>>>>>>> Cc: voiceops at voiceops.org
>>>>>>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>>>>>>> certificate by June 30th!
>>>>>>>>
>>>>>>>> There was an extension for "small" providers (under 100k lines)
>>>>>>>> ends
>>>>>>>> on June 30, 2023.
>>>>>>>>
>>>>>>>> That extension was basically was targeting rural LECs. It was
>>>>>>>> amended
>>>>>>>> so it only included those who have physical infrastructure to
>>>>>>>> their
>>>>>>>> clients.
>>>>>>>>
>>>>>>>> Those who do not operate such legacy infrastructure are supposed
>>>>>>>> to
>>>>>>>> be
>>>>>>>> signing their calls as of June 30, 2022.
>>>>>>>>
>>>>>>>> There are further "gateway" orders about how any operator is
>>>>>>>> supposed
>>>>>>>> to handle calls arriving on their network that are not signed.
>>>>>>>>
>>>>>>>> Michael Graves
>>>>>>>> mgraves at mstvp.com
>>>>>>>> o: (713) 861-4005
>>>>>>>> c: (713) 201-1262
>>>>>>>> sip:mgraves at mjg.onsip.com
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Mary
>>>>>>>> Lou
>>>>>>>> Carey via VoiceOps
>>>>>>>> Sent: Wednesday, May 31, 2023 2:46 PM
>>>>>>>> To: Alex Balashov <abalashov at evaristesys.com>
>>>>>>>> Cc: voiceops at voiceops.org
>>>>>>>> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN
>>>>>>>> certificate by June 30th!
>>>>>>>> Importance: High
>>>>>>>>
>>>>>>>> Any carrier that provides originating VOIP or a combination of
>>>>>>>> originating VOIP / PSTN / Wireless VOICE services needs to get
>>>>>>>> its
>>>>>>>> own certificate. My understanding is that only those who provide
>>>>>>>> PSTN-only voice services do not need to have their own
>>>>>>>> STIR/SHAKEN
>>>>>>>> token because the technology still does not support it.
>>>>>>>>
>>>>>>>> Mary Lou Carey
>>>>>>>> (615) 796-1111
>>>>>>>>
>>>>>>>> MARY LOU CAREY
>>>>>>>> BackUP Telecom Consulting
>>>>>>>> Office: 615-791-9969
>>>>>>>> Cell: 615-796-1111
>>>>>>>>
>>>>>>>> On 2023-05-31 02:11 PM, Alex Balashov wrote:
>>>>>>>>> Hi Mary Lou,
>>>>>>>>>
>>>>>>>>> Thank you for this.
>>>>>>>>>
>>>>>>>>> A stupid - and certainly belated - question: how exactly is a
>>>>>>>>> carrier
>>>>>>>>> defined, in the letter of the regulations underlying this
>>>>>>>>> deadline?
>>>>>>>>> Or to put it another way: who, as a VoIP service provider of
>>>>>>>>> one
>>>>>>>>> sort
>>>>>>>>> or another, _doesn't_ have to get their own token?
>>>>>>>>>
>>>>>>>>> -- Alex
>>>>>>>>>
>>>>>>>>>> On May 31, 2023, at 1:46 PM, Mary Lou Carey via VoiceOps
>>>>>>>>>> <voiceops at voiceops.org> wrote:
>>>>>>>>>>
>>>>>>>>>> Hey all,
>>>>>>>>>>
>>>>>>>>>> I just wanted to send out a reminder that the drop dead date
>>>>>>>>>> for
>>>>>>>>>> all
>>>>>>>>>> carriers to get THEIR OWN STIR/SHAKEN certificate is coming up
>>>>>>>>>> on
>>>>>>>>>> June 30th. You can still have an underlying carrier sign your
>>>>>>>>>> calls
>>>>>>>>>> for you, but they must sign with YOUR token......not their
>>>>>>>>>> own!
>>>>>>>>>> You
>>>>>>>>>> have to register with the STI-PA to start the process at this
>>>>>>>>>> link:
>>>>>>>>>>
>>>>>>>>>> https://authenticatereg.iconectiv.com/register
>>>>>>>>>>
>>>>>>>>>> You must have your own IPES Company Code (aka OCN) and 499
>>>>>>>>>> filer
>>>>>>>>>> ID
>>>>>>>>>> to get a STIR/SHAKEN certificate. Just getting the certificate
>>>>>>>>>> can
>>>>>>>>>> take up to several weeks so please don't wait until the last
>>>>>>>>>> minute
>>>>>>>>>> to get one. I would hate to see anyone's network get shut down
>>>>>>>>>> because they aren't signing their calls as per the FCC
>>>>>>>>>> guidelines.
>>>>>>>>>>
>>>>>>>>>> MARY LOU CAREY
>>>>>>>>>> BackUP Telecom Consulting
>>>>>>>>>> Office: 615-791-9969
>>>>>>>>>> Cell: 615-796-1111
>>>>>>>>>> _______________________________________________
>>>>>>>>>> VoiceOps mailing list
>>>>>>>>>> VoiceOps at voiceops.org
>>>>>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>>>> _______________________________________________
>>>>>>>> VoiceOps mailing list
>>>>>>>> VoiceOps at voiceops.org
>>>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>>>> _______________________________________________
>>>>>>>> VoiceOps mailing list
>>>>>>>> VoiceOps at voiceops.org
>>>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>>>> _______________________________________________
>>>>>>>> VoiceOps mailing list
>>>>>>>> VoiceOps at voiceops.org
>>>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>>> _______________________________________________
>>>>>>> VoiceOps mailing list
>>>>>>> VoiceOps at voiceops.org
>>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>>> _______________________________________________
>>>>>>> VoiceOps mailing list
>>>>>>> VoiceOps at voiceops.org
>>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>> _______________________________________________
>>>>>> VoiceOps mailing list
>>>>>> VoiceOps at voiceops.org
>>>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>>>>
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------------
>>>>> Peter Beckman
>>>>> Internet
>>>>> Guy
>>>>> beckman at angryox.com
>>>>> https://www.angryox.com/
>>>>>
>>>>> ---------------------------------------------------------------------------
>>> _______________________________________________
>>> VoiceOps mailing list
>>> VoiceOps at voiceops.org
>>> https://puck.nether.net/mailman/listinfo/voiceops
>>
>
> ---------------------------------------------------------------------------
> Peter Beckman Internet
> Guy
> beckman at angryox.com
> https://www.angryox.com/
> ---------------------------------------------------------------------------
More information about the VoiceOps
mailing list