STIR/SHAKEN 101: Do You Need to Sign Your Own Calls?
One of the most common questions we hear about STIR/SHAKEN concerns whether service providers need to sign their own calls. The perceived desire by providers to sign calls directly is usually fueled by concerns that legitimate but partially attested calls will be blocked by a downstream provider. Because Bandwidth has implemented STIR/SHAKEN in our network, we’re able to support most of our customers’ requirements for call signing, but we understand the question and the concern.
In a STIR/SHAKEN world, certain traffic may be partially attested either because the provider relies on least cost routing (LCR) or has enterprise customers who legitimately spoof or mask the calling party phone number. An example would be a 3rd-party contact center or a physician calling a patient using her cell phone while the caller ID displays the number of the medical practice. Because of this, many service providers are thinking they may want to have their own control over how their calls are signed.
STIR/SHAKEN Requirements Revisited
Before we talk about the need to sign your own calls, let’s review the FCC’s current mandates. On March 31, 2020, the FCC issued a Report and Order requiring that “voice service providers implement the STIR/SHAKEN caller ID authentication framework in the Internet Protocol (IP) portions of their networks by June 30, 2021.”
More recently, the FCC issued a 2nd Report and Order regarding the implementation of STIR/SHAKEN. While reaffirming its original order establishing a June 30, 2021 deadline and strongly encouraging adoption of Internet Protocol networks, the FCC also acknowledged a number of open issues and gave special consideration to certain types of providers and call scenarios.
Among its limited exceptions to the standard implementation deadline, in paragraph 38 of the Order the Commission granted the following extensions:
“(1) a two-year extension to small, including small rural, voice service providers;
(2) an extension to voice service providers that cannot obtain a certificate due to the Governance Authority’s token access policy until such provider is able to obtain a certificate;
(3) a one-year extension to services scheduled for section 214 discontinuance; and
(4) as required by the TRACED Act, an extension for the parts of a voice service provider’s network that rely on technology that cannot initiate, maintain, and terminate SIP calls until a solution for such calls is reasonably available.”
What’s Involved in Signing Your Own Calls
Getting approved to sign your own calls is a considerable undertaking. To start, you will need to be an Interconnected VoIP Provider (IVoIP) that:
- Has a 499A on file with the FCC;
- Has an Operating Company Number (OCN);
- Has Interconnected VoIP Numbering Authority approval from the FCC;
- Has completed a STI-PA Test Plan with the Policy Administrator (iconectiv);
- Has obtained valid certificates from an approved Certificate Authority (e.g., Neustar, TransNexus, NetNumber); and
- Finally, has implemented a STIR/SHAKEN solution in its network.
Some providers and consulting firms in the marketplace now appear to be offering services to assist IVoIP providers with filing the necessary paperwork outlined here for fees that can range from $5K to $10K and take anywhere from 7 to 9 months to finalize.
Realize, too, that even if you are able to obtain IVoIP numbering authority, you will ultimately need to deploy a STIR/SHAKEN solution in your network, which obviously represents additional costs and associated allocation of resources. Most importantly, this includes the ongoing responsibility for management and compliance in the evolving STIR/SHAKEN ecosystem.
Finally, it’s important to understand that a STIR/SHAKEN implementation is not a guarantee that calls won’t be blocked by a terminating provider. While the FCC has required that STIR/SHAKEN be at least taken into account, analytics engines don’t rely on STIR/SHAKEN attestation alone for call treatment decisions. In fact, in addition to STIR/SHAKEN information, analytics tools often take other indicators into account, such as whether the calling number has aged, is experiencing low answer seizure ratio (ASR), or has initiated a high number of short duration calls.
The Evolving Industry Features
Work within the standards bodies such as the Alliance for Telecommunications Industry Solutions (ATIS) has resulted in several proposals for additional improvements in the STIR/SHAKEN framework that should help elevate trust in the attestation of calls. We expect that two such improvements—certificate delegation and a centralized telephone number database—are poised to become established industry standards soon.
Bandwidth continues to closely monitor and advocate for these solutions within ATIS, the NANC and other relevant industry forums.
Certificate delegation is intended to allow a telephone service provider (delegating from) to create a digital certificate for its approved customers (delegating to) to use only with authorized telephone numbers. For example, if you’re a Bandwidth customer for outbound voice calling, with proper authorization you will be able to direct us to use a valid delegated certificate from your alternate numbering provider and we would then invoke our local policy to sign such calls with an “A” attestation.
Central TN Database (CTND)
This solution is envisioned to be an industry-authorized repository of TNs mapped to participating enterprises, with each enterprise assigned a unique identifier. The idea is that the carrier or IVoIP provider supplying phone number resources would update the database when an enterprise requests a new number, and the originating service provider would access the database to confirm the enterprise’s right to use that TN. It would include any delegated authorities for the enterprise as well, such as a 3rd-party contact center.
If You Choose to Sign Your Own Calls…
While most of our customers work with Bandwidth for their joint STIR/SHAKEN treatments, a few of our customers have begun the process of call signing or are beginning the efforts to obtain their own certificates. To support those customers that want to go in this direction, and in keeping with additional FCC mandates, Bandwidth is developing a solution that will transit the SIP identity headers to the terminating service provider so that the certificate information remains intact. We expect this transit identity solution to be generally available in Q1 of 2021. It is worth noting that as of this writing, we are not aware of any provider that is successfully transiting identity header information between an originating service provider and a terminating service provider.
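To make concrete what a transited SIP Identity header carries, and how the telephone-number scope of a delegated certificate (described under certificate delegation above) bears on it, here is an added example that is not Bandwidth's code: it decodes a SHAKEN PASSporT laid out per RFC 8225 and RFC 8588 and checks its structure. The sample header, numbers, URL and the list model of the delegated number scope are constructed assumptions, and the code does not verify the ES256 signature or the certificate chain.

```python
import base64
import json

def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _dec(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def parse_identity(value):
    """Split an Identity header value into PASSporT header, claims and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    hdr_b64, claims_b64, _sig = token.split(".")
    return _dec(hdr_b64), _dec(claims_b64), dict(p.split("=", 1) for p in params)

def tn_in_scope(tn, authorized):
    """authorized holds single TNs (str) or (start, count) ranges (assumed model)."""
    for entry in authorized:
        if isinstance(entry, tuple):
            start, count = entry
            if len(tn) == len(start) and int(start) <= int(tn) < int(start) + count:
                return True
        elif tn == entry:
            return True
    return False

def review(value, authorized):
    """Return (attest, problems). Structure only: no signature or chain validation."""
    hdr, claims, params = parse_identity(value)
    problems = []
    if hdr.get("ppt") != "shaken" or hdr.get("alg") != "ES256":
        problems.append("not a SHAKEN ES256 PASSporT")
    if params.get("info", "").strip("<>") != hdr.get("x5u"):
        problems.append("info parameter differs from x5u")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("invalid attest value")
    if not tn_in_scope(claims.get("orig", {}).get("tn", ""), authorized):
        problems.append("orig tn outside delegated scope")
    return claims.get("attest"), problems

# Constructed sample: numbers, URL, origid and signature are placeholders.
X5U = "https://cert.example.org/delegate.pem"
SAMPLE = ".".join([
    _enc({"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": X5U}),
    _enc({"attest": "A", "dest": {"tn": ["12025550123"]}, "iat": 1609459200,
          "orig": {"tn": "12025550142"}, "origid": "00000000-0000-4000-8000-000000000000"}),
    "c2lnbmF0dXJl",
]) + f";info=<{X5U}>;alg=ES256;ppt=shaken"
DELEGATED = [("12025550140", 10), "12025550199"]
```

Because the signature covers the encoded header and claims, a transit hop that rewrites any of these fields invalidates the token, which is why the header has to be passed through unmodified.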
As a service provider, you may have concerns that you’re lagging behind your peers when it comes to meeting upcoming compliance deadlines, but I hope this blog gives you some reassurance that most likely you’re not. The working groups within the standards bodies and the FCC are very much engaged in an ongoing process of further developing and deploying the standards to address legitimate and valid use cases that aren’t particularly well covered by the current standards. As improvements and developments occur, we’ll continue to work to keep you informed.