SHAKEN/STIR Robocall Summit - July 11 2019 at FCC

Peter Beckman beckman at angryox.com
Thu Jul 11 18:57:28 UTC 2019


On Thu, 11 Jul 2019, Ross Tajvar wrote:

> What if you use different carriers for termination and origination? How
> does your termination carrier validate that your origination carrier has
> allocated certain numbers to you and that you're therefore allowed to make
> outbound calls with a caller ID set to those numbers? That doesn't sound to
> me like something that can be solved as quickly and easily as you imply.

  I attended the first panel at the FCC and Scott Mullen, CTO at Bandwidth,
  was the only one that brought up issues that are not addressed by
  implementing STIR/SHAKEN.

     1. There's no delegation -- there is no standardized means of telling
        anyone who is the End User of a specific TN.

     2. Self-signed certs are being used so far, which means that you need
        to establish trust in a full mesh in order for STIR/SHAKEN to be of any
        value. Not feasible, definitely fragile. This could be addressed
        using a Public Cert Authority.

     3. Relies 100% on your trust of the initial carrier to properly set the
        Attestation level on the call.

     4. Does not cover if the call is received with a STIR/SHAKEN header to
        a termination provider with Full Attestation that turns out to be a
        lie.

     5. Does not actually verify that the CallerID is really the EU
        generating the call. For Wireless Carriers it can, since calls are
        both received and placed by the same carrier in most cases, but what
        about roaming? Is Three UK going to implement STIR/SHAKEN or will it
        occur at Verizon's edge? How do any of us know that the Identity:
        header was added at the first point of origin?

  All STIR/SHAKEN is doing is adding an Identity: header to the SIP payload
  that one can use to verify that a carrier signed the call at some point.
  Some carriers may be trustworthy, some may blindly add Full Attestation
  for a termination customer that has a nice mix of legit and spoofed calls.

  There is still no connection between the End User of a phone number and
  the call itself. And there's no way for me as a carrier to check to see if
  a phone number should only originate from specific networks or not. Even
  if it is signed, I know nothing more than I do now about the legitimacy of
  the call.

  Argh.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
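As an added illustration of the point made above about what the Identity: header actually proves (example code written for this page; it is not from the original post, from Bandwidth, or from any carrier's implementation): a Go sketch of the header STIR/SHAKEN adds, a PASSporT per RFC 8225 signed with ES256 and carrying the RFC 8588 "shaken" extension (attest and origid), together with the verification a terminating carrier can actually perform. The certificate URL, phone numbers and origid are constructed, and the TrustStore map stands in for fetching the STI certificate at x5u and validating its chain. What Verify hands back, the signer's certificate URL and the claims that signer chose to put in, is all the header proves; nothing in it ties the orig TN to the party who placed the call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims is the SHAKEN PASSporT payload (RFC 8225 base claims plus RFC 8588 attest/origid).
// Field order is the lexicographic claim order RFC 8225 requires, which encoding/json preserves.
type Claims struct {
	Attest string                          `json:"attest"` // "A" full, "B" partial, "C" gateway: the signer's own claim
	Dest   struct{ TN []string `json:"tn"` } `json:"dest"`   // called TN(s)
	IAT    int64                           `json:"iat"`    // issued-at, Unix seconds
	Orig   struct{ TN string `json:"tn"` }   `json:"orig"`   // calling TN exactly as the signer presents it
	OrigID string                          `json:"origid"` // opaque origination id (a UUID in practice)
}

// TrustStore maps x5u URLs to trusted public keys; it stands in for fetching and chain-validating the STI certificate.
type TrustStore map[string]*ecdsa.PublicKey

func NewCarrierKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256, as ES256 requires
	if err != nil {
		panic(err) // no entropy available: unrecoverable
	}
	return k
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign builds the Identity header value an originating carrier inserts (RFC 8224 section 4.1):
// the compact PASSporT followed by the info, alg and ppt parameters.
func Sign(c Claims, x5u string, key *ecdsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	pl, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(pl)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: fixed-width R || S, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return fmt.Sprintf("%s.%s;info=<%s>;alg=ES256;ppt=shaken", signingInput, b64(sig), x5u), nil
}

// Verify is the terminating side. The signer's x5u plus the signed claims is the whole of what
// the header proves; whether the attest level or orig TN is true cannot be checked from the token.
func Verify(identity string, trust TrustStore) (signer string, c Claims, err error) {
	token, _, _ := strings.Cut(identity, ";")
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", c, errors.New("malformed PASSporT")
	}
	var raw [3][]byte
	for i, p := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return "", c, err
		}
	}
	var hdr struct{ Alg, Ppt, X5u string }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "ES256" || hdr.Ppt != "shaken" {
		return "", c, errors.New("unsupported header")
	}
	pub, ok := trust[hdr.X5u]
	if !ok {
		return "", c, errors.New("signer not in trust store: " + hdr.X5u)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if len(raw[2]) != 64 || !ecdsa.Verify(pub, digest[:],
		new(big.Int).SetBytes(raw[2][:32]), new(big.Int).SetBytes(raw[2][32:])) {
		return "", c, errors.New("signature invalid")
	}
	if err = json.Unmarshal(raw[1], &c); err != nil {
		return "", Claims{}, err
	}
	return hdr.X5u, c, nil
}

func main() {
	// Constructed scenario: carrier A fully attests a call whose orig TN it never checked belongs to its customer.
	keyA, x5u := NewCarrierKey(), "https://sti.carrier-a.example/cert.pem"
	c := Claims{Attest: "A", IAT: 1562871448, OrigID: "8c1f7f1a-2d0e-4b5a-9d9b-3a6e0c1d2f10"}
	c.Orig.TN, c.Dest.TN = "12025550123", []string{"12125550199"}
	id, _ := Sign(c, x5u, keyA)
	signer, got, err := Verify(id, TrustStore{x5u: &keyA.PublicKey})
	fmt.Printf("signer=%s attest=%s orig=%s err=%v\n", signer, got.Attest, got.Orig.TN, err)
}
```

Run it and the "A" attestation on a number carrier A never checked verifies cleanly; splice in a different payload, or sign with a key whose certificate is not in the trust store, and Verify rejects it. That is the full extent of the check: it answers who signed and what they asserted, not whether the assertion was honest.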


