STIR/SHAKEN implementation in effect today (June 30 2021)

Paul Timmins paul at telcodata.us
Wed Jun 30 19:17:44 UTC 2021


On 6/30/21 2:56 PM, Michael Thomas wrote:
> Just because you can know (fsvo "know") that a call is allowed to 
> assert a number doesn't change anything unless other actions are 
> taken. With DKIM which is far simpler than STIR it would require 
> reputation systems that don't seem to have been deployed, submission 
> auth which thankfully was deployed, policy enforcement (ie ADSP) which 
> is not deployed, and user indicators which are sporadically deployed.

In any indication, the carrier closest to the originator is signing the 
call metadata with their digital certificate. While this won't mean much 
to the active user, for those tracking down robocalls, this is the holy 
grail - finding the carrier who is letting the calls into the network 
and being able to reach out to them to stop the abusive/illegal traffic.

That it might say we've taken the time to verify the end user is who 
they say they are is just icing on the cake. The goal is to make the 
calls accountable to someone, which despite the patchwork of systems in 
the US that might prevent the signature from coming through, can help a 
lot since the biggest wholesalers have implemented it (Inteliquent and 
Lumen among many others).

The other big deal is that now all carriers are actually expected to 
police their network for spoofed callers who are exhibiting robocalling 
behavior. This is a big deal! For the first time, carriers are going to 
be held responsible for proactively finding the abuse, and showing what 
their plans are to do such a thing, and sharing information with each 
other (via the FCC) who can be contacted to chase down robocall traffic 
if another carrier sees it.

> Given the giant security holes caused by solving the wrong problem (ie 
> trying to authenticate the e.164 address rather than the originating 
> domain) it's just going to push spammers to exploit those holes. It's 
> very much to be seen whether victory can be declared, IMO.

Fortunately, positive identification of the caller isn't the intent. 
Preventing people from pretending to be the IRS is the intent.

-Paul
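
The signed call metadata discussed in this message travels as a PASSporT token in the SIP Identity header. The following Python code is an added example, not part of the original message: it decodes such a header into the fields a traceback needs (who signed, at what attestation level, with which origination ID). It assumes the RFC 8224 / RFC 8588 header layout; the sample header, certificate URL, phone numbers, function names and the 60-second freshness window are constructed for illustration, and the ES256 signature is not verified here.

```python
import base64, json
from urllib.parse import urlparse

MAX_AGE = 60  # assumed local policy: seconds an "iat" may differ from now

def _dec(part):
    pad = "=" * (-len(part) % 4)          # base64url in JWTs is unpadded
    return json.loads(base64.urlsafe_b64decode(part + pad))

def _enc(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample Identity header value (placeholder signature, not a real call).
SAMPLE_X5U = "https://certs.example.net/sp1234.pem"
SAMPLE = ".".join([
    _enc({"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": SAMPLE_X5U}),
    _enc({"attest": "C", "dest": {"tn": ["12025550123"]}, "iat": 1625080664,
          "orig": {"tn": "12025550100"},
          "origid": "123e4567-e89b-12d3-a456-426614174000"}),
    "c2lnLXBsYWNlaG9sZGVy",
]) + ";info=<" + SAMPLE_X5U + ">;alg=ES256;ppt=shaken"

def traceback_record(identity_header, now):
    """Decode only. Signature verification needs the certificate at x5u."""
    token, *params = [p.strip() for p in identity_header.split(";")]
    params = dict(p.split("=", 1) for p in params if "=" in p)
    parts = token.split(".")
    if len(parts) != 3 or not all(parts[:2]):
        raise ValueError("expected full-form header.payload.signature")
    hdr, claims = _dec(parts[0]), _dec(parts[1])
    problems = []
    if hdr.get("alg") != "ES256" or hdr.get("ppt") != "shaken":
        problems.append("unexpected alg/ppt")
    if params.get("info", "").strip("<>") != hdr.get("x5u"):
        problems.append("info parameter does not match x5u")
    if abs(now - claims.get("iat", 0)) > MAX_AGE:
        problems.append("stale iat")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("bad attest")
    return {
        "signer_cert_host": urlparse(hdr.get("x5u", "")).hostname,
        "attest": claims.get("attest"),
        "origid": claims.get("origid"),
        "orig_tn": claims.get("orig", {}).get("tn"),
        "dest_tn": claims.get("dest", {}).get("tn"),
        "problems": problems,
    }
```

Even at attestation "C", where the signer makes no claim about the caller's right to the number, the record still names the certificate host and origid of the carrier that let the call into the network.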


