SHAKEN/STIR does nothing but sign a call by a carrier that can be verified
by another carrier that they signed it. It does nothing to stem Robocalls.
All SHAKEN/STIR does is have the originating carrier of a call to
cryptographically attest, to some degree, that the call originated from
One example given was that SHAKEN/STIR can verify that it is really the IRS
But that would require knowledge of which carrier currently serves the IRS,
and that the IRS use that same carrier for both inbound AND outbound
calling, and that the carrier publishes some record that it is the carrier
of record for the given phone number. THIS DOES NOT EXIST in SHAKEN/STIR.
If Carrier A is taking calls from a spammer and implements SHAKEN/STIR, and
their termination Carrier B have also implemented SHAKEN/STIR verification
and trusted Carrier A's certificate, all that occurs is that Carrier A says
"this call is trustworthy" and Carrier B verifies that Carrier A said so
and completes the call.
Carrier A can lie all they want, as they do now, providing a false "Full
Attestation" that the "service provider has authenticated the calling party
and they are authorized to use the calling number." But there's no proof
that they are telling the truth, and no way for any other intermediate
carrier to verify anything other than the originating carrier.
Now if Carrier B decides not to trust Carrier A anymore, they can stop
trusting their cert and drop calls. Which Carrier B can do today by
terminating the relationship with Carrier A.
I still don't see how this will stop CallerID spoofing or Robocalls.
Carrier B can block Carrier A at anytime. Carrier A can attest that any
call originating from it is authorized to use that number. Plus then
there's a ton of intermediates that aren't even addressed here. Do all the
Intermediates also need to implement SHAKEN/STIR such that the SIP Identity
header is passed onto the next leg? If the intermediate drops the header,
does the call fail?
And spammers already use real, leased phone numbers for Robocalls. We
had a client come to us who wanted 5,000 new/different and not recycled
phone numbers across the US each month. When prompted about how they'd be
used, they just needed inbound calls and SMS messages routed to their
switch hosted at a cloud provider, outbound calls would be made through
With SHAKEN/STIR, these calls would show up as "Authenticated" as the
client could tell their Carrier C that these 5,000 phone numbers were
theirs, and Carrier C could do a "Full Attestation" SIP Identity header and
the spam calls would show up as "Verified." But still Robocalls, just
We declined to do business with this client.
In summary, SHAKEN/STIR seems to do nothing but be some extra technical
Please correct me if I'm missing a key piece of this.
I'm in DC, I'm going to try to attend this summit. https://transnexus.com/whitepapers/understanding-stir-shaken/
On Mon, 8 Jul 2019, Jay R. Ashworth wrote: > ----- Original Message -----
>> From: "Sean Donelan" <email@example.com>
>> I don't think SHAKEN/STIR really addresses the root problems with
>> spoofing phone numbers, anymore than any of the BGP proposals for spoofing
>> IP addresses.
>> Nevertheless, the FCC wants to be seen as doing something. So Chairman
>> Pai is having a summit to show all the progress.
>> On Thursday, July 11, 2019, FCC Chairman Ajit Pai will convene a summit
>> focused on the industry’s implementation of SHAKEN/STIR, a caller ID
>> authentication framework to combat illegal robocalls and caller ID
>> spoofing. Chairman Pai expects major voice service providers to deploy
>> the SHAKEN/STIR framework this year. The summit will showcase the
>> progress that major providers have made toward reaching that goal and
>> provide an opportunity to identify any challenges to implementation and
>> how best to overcome them.
> Well, y'know, it's been 10 years since I originated calls to LD carriers.
> But when I did, 3 of my carriers (VZN and 2 LDs) trapped outgoing calls
> that weren't for 10D calling numbers *they had assigned us* (and hence I
> had to work that out with them to prove that *someone* had)...
> nd the other 2 didn't give a crap. I could send them anything -- even calls
> with CNID that wasn't a valid NANP address (4th digit 1, frex).
> Since nearly all of this is being originated over PRIs to LD carriers, right;
> maybe if the FCC just threatened the LD carriers who do not do the calling
> number legitimacy enforcement the regs (I think) already require them to do...?
> -- jra
> Jay R. Ashworth Baylink firstname.lastname@example.org
> Designer The Things I Think RFC 2100
> Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
> St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Peter Beckman Internet Guy