On Thu, 11 Jul 2019, Ross Tajvar wrote:
> What if you use different carriers for termination and origination? How does your termination carrier validate that your origination carrier has allocated certain numbers to you and that you're therefore allowed to make outbound calls with a caller ID set to those numbers? That doesn't sound to me like something that can be solved as quickly and easily as you imply.

I attended the first panel at the FCC and Scott Mullen, CTO at Bandwidth, was the only one that brought up issues that are not addressed by implementing STIR/SHAKEN.

1. There's no delegation -- there is no standardized means of telling anyone who is the End User of a specific TN.
2. Self-signed certs are being used so far, which means that you need to establish trust in a full mesh in order for STIR/SHAKEN to be of any value. Not feasible, definitely fragile. This could be addressed using a Public Cert Authority.
3. Relies 100% on your trust of the initial carrier to properly set the Attestation level on the call.
4. Does not cover if the call is received with a STIR/SHAKEN header to a termination provider with Full Attestation that turns out to be a lie.
5. Does not actually verify that the CallerID is really the EU generating the call. For Wireless Carriers it can, since calls are both received and placed by the same carrier in most cases, but what about roaming? Is Three UK going to implement STIR/SHAKEN or will it occur at Verizon's edge? How do any of us know that the Identity: header was added at the first point of origin?

All STIR/SHAKEN is doing is adding an Identity: header to the SIP payload that one can use to verify that a carrier signed the call at some point. Some carriers may be trustworthy, some may blindly add Full Attestation for a termination customer that has a nice mix of legit and spoofed calls.

There is still no connection between the End User of a phone number and the call itself. And there's no way for me as a carrier to check to see if a phone number should only originate from specific networks or not.

Even if it is signed, I know nothing more than I do now about the legitimacy of the call.

Argh.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
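
An added illustration of what the Identity: header gives a terminating carrier (this is not part of the original message and not any carrier's code): it decodes a constructed SHAKEN PASSporT using the field names from RFC 8225 and RFC 8588 and applies a local signer allow-list. The hostnames, telephone numbers, function names and allow-list are assumptions, and ES256 signature verification is left out.

```python
import base64
import json

def b64url_decode(seg: str) -> bytes:
    # PASSporT segments are base64url without padding; restore it first.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample values (reserved example domain, 555 numbers, dummy signature).
SAMPLE_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
                 "x5u": "https://certs.carrier-a.example/shaken.pem"}
SAMPLE_CLAIMS = {"attest": "A", "dest": {"tn": ["12155550113"]},
                 "iat": 1562803200, "orig": {"tn": "12155550112"},
                 "origid": "123e4567-e89b-12d3-a456-426655440000"}
SAMPLE_IDENTITY = (
    f"{b64url_encode(SAMPLE_HEADER)}.{b64url_encode(SAMPLE_CLAIMS)}.c2lnbmF0dXJl"
    ";info=<https://certs.carrier-a.example/shaken.pem>;alg=ES256;ppt=shaken"
)

def parse_identity(value: str) -> dict:
    """Return everything a SHAKEN PASSporT states about a call."""
    token = value.split(";")[0].strip()          # drop info/alg/ppt parameters
    head_b64, claims_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    claims = json.loads(b64url_decode(claims_b64))
    if header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        raise ValueError("not a SHAKEN PASSporT")
    # Note what is absent: no end-user identity, no TN delegation record,
    # no list of networks the number may originate from.
    return {"signer_cert": header["x5u"], "attest": claims["attest"],
            "orig_tn": claims["orig"]["tn"], "dest_tn": claims["dest"]["tn"],
            "origid": claims["origid"], "iat": claims["iat"]}

def assess(value: str, trusted_signers: set) -> str:
    """Local policy: the attestation is only as good as trust in the signer."""
    info = parse_identity(value)
    if info["signer_cert"] not in trusted_signers:
        return "untrusted-signer"                # no trust path to this cert
    # Even when trusted, 'A' is the signer's assertion, not proof of the caller.
    return f"signer-asserts-{info['attest']}"

if __name__ == "__main__":
    print(parse_identity(SAMPLE_IDENTITY))
    print(assess(SAMPLE_IDENTITY, set()))
```
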