Good catch. I just casually scrolled through the list of companies in the Robocall Mitigation Database & stumbled across a Panamanian company and an Australian company that both claim to have "complete" STIR/SHAKEN implementations. Yet I can confirm that neither company shows up either in the 499 Filer ID database, nor in iconectiv's list of Service Provider accounts that they have authorized to have access to the STI-PA and to generate SP tokens. The FCC FRNs for both companies were also generated fairly recently. I wonder if these foreign companies got concerned about making sure that international calls originating from their networks were getting signed with a high attestation on ingress into the U.S., arranged for this to be the case with whomever they are interconnecting with over on our shores, thought that they had to be listed in the RMD for some reason (do they? Are int'l telecoms required to be in the RMD and file an actual mitigation plan if they want to originate calls to the U.S.?), also assumed/misunderstood that having another party sign & attest their calls for them is enough to claim a "complete" implementation, and so that's why they filed the way they did. (Trying to be generous / assume the best here.) Since implementing S/S in the U.S. requires a 499 Filer ID, it is actually kind of infuriating that the RMD does not have 499 Filer ID as a required field on their form. That would nip this issue right in the bud if they did. -- Nathan -----Original Message----- From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Markus via VoiceOps Sent: Thursday, July 6, 2023 1:07 PM To: voiceops at voiceops.org Subject: Re: [VoiceOps] STIR/SHAKEN warning! Am 04.07.2023 um 07:35 schrieb Paul Timmins:
What if I'm an European telecom operator and have US-based end-users (via SIP) who are calling to the US and who would like to signal their United States A-number to the called party?
What if I'm an European telecom operator and have Euro end-users (via SIP) who are calling to the US and who would like to signal their European A-number to the called party?
If I try to register here - https://authenticatereg.iconectiv.com/register - "Country: United States" is hard-coded.
Is there a way for Euro TSPs to get STIR/SHAKEN without creating a US entity/company just for this purpose?
I'm pretty sure it's the job of whoever is providing gateway services into the USA to sign the call, and that anyone in the STIR/SHAKEN system in the US has some sort of regulatory nexus here where they could be held legally responsible. It's all about finding a throat to choke if there's misconduct.
I asked iconectiv that question and now I have clarity: Me: "I have some fundamental questions about STIR/SHAKEN: What if I'm an European telecom operator and have US-based end-users (via SIP) who are calling to the US and who would like to signal their United States A-number to the called party? -> Do we need to get a STIR/SHAKEN certificate? [...]" iconectiv: "The revised SPC token Access Policy requires providers seeking to register with the STI-Policy Administrator (STI-PA) to: 1) Have a current form 499A on file with the FCC; 2) Have been assigned an Operating Company Number (OCN); [...] Me: "Since registering as 499A and getting an own OCN is only possible for US companies, I figure getting a STIR/SHAKEN certificate through you is currently not possible for non-US companies. Is that correct?" iconectiv: "That is correct." The confusion also came from the fact that many non-US companies that registered in the Robocall Mitigation Database - https://fccprod.servicenowservices.com/rmd?id=rmd_listings - chose "Complete STIR/SHAKEN implementation" or "Partial STIR/SHAKEN implementation", which, unless they also have a US subsidiary, seems to be a lie. Probably they chose something that looked cool in the dropdown box, or were too lazy to develop a Robocall Mitigation Plan (this is what you gotta upload as DOCUMENT if you choose "No STIR/SHAKEN implementation". I also noticed some non-US companies just uploaded some random document to the database, like a high school report or just some random letters or words... so much about the quality of that database. Good luck Markus _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
Nathan wrote: "Since implementing S/S in the U.S. requires a 499 Filer ID, it is actually kind of infuriating that the RMD does not have 499 Filer ID as a required field on their form. That would nip this issue right in the bud if they did." Yes, that would be a good idea. Generally it is easier to get a 499A Filer ID than it is an OCN. The good news is that in their Sixth Report and Order (https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf) the FCC wrote, at paragraph 48: "Finally, we require filers to submit their OCN if they have one. An OCN is a prerequisite to obtaining an SPC token, and we conclude that filing the OCN or indicating that they do not have one will allow us to more easily determine whether a provider is meeting its requirement to diligently pursue obtaining a token in order to authenticate their own calls and provides an additional way to determine relationships among providers." Presumably they will implement this shortly (the Order is pending some administrative reviews).
Hopefully on-topic. How are you handling TFN atestations? Although a part of NANP - it's a different technology at the network level in terms of chain of authority and routing. RespOrg manages the number, but can provision and use many carriers to make outbound calls using the TFN Caller ID (and to receive inbound calls via the same TFN)... RespOrgs is not necessarily a carrier - who and how checks that RespOrg has the authority in case of delegated attestation. I may be overcomplicating it in my mind.. but it doesn't feel like the regulation maps 1-to-1 over to TFNs... Just wondering what everyone's experience is. Thanks, Ivan On Thu, Jul 6, 2023 at 7:26?PM David Frankel via VoiceOps < voiceops at voiceops.org> wrote:
Nathan wrote: "Since implementing S/S in the U.S. requires a 499 Filer ID, it is actually kind of infuriating that the RMD does not have 499 Filer ID as a required field on their form. That would nip this issue right in the bud if they did."
Yes, that would be a good idea. Generally it is easier to get a 499A Filer ID than it is an OCN.
The good news is that in their Sixth Report and Order (https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf) the FCC wrote, at paragraph 48:
"Finally, we require filers to submit their OCN if they have one. An OCN is a prerequisite to obtaining an SPC token, and we conclude that filing the OCN or indicating that they do not have one will allow us to more easily determine whether a provider is meeting its requirement to diligently pursue obtaining a token in order to authenticate their own calls and provides an additional way to determine relationships among providers."
Presumably they will implement this shortly (the Order is pending some administrative reviews).
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
-- NOTE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by replying to this email, and destroy all copies of the original message.
Ivan asks: ?How are you handling TFN atestations?? When the signer of a call gives A-level attestation, it means that the signer knows that the caller ?is authorized to use? the calling number. The signer can ?know? that in any of a variety of ways. For toll-free numbers, the most sophisticated and secure is probably via Delegate Certificates. SOMOS, the North American Toll-Free Number Administrator, has commented about this in a current FCC proceeding: https://www.fcc.gov/ecfs/document/10605623514445/1 As the signer, there are other ways you could determine that the caller is authorized to use the number. For example, you could solicit some documentation from them (like an invoice from their RespOrg and/or service provider) and you could call the number and verify that your caller answers. The regulations (today) do not specify exactly how you ?know? so you (as the signer) need to act in the spirit of the rules. This problem is not unique to toll-free numbers. I might have a geographic number that I obtain from provider A (and that?s how I get inbound calls to the number), but I make outbound calls from that number via providers B and C for redundancy and cost reasons. Bear in mind that providers can set their own rules for what calls they will accept and what attestations they will assign, and those rules can be more restrictive than what might be dictated by regulation. For example, a provider might say ?I will only assign A-level attestation to calls that use calling numbers assigned by me.? That?s their prerogative. In fact, a provider might say: ?I will only accept calls that use calling numbers assigned by me. Those calls will get A-level attestation. I will reject all other calls.? There are no rules (to my knowledge) that prohibit providers from setting these kinds of rules. From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Ivan Kovacevic via VoiceOps Sent: Friday, July 7, 2023 7:27 AM To: Voice Ops <voiceops at voiceops.org> Subject: Re: [VoiceOps] STIR/SHAKEN warning! Hopefully on-topic. How are you handling TFN atestations? Although a part of NANP - it's a different technology at the network level in terms of chain of authority and routing. RespOrg manages the number, but can provision and use many carriers to make outbound calls using the TFN Caller ID (and to receive inbound calls via the same TFN)... RespOrgs is not necessarily a carrier - who and how checks that RespOrg has the authority in case of delegated attestation. I may be overcomplicating it in my mind.. but it doesn't feel like the regulation maps 1-to-1 over to TFNs... Just wondering what everyone's experience is. Thanks, Ivan
participants (3)
-
dfrankel@zipdx.com -
ivan.kovacevic@startelecom.ca -
nathana@fsr.com