SHAKEN Governance Authority Criteria


SHAKEN Governance Authority Criteria
Jim McEachern, Senior Technology Consultant, ATIS
April 2017

Background
- The protocols required to deploy SHAKEN are complete, or nearing completion:
  - SHAKEN provides the on-the-wire encoding for SIP identity header
  - Governance model, including the protocol to obtain STI certificates
- SHAKEN deployment:
  - Initial focus will be to gain operational experience
  - Volume deployment beginning in 2018
- Formal Governance Authority:
  - Not essential for initial deployment between “cooperating” service providers
  - Will be critical as deployment increases

SHAKEN Governance Model Ecosystem
- SHAKEN Governance Model defines mechanism for service provider to obtain SHAKEN STI Certificates:
  - Roles
  - Protocols
(Diagram labels: Out of Scope for “Governance Model”; In Scope for “Governance Model”)

SHAKEN Terminology
1. Service Provider Token: obtained from STI-PA and used by SP to request STI Certificate from STI-CA
2. STI Certificates: used for “authentication” and “verification” in SHAKEN
3. PASSporT Token: included in SIP Identity header “on-the-wire”

SHAKEN Governance Model: Defined Roles
- STI-CA: The STI Certificate Authority is approved by the STI Policy Administrator to issue STI Certificates to authorized Service providers.
- Service Provider: Obtains STI Certificates from STI-CA and uses these to authenticate calling party information.
(Diagram labels: Out of Scope for “Governance Model”; In Scope for “Governance Model”)

SHAKEN Governance Model – Key Roles
- Key roles in SHAKEN Governance model:
  - STI Governance Authority
  - STI Policy Administrator
- These roles are identified and relationships noted but details are stated to be “out of scope” for the SHAKEN Governance Model document.
- Further industry work is needed to “flesh out” the details of these roles separate from the development of the protocol for obtaining certificates.
- This presentation is intended to begin the discussion of how to fill these roles
(Diagram label: Focus of this presentation)

Role of the STI Governance Authority
- Defines the rules governing STI Certificates:
  - Who can obtain STI Certificates (i.e., criteria)
  - Basis for revoking STI (if required)
  - Criteria for STI Certification Authority (STI-CA)
- Selects the STI Policy Administrator.
- Would consult appropriate experts when developing rules:
  - PTSC, IP-NNI TF, INC, NGIIF, etc.
- One governance authority per country
- Industry consensus driven (e.g., INC, LNPA WG, IMSI Oversight Committee)

Criteria for Governance Authority
- Neutral industry body, representing a full range of stakeholders
  - Service providers: large, small, competitive, fixed, mobile, cable, VoIP and OTT
  - Vendors, including third party application providers
  - Others?
- Non-profit organization
- Use open, multi-stakeholder, consensus-based processes
- Recognized by the national regulator, but independent:
  - Provide regular briefings to regulator
  - Mechanism to accept ongoing input from regulator
- Minimize bureaucracy and costs

Role of the STI Policy Administrator
- Applies the rules as set by the STI Governance Authority
- Validates that individual service providers are authorized to obtain STI Certificates
  - When service provider requests credentials
- Issues ACME Key Credentials to authorized service providers allowing them to request STI Certificates
  - Valid for a period of time (e.g., one year)
- Approves STI-CAs
- Maintains a secure list of all authorized STI-CAs
- May host STI Certificate public key repository
- STI-GA and STI-PA are separate “roles” but may be a single entity.
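
The three checks in the STI-PA role above (authorize the service provider, time-limit its credential, keep the list of approved STI-CAs) can be modelled as follows. This is an added example, not part of the presentation or of any SHAKEN specification: an HMAC tag stands in for the STI-PA's signature, and every name, key and identifier in it is constructed.

```python
import hashlib
import hmac
import json

# All names and values below are constructed for illustration.
PA_KEY = b"constructed-sti-pa-demo-key"  # HMAC stand-in for the STI-PA's signing key
AUTHORIZED_SPS = {"sp-alpha"}            # providers the STI-PA has validated
AUTHORIZED_CAS = {"sti-ca.example"}      # the STI-PA's list of approved STI-CAs
LIFETIME = 365 * 24 * 3600               # "valid for a period of time (e.g., one year)"


def _tag(body):
    return hmac.new(PA_KEY, body.encode(), hashlib.sha256).hexdigest()


def pa_issue_credential(sp_id, now):
    """STI-PA: issue a time-limited credential only to an authorized provider."""
    if sp_id not in AUTHORIZED_SPS:
        raise PermissionError(f"{sp_id} is not authorized to obtain STI Certificates")
    body = json.dumps({"sp": sp_id, "exp": now + LIFETIME}, sort_keys=True)
    return f"{body}.{_tag(body)}"


def ca_issue_certificate(ca_name, credential, now):
    """STI-CA: check the credential's origin and expiry before issuing."""
    body, _, tag = credential.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        raise ValueError("credential was not issued by the STI-PA")
    claims = json.loads(body)
    if now >= claims["exp"]:
        raise ValueError("credential has expired")
    return {"subject": claims["sp"], "issuer": ca_name}


def verifier_trusts(cert):
    """Verifying provider: accept only certificates from a listed STI-CA."""
    return cert["issuer"] in AUTHORIZED_CAS


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    cred = pa_issue_credential("sp-alpha", now)
    print(verifier_trusts(ca_issue_certificate("sti-ca.example", cred, now)))
    print(verifier_trusts(ca_issue_certificate("rogue-ca.example", cred, now)))
```

A certificate from an issuer that is not on the STI-PA's list is rejected by the verifier even when the service provider's credential is valid, which is why the list of approved STI-CAs has to be kept secure.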

Industry Consensus Based
- SHAKEN governance ecosystem will need flexibility as the industry gains experience and robocallers/spammers respond with new strategies:
  - Identify and stop service providers if they abuse the system
  - Develop rules for “corner cases” (e.g., WebRTC, resellers, etc.)
  - Extend SHAKEN to introduce new functionality:
    - CNAM, NS/EP support, Biometric authentication
    - Enhanced traceback
- A neutral, multi-stakeholder, consensus-based, industry body is best positioned to provide this flexibility while ensuring accountability.
- SHAKEN Governance Authority based on industry consensus.

NANPA vs. SHAKEN Governance: Focus
- There would not be any efficiencies from combining NANPA and SHAKEN Governance Authority:
  - NANPA manages numbers and number ranges
  - SHAKEN Governance Authority “authenticates” SHAKEN service providers
- Both are experiencing significant evolution of functionality, but no overlap:
  - NANPA investigating new ways to assign numbers
  - SHAKEN Governance Authority developing industry consensus for using SHAKEN to verify calling party information
- Combining these two initiatives would not provide significant value, and could be a distraction.
- We do not recommend combining SHAKEN Governance with NANPA.

NANPA vs. SHAKEN Governance: Scale

NANPA
- Dealing with number blocks of varying sizes.
- Need to track all number assignments and reassignments.
- One size does not fit all – need a flexible, scalable solution.
- Complexity is proportional to the number of potential phone numbers. => Billions

SHAKEN Governance
- Validate carriers and assign ACME Key Credentials to each carrier.
- Carrier uses ACME Key Credentials to obtain STI Certificates from STI-CA.
- No need to track.
- Solution is the same for all carriers.
- Complexity is proportional to the number of carriers. => Thousands

Governance Authority: Potential Models
- Regulatory Mandate:
  - Costs paid by all members of the industry, based on assigned phone numbers
- Industry “committee”:
  - Costs paid by participating carriers
- Hybrid model:
  - Structured as an industry committee
  - Allocation based on assigned phone numbers
  - Open to other stakeholders
  - Criteria for membership and costs tbd