NANC Call Authentication Trust Anchor (CATA) Working Group REPORT to the NANC April 27, 2018 Co-Chairs: Jackie Wohlgemuth, ATIS Beth Choroser, Comcast FCC Liaison: Sherwin Siy
Scope of WG The North American Numbering Council’s (“NANC”) Call Authentication Trust Anchor Working Group scope as modified on February 22, 2018: Scope: Defining criteria by which a GA should be selected; Apply these criteria in evaluating the suitability of any entities proposing to serve as GA, including ATIS, the Commission, or a working group of the NANC; Describe the evaluation process of applying the above-defined criteria Recommend, if the Commission is not to serve as the GA, the role that the Commission should play in overseeing the administration of the call authentication system; and Recommend the process by which the PA should be selected, including whether solely by the GA, or by a process including other stakeholders.
Scope of WG (Cont’d) As well as: A reasonable timeline or set of milestones for adoption and deployment of a SHAKEN/STIR call authentication system, including metrics by which the industry’s progress can be measured; Incentives or mandates that the Commission can put in place to ensure that these milestones and timelines are met; Any additional steps the Commission needs to take to facilitate deployment of a call authentication system; and Any steps the Commission or industry might take to make sure a call authentication system works for all participants in the North American Numbering Plan.
Original vs. Updated Timeline for Report December 7, 2017 CATA Working Group directed to create report April 7, 2018 Original deadline for report February 15, 2018 First meeting after contact information was provided on February 7 May 7, 2018 New deadline for Report Original Deadline - 121 days to complete Updated Deadline - 81 days to complete
CATA WG Meetings and Contributions The group met at least once weekly since the WG was populated on February 7 12 two-hour meetings February 15, 22 March 1, 8, 15, 22, 29 April 5, 12, 13, 19, 26 Participation Average of 33 attendees per meeting Broad participation – 27 organizations represented Contributions Over 50 written contributions and over 15 different contributors
Membership AT&T* ATIS* CenturyLink Charter Communications, Inc* Columbia University* Comcast* Cox Communications CTIA* FCC Google iconectiv* Massachusetts DTC* Montana PSC* NTCA* Neustar* Peerless Network, Inc. SIP Forum* Smithville Communications Somos Sprint* TransNexus, Inc.* US Telecom* Telnyx LLC West Telecom Services, LLC* Guest Participation: Verizon, VigilSec* *Submitted written contributions
WG Evaluation Process Contributions covered all aspects of the WCB’s referral letter, and were used to reach consensus on modifications to a technical baseline document. GA Selection Criteria; Evaluation Process for GA Criteria; Role of FCC; PA Selection Process; Timeline/Milestones for Adoption/Deployment of Call Authentication System; FCC Incentives or Mandates; Any additional FCC Steps to Facilitate Deployment; and Steps to Make Call Authentication System Works for all NANP Participants. Some areas (noted in the appendix of the WG’s report) were agreed by the WG to be out of scope. Recommended to be referred to the appropriate working body as further specifications are considered in the development and completion of the call authentication and trust anchor ecosystem. Consensus was reached on the content of the final report. A minority opinion was submitted to reflect one contributor’s views.
GA Selection Criteria The STI-GA should be capable of performing specific functions and be established with these characteristics in mind. Responsibilities and characteristics that the STI-GA must embody: Ability to adapt to change; Openness, neutrality and transparency; Consideration of costs; Accountability; and Legal protections. These characteristics fell into three buckets: Adapting to Changes; STI-GA Participation Model; and Organization/Setup/Processes/Experience.
Evaluation Process for GA Criteria Recommend allowing the industry to collaboratively form an STI-GA. This approach has been used successfully for other industry initiatives. Allows the industry to begin work immediately without the need for a formal FCC rulemaking. Allows SHAKEN/STIR to retain maximum flexibility to rapidly respond to evolving threats. Funding Outside the scope of the CATA WG. WG did note that there are a number of possible funding models, and funding models might be different in start-up mode as opposed to mature operation.
Role of FCC Assumes industry-led entity to govern the SHAKEN/STIR ecosystem. The role of the FCC if not acting as the Governance Authority: Serve in an oversight role that includes driving progress toward industry call authentication objectives and timelines; Support the model recommended by industry for forming an STI-GA; Act as an escalation point for resolution of grievances that have come before the STI-GA, but remain unresolved after an STI-GA decision; and Establish incentives for service providers to participate in STIR/SHAKEN.
PA Selection Process Recommends the use of a Request for Proposal (RFP) process, or other transparent process initiated by and overseen by the STI-GA Board. Should include very specific requirements based on functional elements, ensuring that a selected STI-PA has the necessary track record, experience, management, security and operational capabilities to perform this role and the ability to commence effective operations within the required time frame. Should be, at a minimum, an appropriate legal or financial separation between the STI-GA and an organization being considered for the STI-PA to avoid any potential conflicts of interest. Should be selected in a manner that minimizes cost to the industry and disruption to SHAKEN as it evolves. Also recommends that any PA contract: Should be terminable at will and non-exclusive. Must accommodate flexibility to allow for evolution in the SHAKEN model. Could be re-bid if deemed necessary by the STI-GA.
Timeline/Milestones for Adoption/Deployment of Call Authentication System The following timeline has been established for the establishment of the SHAKEN governance structure (deadlines will be expedited where possible): The STI-GA should be established within no more than three months after the NANC submits its report to the FCC. The STI-GA should issue an RFP or initiate an alternate transparent process for selection no more than three months after establishment. The submission of the RFP responses or alternate transparent process should not exceed a period of three months. The STI-GA should select an STI-PA no more than three months after conclusion of an RFP response deadline or three months after the initiation of an alternate transparent process for selection of an STI-PA. Service provider interoperation, vendor implementation and deployment of the SHAKEN/STIR framework would continue in parallel with above processes.
Timeline/Milestones for Adoption/Deployment of Call Authentication System May 7, 2018 Submission of NANC report to FCC August 5, 2018 Establishment of GA November 3, 2018 Issuance of PA RFP February 3, 2019 RFP responses or alternate transparent process May 7, 2019 Selection of PA Service provider deployment for end-to-end SIP calls can take place concurrently
FCC Incentives or Mandates Some form of a safe harbor for inadvertent blocking of calls for those validating calls using the framework. Incentivize IP-to-IP interconnection to enable the most fulsome level of attestation. If NANP funding could be used to defray start-up costs, that would likely incentivize participation by smaller service providers.
Any Additional FCC Steps to Facilitate Deployment If the FCC finds progress to be lagging, it could direct service providers to start actively testing either via direct interoperability tests or as part of coordinated industry testing. Encourage service provider interoperation, vendor implementation and deployment of the SHAKEN/STIR framework to proceed in parallel with the STI-GA establishment and STI-PA selection processes.
Steps to Make Call Authentication System Work for All NANP Participants The SHAKEN framework will not “solve” illegitimate caller ID spoofing, but it is an enabler that can lay the groundwork for a variety of techniques to address the problem. Similarly, establishing the Call Authentication Trust Anchor (STI-GA/STI-PA) will not by itself ensure that the call authentication system works for all participants in the North American Numbering Plan. SHAKEN/STIR is focused on IP-based networks and will not work with legacy PSTN networks. Providing a secure certificate management infrastructure for SHAKEN (the primary objective of the STI-GA/ STI-PA) will, however, provide the starting point for subsequent activity by the industry to promote broad adoption.
Accelerating Deployment of SHAKEN/STIR Ensure that all carriers that route calls between originating and terminating carriers maintain the integrity of the required SHAKEN/STIR signaling. Individual companies capable of signing and validating VoIP calls using SHAKEN/STIR should implement the standard within a period of approximately one year after completion of the NANC CATA report. The evolving nature of the technology and the growing levels of deployment will enhance the ability of industry stakeholders in multiple areas. Enhancements will include: Increased ability to trace illegal robocalls; Improved call analytics for consumer tools; and More effective enforcement actions. Reporting on the percentage of IP voice calls using SHAKEN/STIR would also provide the necessary accountability to encourage timely deployment.
Contact Information Please contact any one of the leadership team to ask questions: Jackie Wohlgemuth, ATIS Sherwin Siy, FCC Liaison to the WG jwohlgemuth@atis.org sherwin.siy@fcc.gov Beth Choroser, Comcast Beth_Choroser@Comcast.com