Certificates for me, but not for thee

Today the Internet Society, Canada Chapter intervened in a Part One application by Mitel Cloud Services Inc. requesting that the CRTC allow all telecommunications service providers (TSPs) to participate equally in the STIR/SHAKEN framework. For those who are unaware, the STIR/SHAKEN framework was created by the telecommunications industry to digitally sign calls between providers and to attest to the level of confidence in the "trustworthiness" of the calling line ID sent with the call. The theory is that once calls are digitally signed, it will allow calls to be quickly filtered back to the source and ensure that numbers for banks, government services, etc. are not spoofed by bad actors. When fully implemented, the framework will greatly reduce the number of fraudulent calls received by Canadians and help restore trust in caller line ID.

The STIR/SHAKEN framework achieves its goals by defining 3 levels of attestation for a phone call:


• Full Attestation (A) — The service provider has authenticated the calling party and they are authorized to use the calling number. An example of this case is a subscriber registered with the originating telephone service provider’s softswitch.

• Partial Attestation (B) — The service provider has authenticated the call origination, but cannot verify whether the call source is authorized to use the calling number. An example of this use case is a telephone number behind an enterprise PBX.

• Gateway Attestation (C) — The service provider has authenticated from where it received the call, but cannot authenticate the call source. An example of this case would be a call received from an international gateway.

These different levels of attestation can be used by receiving networks to enhance call filtering services, allowing calls that attempt to spoof known numbers such as the CRA to be blocked before they ever reach a customer.  
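To make the three levels concrete, here is an added example (not from the original post or from any carrier's code) of how a terminating network could read the attestation out of the signed token that travels with a call, a PASSporT as defined in RFC 8225 and RFC 8588. The function names, phone numbers, certificate URL and the 60-second freshness window are assumptions for illustration, and the sample token is constructed and unsigned.

```python
import base64
import json

# "attest" claim values (RFC 8588) mapped to the three levels listed above.
LEVELS = {"A": "full", "B": "partial", "C": "gateway"}

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def make_sample(attest, orig_tn, iat):
    """Constructed, unsigned sample token; every value here is made up."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.example.invalid/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": ["16135550123"]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000000"}
    return ".".join([_b64url(header), _b64url(claims), "c2lnbmF0dXJl"])

def assess(token, caller_id, now, max_age=60):
    """Return the attestation level claimed for caller_id, or a reject reason.

    Signature and certificate-chain verification are out of scope here; a
    verification service must do them first or the claims mean nothing.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "reject: not a compact JWS"
    try:
        header, claims = _unb64url(parts[0]), _unb64url(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "reject: undecodable"
    if header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        return "reject: not a SHAKEN PASSporT"
    if abs(now - claims.get("iat", 0)) > max_age:  # assumed freshness window
        return "reject: stale iat"
    if claims.get("orig", {}).get("tn") != caller_id:
        return "reject: orig does not match caller ID"
    return LEVELS.get(claims.get("attest"), "reject: unknown attest value")
```

The `x5u` header is where certificate access matters: it points at the signing provider's certificate, so a provider that cannot obtain one cannot produce a token under its own name.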

Back in 2018 the CRTC mandated that all Telecommunications Service Providers (TSPs) needed to implement the STIR/SHAKEN framework.  The key part of that decision is this sentence - "the Commission determines that authentication and verification of caller ID information for Internet Protocol (IP) voice calls should be implemented by Canadian telecommunications service providers (TSPs)".  

In the implementation of the STIR/SHAKEN framework there are several actors that are required to make the implementation happen - the Governance Authority (GA), the Policy Administrator (PA) and the Certificate Authority (CA).  This diagram from ATIS shows the relationship between the various entities:

In CRTC Decision 2019-403 the Commission selected a new entity, the "Canadian Secure Token Governance Authority (CST-GA)", to be the STI-GA for Canada. This organization was established by a group of incumbent Canadian telecommunications carriers, and this is where the problem starts.

If you remember the original 2018 CRTC decision, the STIR/SHAKEN framework is supposed to apply to all telecommunications service providers. However, if you read the CST-GA website, they state clearly that "Any Canadian Carrier with direct access to Canadian Telephone Numbers can participate in the call authentication scheme". On the surface this may not sound like a problem, but if you understand how the vast majority of TSPs operate you will quickly understand this is a major issue.

There are over 1200 entities registered with the CRTC as Resellers of Telecommunications Services. These resellers provide valuable telecommunications services to Canadians, including business Hosted PBX platforms, residential over-the-top services, and other innovative voice products. Many of these TSPs do not have their own numbering resources. They rely on the services of underlying CLECs, LECs, SILECs, and others to obtain the numbering resources which they need to operate.

As it stands today, these providers have been left out of the STIR/SHAKEN process - they are unable to access certificates because the current CST-GA policy prevents them from being able to join. The issue of lack of access to certificates isn't a new issue - in March 2020 I spoke in front of INDU (the Standing Committee on Industry, Science and Technology) on the issue of fraudulent calls in Canada and raised this very issue. Others in the industry have spoken out too - the problem has been raised by the Internet Society, CNOC, and others in multiple submissions to the CRTC and yet to this day they have not acted to correct the situation.

The problem is real - if TSPs cannot sign their own calls, calls they egress to the PSTN will never get A level attestation. Without A level attestation, these calls will always be viewed with a higher level of suspicion and scrutiny by receiving carriers, likely causing them to be blocked or filtered. The result will be that end customers of TSPs who cannot directly sign calls will be forced to move their business to someone who can provide A level attestation for all calls. This will create a two-tiered telecommunications system in Canada – those who can sign and those who cannot.

Like other internet technologies, we must ensure that all players, including small TSPs, can participate on an equal footing. If parties cannot participate equally in this process, the harm to the smaller carriers will be irreparable. It is imperative that the CRTC grant the Mitel application and ensure that an equal footing exists between all parties before the STIR/SHAKEN framework is actually implemented in Canadian networks.