The CST-GA is "SHAKEN" down small carriers
If you've been following my blog, you'll know that equal access for all telecommunications providers to participate in the SHAKEN/STIR call authentication framework has been one of the causes I have been most passionate about. In late August, smaller Canadian telecommunications service providers (TSPs) finally got a win - CRTC 2021-267 decided that all TSPs should have access to certificate resources for SHAKEN/STIR. Before this decision, the CST-GA, the organization that is the gatekeeper of participation in the SHAKEN/STIR framework, only allowed traditional service providers with direct access to phone numbers to participate. (See my previous article, "Certificates for me, but not for thee" (mgamble.ca).)
While this decision was a win for smaller providers, it's another example of the CRTC not taking proactive action on important issues. Prior to the Mitel intervention, which spawned the decision, many interveners, including the Internet Society, Canada Chapter in a 2019 intervention, pointed out the certificate issuance disparity and other issues to the Commission, which apparently fell on deaf ears.
The CST-GA - Built for Incumbents, by Incumbents
The CST-GA is the "Canadian Secure Token Governance Authority", an organization created by the incumbent telecommunications providers and given domain over the Governance Authority function of the SHAKEN/STIR framework for Canada. The CST-GA was given this power by the CRTC in decision CRTC 2019-403. There are many faults in this initial decision, all of which contributed to making SHAKEN/STIR a technology that is controlled by the incumbents, for the incumbents. First, in the decision the CRTC states that "The CLNPC is the only entity that took initiative and submitted a proposal to the Commission to take action towards fulfilling the role of CCA, as the Commission requested in CETD 2018-32". This isn't entirely true - in its intervention to 2018-32, the Canadian Internet Registration Authority (CIRA) stated:
CIRA believes that given its track record of securing the Canadian top level domain (TLD) through initiatives like DNSSEC that CIRA is in an unique position to assist with this endeavour to assess and research the role of DNSSEC in enhancing the integrity of SIP/IP interconnection in integrating DNS based PKI into the STIR/SHAKEN framework.
But after the 2018-32 decision, the CRTC never asked anyone publicly if they wanted to assume the role of the SHAKEN/STIR GA; it just assumed the industry would do so itself. That sounds wonderful in theory, but without being an entrenched industry incumbent, how would an organization such as CIRA even know to file a proposal with the CRTC? It's very disingenuous to state no one applied for the job if you never posted it - the CRTC just left it as a "todo" item for someone else to figure out. Without public guidance on its creation, the industry did what it does best - created a closed, secretive organization with no stakeholders that are not incumbent carriers.
The second major issue was the Commission's statement in para 18 that "no party filed any objection to the CLNPC’s proposal". There is a good reason that no party filed an objection - there was no public hearing, notice of consultation, or other forum in which the public could have filed such an objection. Further, neither the CLNPC's initial proposal nor the later-filed redacted proposal can be found on the CRTC website. It's easy to say no one objected to the proposal when no one knew about it.
An Old Boys Club
From its inception, the CST-GA has ignored the original CRTC directive in 2018 that SHAKEN/STIR "should be implemented by Canadian telecommunications service providers (TSPs)". The CST-GA website has stated, and still does even after the Mitel decision, that you must have access to telephone numbering resources to be able to participate:
If you are a TSP, and you search the entire CST-GA site, you can actually find the magical URL, which contains the application for a TSP to apply to be a member of the CST-GA. It's a traditional dark pattern - yes, the information is technically on their site, but you have to rummage around to find it. One would assume they would update the "Eligibility" page after the Mitel decision, but the CST-GA has no motivation to do so - the TSPs looking for this information are parties they never wanted as members in the first place.
As a small TSP, once you've found the magical application form, you are now looking at the 9-page questionnaire you must complete before the CST-GA will consider your application. The application form forces smaller providers to divulge sensitive business process information, such as how they validate enterprise customers, and to answer a long list of questions about their participation in various industry groups. While not stated anywhere, my assumption would be that answering "No" to any of the questions would likely disqualify you from becoming a CST-GA member. So as a smaller provider, if you don't have the resources to have someone participate in industry working groups, the CST-GA may prevent you from implementing something you're required to implement.
Let's keep the riff-raff out
Once a TSP has submitted its application, the gatekeepers at the CST-GA surprise you with the next hurdle - the cost. I've been told the yearly fee for CST-GA membership is in the $15k range for non-carriers, regardless of the size of your organization. For a smaller TSP this fee could be a significant portion of revenues in a year. Contrast this with the United States, where the GA fees are based on revenues, with the smallest providers paying only $825 USD per year. Is it really fair that Mom-and-Pop Tel Canada has to pay 15x more than its US counterpart? In almost every other regulatory context fees for participation are commensurate with revenue, but not with the CST-GA.
Conclusion
For smaller providers, the result is a nightmare - they are stuck in a regulatory hell. TSPs have been forced to implement SHAKEN/STIR under a process rigged against them from the start. The governing body is an organization built and run by the incumbent providers with no transparency. The cost to enter is a fixed cost unrelated to actual revenues. They have to scramble to upgrade equipment and systems. And they have to do all of this in the short time between when they became eligible to participate in October and the implementation deadline of November 30th.
The CRTC needs to extend the deadline beyond November 30th and direct the CST-GA to implement a funding model that is tied to the telecom revenue of the participants. We need the CST-GA to have an open governance model with participation from stakeholders of all sizes. If this isn't done, many smaller providers will not be able to afford to participate, and the CRTC could shut them down for non-compliance. If this happens, years of competitive gains in the telecommunications industry will be lost and the incumbents win again.