Compliance and Enforcement and Telecom Decision CRTC 2019-402

PDF version

Reference: 2019-402-1

Ottawa, 9 December 2019

Public record: 8621-C12-01/08 and 8665-C12-201507576

CISC Network Working Group – Status of implementation by telecommunications service providers of authentication/verification measures for caller identification

The Commission concludes that Canadian carriers and other telecommunications service providers providing voice telecommunications services in Canada (TSPs) should be able to complete the implementation of the STIR [Secure Telephony Identity Revisited]/SHAKEN [Signature-based Handling of Asserted information using toKENs] framework in Canada to authenticate and verify caller identification (ID) information for Internet Protocol (IP)-based voice calls by no later than 30 September 2020. The Commission requests that TSPs and the CRTC Interconnection Steering Committee (CISC) file with it status reports as described in this decision.

Background

  1. In Compliance and Enforcement and Telecom Decision 2018-32 (CETD 2018-32), the Commission examined measures to reduce caller identification (ID) spoofingFootnote 1 and determine the origins of nuisance calls.Footnote 2 Specifically, in paragraph 31 of CETD 2018-32, the Commission determined that authentication and verification of caller ID information for Internet Protocol (IP)-based voice calls should be implemented by Canadian carriers and other telecommunications service providers that provide voice telecommunications services in Canada (collectively referred to for the purpose of this decision as TSPs), by no later than 31 March 2019, to empower Canadians to better protect themselves against nuisance calls.
  2. The Commission also noted that the Internet Engineering Task Force (IETF)Footnote 3 has developed a technical standard, referred to as STIR [Secure Telephony Identity Revisited], which would provide a means for call-originating TSPs to certify the identity of callers, thus enabling the caller’s identity to be validated. In conjunction with STIR, the Alliance for Telecommunications Industry Solutions (ATIS)Footnote 4 has developed a framework, referred to as SHAKEN [Signature-based Handling of Asserted information using toKENs] (see ATIS-1000080), for the implementation of STIR in IP-based service providers’ networks.
  3. STIR/SHAKEN is a framework of interconnected standards. This means that calls travelling through interconnected telephone networks would have their caller ID “signed” as legitimate by originating carriers. Through the STIR/SHAKEN framework, the caller ID information is transmitted using “tokens,” and the handoff of telephone calls passing through the complex web of networks is digitally validated, enabling the telephone company of the consumer receiving the call to verify that the call is indeed from the person making it. This process is dependent upon one or more Certificate Authorities (CAs) administering and issuing certificates to TSPs.
  4. To ensure the effective use of these certificates, the STIR/SHAKEN framework is managed by the following authorities:
    • a Governance Authority (GA), which will ensure the integrity of the issuance, management, security, and use of certificates issued in compliance with the SHAKEN specification;
    • a Policy Administrator (PA), which is selected by the GA and is responsible for applying the rules defined by the GA, including ensuring that CAs implement appropriate certificate management practices and that certificates are issued only to authorized TSPs. The PA is the administrator and primary trust anchor of the system; and
    • CAs, which issue certificates to validated TSPs.
  5. In the United States, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking in June 2019 in which it proposed to require voice service providers to implement the STIR/SHAKEN framework by the end of 2019. In August 2019, certain American voice service providers announced that they are beginning to roll out the exchange of call authentication information within their networks, and the FCC’s Chairman Pai stated that indications are that all of the largest voice service providers will be capable of meeting the FCC’s end-of-2019 deadline.
  6. To monitor the industry’s progress on caller ID authentication in Canada, in CETD 2018-32, the Commission directed TSPs to submit to the CRTC Interconnection Steering Committee (CISC) every six months, beginning six months from the date of that decision (i.e. 25 January 2018), a report on their efforts and progress in implementing authentication/verification measures for caller ID. The Commission requested that CISC consolidate the TSPs’ reports into a single report.

Report

  1. On 12 June 2019, the CISC Network Working Group (NTWG) submitted its second consolidated report (the Report) to the Commission for consideration:
    • Telecommunications Service Providers status with regards to the implementation of authentication/verification measures for caller ID, 27 May 2019 (NTRE065)
  2. The Report can be found under the “Reports” section of the NTWG page, which is available under the CISC section of the Commission’s website at www.crtc.gc.ca.
  3. Pursuant to the Commission’s determinations set out in CETD 2018-32, the Report includes the following information:
    • the status of TSPs’ readiness in terms of network changes, if any;
    • the status and results of equipment testing and participation in those tests;
    • statistics identifying (i) the percentage of authentication/verification-enabled trunks used for IP voice traffic out of the total number of IP voice trunks, (ii) the percentage by month of the number of authenticated/verified voice calls out of the total number of IP voice calls, and (iii) tracking by level of authentication (i.e. full, partial, and gateway attestation) for calls delivered to customers;
    • the status of authentication/verification standards such as STIR/SHAKEN and their subordinate standards, as well as any other related standards; and
    • Canadian-specific requirements in the standards, and efforts that are being taken to incorporate these requirements.

Network readiness

  1. The NTWG noted that the expected implementation date of 31 March 2019 is at risk.  The NTWG indicated that of the 16 TSPs that provided a potential STIR/SHAKEN implementation date, 5 TSPs indicated that they will be ready before December 2020, 10 TSPs by December 2020, and one TSP by 2021.
  2. Many TSPs identified a need to establish a PA and one or more CAs under the STIR/SHAKEN framework. Many TSPs also indicated that timelines and availability regarding plans with their current vendors to support STIR/SHAKEN are not finalized. Several TSPs indicated that without a Canadian Certificate Authority, they have had to use self-signed certificates to complete equipment testing to sign and verify IP voice traffic received from other TSPs. Some TSPs indicated that they need to have a fully defined solution before going further.
  3. Certain TSPs highlighted the fact that all or a large portion of voice traffic is time-division multiplexing (TDM)-based and therefore technically incapable of supporting the STIR/SHAKEN framework. Other TSPs noted that they are in a transitory state, supporting both IP-based voice and TDM services, and that they are looking to implement STIR/SHAKEN after they move to a fully IP-based environment.
  4. Some TSPs expressed the view that the penetration of STIR/SHAKEN will be low due to (i) the high penetration of TDM trunking; (ii) the low penetration of session initiation protocol (SIP) trunking; and (iii) the low level of industry readiness, partially due to the high costs of the transition from legacy to IP-based networks. 
  5. ResellersFootnote 5 indicated that their role in supporting STIR/SHAKEN is unclear. Further, most Canadian resellers are interconnected via TDM facilities and are therefore unable to interface with the underlying IP (SIP) protocol. Resellers that have IP-based voice facilities connected to their host carrier indicated that they were awaiting details from their hosts on how STIR/SHAKEN technology could be supported. Additionally, resellers were concerned about being competitively disadvantaged.
  6. The NTWG noted other considerations that were identified in the first status report and that remain, such as a need to clarify the target deployment architecture and the architecture of call streams in order to determine (i) which cases are to be authenticated and verified (e.g. network-to-network calls or device-to-device calls), (ii) display standards, and (iii) the treatment of unverified and unauthenticated calls.

Equipment testing

  1. The NTWG indicated that of the TSPs that submitted status reports, only one completed testing with the ATIS test bed. Three more TSPs reported being in various stages of setup or in the initial phases of testing. One TSP mentioned that local testing was successful, but that no testing had been done with other carriers.
  2. TSPs raised the following common areas of concern:
    • a lack of vendor-compliant platforms;
    • lack of a GA;
    • little or no SIP traffic, resulting in no way to test the SIP-based STIR/SHAKEN functionality; and
    • lack of a Canadian test bed for data sovereignty and privacy reasons.

Status of authentication/verification standards

  1. The NTWG indicated that industry efforts on caller ID authentication have been focused on the STIR/SHAKEN framework for the implementation of STIR in IP-based TSP networks. It is expected that there will be changes and extensions to the set of requirements to support initial, interoperable, IP-based implementations of caller ID authentication as industry participants progress towards implementation and begin to benefit from firsthand operational experience.
  2. Regarding the use of STIR/SHAKEN in TDM-based networks, the NTWG indicated that extensive analysis had been done that identified various challenges and limitations, resulting in a potential lack of trust in the framework.
  3. The NTWG added that ATIS is continuing work to enhance the STIR/SHAKEN framework and enable an authorized TSP to delegate authority for a subset of its telephone numbers to another entity. This work remains of particular interest to the NTWG given the similar commercial arrangements (e.g. between carriers and IP-based voice resellers) in Canada.

Canadian-specific requirements

  1. The NTWG noted that it has not identified any Canadian-specific requirements for caller ID authentication beyond those that have already been defined or that are already being considered. The NTWG added that it intends to continue monitoring standardization efforts and providing status updates in future reports.

Commission’s analysis and determinations

Overview

  1. The STIR/SHAKEN framework is presently the only viable authentication/verification solution that can provide consumers with a measure of additional trust in caller ID. The Commission considers that this framework will increase the effectiveness of other measures taken to combat nuisance calls, such as an industry-wide call traceback process, opt-in call filtering solutions, and network-level blocking of nuisance calls with blatantly illegitimate caller ID.

Lack of IP-based voice interconnections

  1. The Commission considers that efficient deployment of the STIR/SHAKEN framework within Canadian networks requires SIP end-to-end connectivity. As noted above, however, most TSPs currently rely on TDM interconnections (either primarily or exclusively), which are not compatible with the STIR/SHAKEN framework. The Commission recognizes that it is not possible to deploy STIR/SHAKEN on legacy circuit-switched networks at this time given that the associated equipment is no longer vendor supported. However, the Commission considers this to be a diminishing concern, since
    • ILECs are migrating their networks to IP-based technologies;
    • circuit-switched mobile networks are converting to voice over long-term evolution (VoLTE), which is dependent on an IP-based core;
    • almost all cable and competitive local exchange carrier networks are already IP-based or will soon be; and
    • many TSPs already exchange traffic over IP interconnections.
  2. Given that TSPs will continue to use non-IP-based networks for some time, at least in part, they may wish to explore, even temporarily, non-IP-based solutions that will extend the benefits of STIR/SHAKEN to legacy circuit-switched and other non-IP-based networks, as well as to the associated handsets.

Canadian GA and CA(s)

  1. In Compliance and Enforcement and Telecom Decision 2019-403, the Commission approved the establishment of the Canadian Secure Token Governance Authority (CSTGA) as a GA to support the implementation of the STIR/SHAKEN framework in Canada. The Commission requested that the CSTGA select a PA and one or more CAs.

STIR/SHAKEN standards development

  1. Regarding the concerns TSPs raised about the state of the STIR/SHAKEN standards, the Commission recognizes that not all of the standards are ready for deployment, with some standards still under development and others subject to improvement.
  2. The Commission expects TSPs to (i) collaborate with CISC and the CSTGA on the development of these standards, and (ii) continue to be actively involved in this development and the equipment testing based on these standards to ensure that unique Canadian requirements are incorporated.

Implementation deadline for TSPs

  1. The Commission notes that full deployment of the STIR/SHAKEN framework in the United States is expected to be completed by the end of 2019. The Commission considers that after that time, the key issues noted above that have impeded implementation thus far should have been resolved. These key issues include the availability of compliant vendor platforms, finalization of standards, equipment testing, and the establishment of a certificate issuing authority in Canada.
  2. Accordingly, the Commission expects that Canadian TSPs should be able to begin testing under the STIR/SHAKEN framework by June 2020, in collaboration with CISC and the CSTGA. TSPs should provide an overview of their testing results in their individual progress reports to CISC.
  3. Accordingly, the Commission concludes that TSPs should be able to complete the implementation of the STIR/SHAKEN framework in Canada to authenticate and verify caller ID information for IP-based voice calls by no later than 30 September 2020. TSPs that are not able to meet this deadline should file a submission with the Commission providing an explanation and supporting evidence. The Commission notes that concurrent with this decision, it is issuing a notice of consultation in which it is inviting comments on its proposal to require TSPs to implement the STIR/SHAKEN framework as a condition of offering and providing telecommunications services pursuant to sections 24 and 24.1 of the Telecommunications Act, effective 30 September 2020.

Status reports

  1. The Commission requests that each TSP submit an action plan to it by 24 February 2020 providing the following information:
    • the status of the TSP’s STIR/SHAKEN implementation (e.g. IP migration, equipment readiness, testing, limitations, and other related matters); and
    • the steps that will be undertaken, including a mitigation plan, to address the issues raised in this decision and to ensure that the STIR/SHAKEN framework is effective and fully operational in Canada by 30 September 2020.
  2. Consistent with its determinations set out in CETD 2018-32, the Commission also requests that each TSP submit to CISC by 29 June 2020, a report on their efforts and progress in implementing authentication/verification measures for caller ID. The Commission also requests that CISC submit to it a consolidated industry progress report to it by 28 September 2020.
  3. The TSP and CISC reports are to include the following information:
    • the status of TSPs’ readiness in terms of network changes, if any;
    • the status and results of equipment testing and participation in those tests;
    • statistics identifying the following:
    • the percentage of authentication/verification-enabled trunks used for IP voice traffic out of the total number of voice trunks,
    • the percentage by month of the number of authenticated/verified voice calls out of the total number of voice calls,
    • tracking by level of authentication (i.e. trusted, partial trust, or no trust) for calls delivered to customers; and
    • a mitigation plan to ensure that a STIR/SHAKEN framework will be fully complete and operational in Canada by 30 September 2020.
  4. In addition, the CISC report should include the following:
    • the status of authentication/verification standards and their subordinate standards, as well as any other related standards; and
    • identification of Canadian-specific requirements and the efforts that are being made to incorporate these requirements into the appropriate standards.
  5. Finally, the Commission requests that each TSP submit an implementation report to it by 24 February 2020 providing a short overview of STIR/SHAKEN implementation, including the following information:
    • the status and results of the STIR/SHAKEN implementation;
    • the percentage of authentication/verification-enabled trunks used for IP voice traffic out of the total number of voice trunks;
    • tracking by level of authentication (i.e. trusted, partial trust, or no trust) for calls delivered to customers; and
    • technical and economic limitations.

Secretary General

Related documents

Date modified: