Compliance and Enforcement and Telecom Decision CRTC 2019-403
Ottawa, 9 December 2019
Public record: 8665-C12-201507576
Establishment of the Canadian Secure Token Governance Authority
The Commission approves the establishment of the Canadian Secure Token Governance Authority (CSTGA) as Governance Authority as part of the deployment of the STIR [Secure Telephony Identity Revisited]/SHAKEN [Signature-based Handling of Asserted information using toKENs] framework in Canada. The Commission requests that the CSTGA submit to it a progress report every six months as of the date of this decision until the STIR/SHAKEN framework is fully implemented in Canada.
The Commission expects (i) a Policy Administrator and one or more Certificate Authorities to be established to ensure the successful and effective deployment of STIR/SHAKEN in Canada; (ii) the CSTGA to participate in CRTC Interconnection Steering Committee (CISC) discussions regarding STIR/SHAKEN deployment; and (iii) close collaboration between the CSTGA and telecommunications service providers.
- In Compliance and Enforcement and Telecom Decision 2018-32 (CETD 2018-32), the Commission examined measures to reduce caller identification (ID) spoofingFootnote 1 and determine the origins of nuisance calls.Footnote 2 The Commission, among other things, determined that authentication and verification of caller ID information for Internet Protocol (IP)-based voice calls should be implemented by Canadian telecommunications service providers (TSPs), by no later than 31 March 2019, to empower Canadians to better protect themselves against nuisance calls.
- The Commission also noted that the Internet Engineering Task Force (IETF)Footnote 3 has developed a technical standard, referred to as STIR [Secure Telephony Identity Revisited], which would provide a means for call-originating TSPs to certify the identity of callers, thus enabling the caller’s identity to be validated. In conjunction with STIR, the Alliance for Telecommunications Industry Solutions (ATIS)Footnote 4 has developed a framework, referred to as SHAKEN [Signature-based Handling of Asserted information using toKENs] (see ATIS-1000080), for the implementation of STIR in IP-based service providers’ networks.
- Under the STIR/SHAKEN framework, TSPs certify the extent to which a given caller’s identity can be trusted. This information is transmitted using “tokens” and is used by the called party, or their TSP, to verify the authenticity of the caller ID (i.e. to determine the extent to which the caller ID can be trusted). This process is dependent upon one or more Certificate Authorities (CAs) administering and issuing certificates to TSPs.
- To ensure the effective use of these certificates, the STIR/SHAKEN framework is managed by the following authorities:
- a Governance Authority (GA), which will ensure the integrity of the issuance, management, security, and use of certificates issued in compliance with the SHAKEN specification;
- a Policy Administrator (PA), which is selected by the GA and is responsible for applying the rules defined by the GA, including ensuring that CAs implement appropriate certificate management practices and that certificates are issued only to authorized TSPs. The PA is the administrator and primary trust anchor of the system; and
- CAs, which issue certificates to validated TSPs.
- In September 2018, ATIS announced the formal launch in the United States of the Secure Telephone Identity Governance Authority (STI-GA), which monitors deployment progress and operational experience in the SHAKEN ecosystem, identifies emerging issues, and analyzes these issues so that STIR/SHAKEN remains effective at mitigating unwanted robocalls. The STI-GA also selects the PA (the STI-PA): on 30 May 2019, iconectiv was announced as the United States STI-PA.
- In CETD 2018-32, the Commission noted that the Canadian telecommunications industry has successfully established consortia and other governing bodies to accomplish similar goals, and that the industry is therefore well placed to establish a Canadian Certificate Administrator (CCA) that would issue and administer certificates for the authentication and verification of IP-based voice calls in support of STIR/SHAKEN. The Commission stated that it expected a CCA to be established by 31 March 2019.
Establishment of the CSGTA
- Bell Canada; Bragg Communications Incorporated, carrying on business as Eastlink; Rogers Communications Canada Inc.; Saskatchewan Telecommunications; Shaw Communications Inc.; TELUS Communications Inc.; and Videotron Ltd. (collectively, the Founders), together with the Canadian LNP Consortium Inc. (CLNPC)Footnote 5 and an international law firm, filed in confidence a proposal, dated 18 April 2019 (they subsequently filed an abridged version dated 10 May 2019), to establish the Canadian Secure Token Governance Authority (CSTGA) as the proposed GA under the STIR/SHAKEN framework in Canada.
- In the proposal, the CLNPC indicated that certain telecommunications carriers that are shareholders in the CLNPC asked CLNPC management to assess whether it would be appropriate for the CLNPC to assume the role of CCA on behalf of the industry. CLNPC management concluded that for the reasons listed below, the CLNPC should take the necessary steps to become the CCA:
- CLNPC shareholders represent all incumbent local exchange carriers (ILECs), competitive local exchange carriers (CLECs), and wireless service providers (WSPs) in Canada.
- The CLNPC has the management experience and expertise to support the carriers in the establishment and management of the CCA.
- The CCA would benefit from sharing resources with the CLNPC, which would permit the carriers to implement the CCA in a cost-effective manner.
- The CLNPC indicated the following milestones:
- In August 2018, the Founders proposed to incorporate the CCA as a separate entity, 10849448 Canada Inc. (10849448) with the CLNPC, through a Shared Services Agreement (SSA).
- In October 2018, 10849448 invited parties interested in the establishment of the CCA to an online meeting to provide information and seek input. 10849448 subsequently filed a progress report with Commission staff.
- In their December 2018 response, Commission staff noted the wide industry acceptance of the CLNPC’s efforts to support STIR/SHAKEN and requested that 10849448 provide the legal documents establishing the GA and an explanation of how the functions of PA and CA will be performed.
- In February 2019, 10849448 filed an amendment to its articles of incorporation renaming the corporation “CSTGA” to better reflect the nature of its business.
- The CLNPC indicated that CSTGA management have closely followed and reviewed all the documentation available regarding the establishment of a governance model in Canada similar to that in the United States. The CLNPC clarified that the CSTGA has established a working relationship with the United States STI-GA and has become a member of ATIS in order to fully participate in the ongoing development of STIR/SHAKEN standards.
- The CLNPC added that representatives of the Founders, with the support of outside expertise, have reviewed the ATIS documentation and developed a Canadian Technical Requirements Document. They have also developed a vendor selection checklist to take on the roles of PA and CA(s), and have begun documenting additional future requirements.
- The CLNPC noted that in CRTC Interconnection Steering Committee (CISC) Network Working Group (NTWG) Report NTRE0065, many carriers identified a lack of governance framework and clarity on which TSPs would obtain certificates and authenticate calls, preventing them from fully implementing a call authentication scheme.
Actual and projected costs
- The CLNPC explained that the Founders contributed to a start-up fund of $250,000, on the basis of their respective total network access services (NAS) and mobile wireless service subscribers. Expenses have included costs for legal, management, technical, and administrative support. Start-up funds are exhausted and there will be a small deficit as of 30 April 2019.
- The CLNPC added that projected costs are based solely on the CSTGA’s best efforts to project requirements and related costs. Further, these projections are exclusive of any funding required to support the services delivered by the PA and/or the CA(s), as well as any funding that has been or will be required to support individual carriers’ networks. The CSTGA estimated that approximately $480,000 will be required to implement the vendors in their roles and that annual operating expenses will be approximately $325,000 post implementation.
Unanimous Shareholders Agreement
- The CLNPC attached a confidential version of the draft Unanimous Shareholders Agreement to the proposal. The Founders agreed on the following:
- Shareholders will be ILECs, CLECs, and WSPs that are registered with the Commission and in compliance with Commission regulations.
- The ongoing business of the CSTGA will be funded through an Administrative Services Agreement.
- Funding will be allocated on the basis of total NAS and mobile wireless service subscribers as reported in the Commission’s annual Data Collection Survey.
- The Founders questioned whether shareholders should be required and/or directed by the Commission to participate in the regime, or have the option to participate.
Commission’s analysis and determinations
- The Commission considers that the establishment of a GA is necessary for the effective and successful deployment of the STIR/SHAKEN framework in Canada. A Canadian GA will identify emerging issues and initiate analysis of these issues so that the STIR/SHAKEN framework remains effective at mitigating unwanted calls.
- The CLNPC is the only entity that took initiative and submitted a proposal to the Commission to take action towards fulfilling the role of CCA, as the Commission requested in CETD 2018-32. As well, no party filed any objection to the CLNPC’s proposal.
- The Commission considers that the CLNPC’s efforts are a positive step towards establishing a system for consumers and businesses to obtain accurate information about the origins of the nuisance calls they receive. The Commission also notes the wide industry acceptance of the CLNPC’s efforts taken to date.
- The CSTGA represents the carriers, whose customers consist of the vast majority of Canadian consumers, and its shareholders represent ILECs, CLECs, and WSPs in Canada. As well, the CLNPC has the management experience and expertise to provide support to the carriers in the establishment and management of the CCA. As a result, the CCA would benefit from sharing resources with the CLNPC, enabling the carriers to implement the CCA in a cost-effective manner.
- Accordingly, the Commission approves the CSTGA’s role as the GA in Canada.
Selection of a PA and one or more CAs
- The GA should select a PA, which will be responsible for applying the rules defined by the GA, and one or more CAs, which will be responsible for implementing appropriate certificate management practices and issuing certificates only to authorized TSPs. The Commission considers that the CSTGA is on track to select these entities in the coming months.
- In CETD 2018-32, the Commission determined that the telecommunications industry should establish a CCA. Accordingly, the CSTGA should involve Canadian TSPs in its activities and share its work plan with TSPs to efficiently implement the STIR/SHAKEN framework in Canada.
Collaboration between the CSTGA and CISC
- The Commission considers that collaboration between the CSTGA and the NTWG will help both entities address issues related to STIR/SHAKEN deployment and certification. The Commission therefore expects the CSTGA to participate in CISC discussions regarding the deployment of the STIR/SHAKEN framework in Canada and to address any issues related to certification. The Commission also expects Canadian TSPs to collaborate with the CSTGA to accelerate the deployment of the STIR/SHAKEN framework in Canada.
- The Commission considers that regular funding from the telecommunications industry is essential to enable the CSTGA to provide efficient certification services to Canadian TSPs over the long term, and to allow for the effective deployment of STIR/SHAKEN.
- In light of all the above, the Commission approves the establishment of the CSTGA as GA and requests that the CSTGA submit a progress report every six months, as of the date of this decision, until the STIR/SHAKEN framework is fully implemented in Canada. The report should provide an update on the following matters:
- the selection results of a PA and one or more CAs;
- an overview of the activities of the GA, the PA, the CA(s), and the overall certification process to ensure the long-term viability of the STIR/SHAKEN framework; and
- identification of issues and how these issues are being resolved within the appropriate industry forums (e.g. the NTWG or ATIS).
- The Commission also expects the following:
- a PA and one or more CAs to be established to ensure the successful and effective deployment of STIR/SHAKEN in Canada;
- the CSTGA to participate in CISC discussions regarding STIR/SHAKEN deployment and to address any issues related to certification to ensure a full STIR/SHAKEN implementation in Canada by 30 September 2020, as the Commission determined in Compliance and Enforcement and Telecom Decision 2019-402; and
- close collaboration between the CSTGA and TSPs.
- CISC Network Working Group – Status of implementation by telecommunications service providers of authentication/verification measures for caller identification, Compliance and Enforcement and Telecom Decision 2019-402, 9 December 2019
- Measures to reduce caller identification spoofing and to determine the origins of nuisance calls, Compliance and Enforcement and Telecom Decision CRTC 2018-32, 25 January 2018; as amended by Compliance and Enforcement and Telecom Decisions CRTC 2018-32-1, 24 October 2018; and 2018-32-2, 18 December 2018
- Date modified: