Compliance and Enforcement and Telecom Decision CRTC 2021-267

Ottawa, 5 August 2021

Public record: 8638-M75-202008953

Mitel Networks Corporation – Application requesting the Commission to instruct the Canadian Secure Token Governance Authority to allow all telecommunications service providers to receive a STIR/SHAKEN certificate

The Commission determines that the denial of access to secure telephony certificates to all telecommunications service providers (TSPs) that do not have direct access to numbering resources is neither necessary nor appropriate, and that such access should only be denied where there is reason to believe a TSP cannot be trusted to maintain the integrity of the STIR/SHAKEN framework. Accordingly, the Commission expects the Canadian Secure Token Governance Authority to create, in collaboration with currently ineligible TSPs and within 60 days of the date of this decision, eligibility requirements that reflect the Commission’s determinations in this decision.

Introduction

  1. In Compliance and Enforcement and Telecom Decision 2018-32, the Commission determined that telecommunications service providers (TSPs) should implement the STIR/SHAKEN[Footnote 1] framework on the Internet Protocol (IP) voice portion of their networks in an effort to reduce caller identification (caller ID) spoofing. In Compliance and Telecom Decision 2019-402-2, the Commission set the implementation date at 30 June 2021. In Compliance and Enforcement and Telecom Decision 2021-123, the Commission imposed the obligation on all TSPs to implement the STIR/SHAKEN framework as a condition of offering and providing telecommunications services pursuant to sections 24 and 24.1 of the Telecommunications Act (the Act) with an effective date of 30 November 2021.
  2. In Compliance and Enforcement and Telecom Decision 2019-403, the Commission approved the creation of the Canadian Secure Token Governance Authority (CST-GA) as part of the governance framework necessary for the implementation of STIR/SHAKEN. The CST-GA is responsible for managing the secure telephone identity (STI) certificates that TSPs use to digitally sign call authentications. Following the model defined by the Alliance for Telecommunications Industry Solutions (ATIS),[Footnote 2] the governance framework also includes a policy administrator, which is selected by the governance authority and responsible for applying its rules; and a certificate authority (CA), which issues STI certificates.
  3. The CST-GA has established criteria for TSPs to become shareholders of the CST-GA and obtain STI certificates,[Footnote 3] under which only TSPs that have direct access to Canadian numbering resources from the Canadian Numbering Administrator (CNA) [eligible TSPs] have access to STI certificates.
  4. Consequently, TSPs that obtain numbers from a telephone number service provider (TNSP) rather than from the CNA (non-eligible TSPs) cannot perform STIR/SHAKEN authentication of the calls that originate from their networks. Calls originating from non-eligible TSPs would only be authenticated when they reach an eligible TSP, which, because it would not have a direct relationship with the caller, could not assign those calls the highest level of authentication.
  5. As defined by ATIS,[Footnote 4] there are three levels of attestation that can be attributed to calls. With full attestation (level A) the calling party is authenticated and is authorized to use the calling number. With partial attestation (level B) the origin of the call is authenticated, but not the authorization of the caller to use the calling number. With gateway attestation (level C) a TSP can authenticate where on its network it received the call, but cannot authenticate its source. A call originating from a non-eligible TSP would likely only be given level B or level C attestation.
  6. The CST-GA and the Network Working Group of the CRTC Interconnection Steering Committee (CISC) are currently exploring ways to ensure that calls originating from non-eligible TSPs are properly authenticated.
  7. One proposed solution is the delegate certificate standard developed by ATIS.[Footnote 5] With this solution, a non-eligible TSP would be able to obtain a delegate certificate, valid for a specific telephone number, from the TNSP from which it purchased that number.[Footnote 6]

Application

  1. On 21 December 2020, Mitel Networks Corporation (Mitel) filed an application in which it requested the Commission to instruct the CST-GA to allow all TSPs to be able to receive STI certificates directly from the CST-GA.
  2. Mitel is a reseller of telecommunications services and does not have direct access to numbering resources. Consequently, Mitel is not eligible for access to STI certificates.
  3. Mitel noted that the Commission has required all TSPs to implement STIR/SHAKEN, yet the eligibility conditions set by the CST-GA prevent Mitel and other non-eligible TSPs from complying with the condition in an effective manner, or at all, resulting in a less efficient implementation of STIR/SHAKEN.
  4. Regarding the proposed delegate certificate standard, Mitel identified three main problems. First, the standard as currently defined would result in thousands of ever-changing delegate certificates from multiple TNSPs. Second, there is no mandated timeline for the implementation of delegate certificates by TNSPs, so it is unclear how many TNSPs would implement support for delegate certificates, or when they would do so, or at what cost. Third, use of delegate certificates would reduce options for cost effective, high quality and highly available call termination services, because non-eligible TSPs would be required to send all of their originating calls to those carriers that support delegation relationships.
  5. Mitel stated that it understands that the current CA is actively promoting the delegate authority solution as a revenue source for TSPs.
  6. Mitel pointed out that as yet no meaningful work has been done to find alternative solutions, and no standards have been published. As a result, Mitel maintains that non-eligible TSPs will be at a serious competitive disadvantage with eligible TSPs, as they would only have the choice between limited and costly access to delegate certificates or a lower attestation level for calls that originate from their networks.
  7. Mitel submitted that to allow all Canadian TSPs to become members of the CST-GA would improve governance because its decisions would be reflective of the entire industry, and that the inclusion of additional TSPs would spread the cost of governance more evenly.
  8. Mitel noted that the CST-GA’s decision regarding eligibility was likely made in an effort to design a model similar to the model in the United States given the integrated nature of the North American phone network. However, eligibility has been extended in that country, and Mitel sees no reasons why a similar extension should not be granted to Canadian TSPs.
  9. The Commission received interventions from Bell Canada; The Canadian Voice Peering Project; the Competitive Network Operators of Canada; Distributel Communications Limited (Distributel); Internet Society, Canada Chapter (ISCC); a joint intervention from Microsoft Corporation, RingCentral Inc. and 8X8 Inc. (Microsoft et al.); Mr. Marc Nanni; Rogers Communications Canada Inc. (RCCI); Saskatchewan Telecommunications (SaskTel); Shaw Communications Inc. (Shaw); TekSavvy Solutions Inc. (TekSavvy); and TELUS Communications Inc. (TCI).

Should the Commission instruct the CST-GA to allow all TSPs to be able to receive STI certificates directly from the CST-GA?

Positions of parties

Microsoft et al.
  1. Microsoft et al. reiterated Mitel’s arguments, and further noted that the CST-GA has not provided any technical or policy reasons to exclude certain providers. Microsoft et al. explained that, from a technical point of view, nothing prevents non-eligible TSPs from authenticating and signing calls originating on their networks. Microsoft et al. thus consider that denying non-eligible TSPs access to STI certificates violates the principles of competitive neutrality and promotion of competition that underlie both the 2006 and 2019 policy directions.
  2. Based on their experience in the deployment of STIR/SHAKEN in the United States, Microsoft et al. submitted that the removal of the eligibility requirement of direct access to telephone numbers for access to STI certificates in that country has resulted in a framework that is more transparent, participatory and competitive, because different types of TSPs are allowed to participate in governance activities.
  3. Microsoft et al. proposed that access to STI certificates should be extended to TSPs who (i) are registered with the Commission as authorized providers of local voice services; (ii) are licensed by the Commission to provide basic international telecommunications services that originate in or terminate in Canada; and (iii) assign telephone numbers to subscribers in Canada, whether obtained directly or through intermediaries.
ISCC
  1. Concerning fair competition, ISCC noted that TSPs terminating calls might treat calls that originate from non-eligible TSPs more suspiciously than calls from eligible TSPs because they would have only level B or level C attestation. ISCC considers that there is a risk that this situation may motivate customers to move their business to a TSP that can provide level A attestation, resulting in a two-tiered telecommunications system in Canada, with TSPs that can authenticate calls and TSPs that cannot.
  2. ISCC noted that, because smaller TSPs are generally interconnected via IP to upstream carriers, they are in the best position to implement the STIR/SHAKEN framework, and yet the CST-GA certificate issuance policy excludes them from that process.
TekSavvy
  1. TekSavvy, an eligible TSP, supported Mitel’s application, indicating that the delegate certificate solution is insufficient to address the concerns of voice service resellers.
TCI and SaskTel
  1. TCI did not object to the proposal that TSPs without direct access to telephone numbers should have access to STI certificates, but considered that additional Commission scrutiny of any TSP with such access is required in order to prevent abuse of STIR/SHAKEN. TCI considered that a caller’s TSP is in the best position to attest to the validity of the caller ID transmitted and must be accountable for the attestation provided, and that the delegate certificate solution has shortcomings in this regard. It submitted that, for STIR/SHAKEN to achieve its potential, all TSPs must be accountable for their own certifications and no TSP should be expected to certify calls on behalf of another. In this respect, TCI agreed with Mitel that TSPs should be able to obtain their own certificates, subject to conditions that would ensure the integrity of the system.
  2. However, TCI strongly objected to the suggestion that the CST-GA is acting out of self-interest. It stated that the limited initial membership was a reflection of the need to make decisions quickly, even though a broader membership would have spread the financial burden to others.
  3. SaskTel saw some merit in Mitel’s application, but requested that it be put in abeyance at this time and suggested that the Commission direct parties to resolve outstanding matters such as governance, operating requirements, standards, and the penalties, enforcement mechanisms and consequences for allowing unverified traffic.
  4. Neither TCI nor SaskTel were opposed to the non-eligible TSPs having access to STI certificates at some point, but submitted that this access should be provided in the context of their participation in the overall framework for STIR/SHAKEN implementation and operations, which has yet to be developed by the CST-GA and approved by the Commission.
Shaw, Bell Canada and RCCI
  1. Shaw, Bell Canada and RCCI opposed Mitel’s application. All those TSPs that did not support Mitel’s request (the opposing TSPs) invoked substantially the same arguments to support their positions.
  2. The opposing TSPs submitted that Mitel’s application is premature, and invited Mitel instead to participate more actively in the STIR/SHAKEN development process. They, like Mitel, pointed out that the standards, mechanisms and policies for the integration of non-eligible TSPs are under elaboration, but they considered this a normal part of the development of the STIR/SHAKEN framework. They submitted that granting Mitel’s request would impair the CST-GA’s ability to establish an appropriate framework and would disrupt the orderly development of STIR/SHAKEN. They stated that efforts should be concentrated toward the establishment of a sound foundation on which additional capabilities can be built, such as granting resellers direct access to STI certificates.
  3. The opposing TSPs insisted that a proper process for the integration of all types of TSPs in the STIR/SHAKEN framework is essential. For the STIR/SHAKEN framework to achieve its objectives, only entities that can be trusted to adhere to the STIR/SHAKEN rules and guidelines should be authorized to authenticate calls.
  4. RCCI, together with TCI, noted the risk of abuse of the STIR/SHAKEN system by ineligible TSPs. While it did not oppose the application, TCI noted that some TSPs might have an incentive to provide level A attestation even when they cannot verify that the caller has a right to use the caller ID presented, because customers may otherwise fear that their calls will not be answered, and that this would pose a serious risk to the integrity of the STIR/SHAKEN framework. Both TCI and RCCI argued that such risk of abuse could come from ineligible TSPs, and that a TSP that abused the system in this manner could easily reappear under a new name. They maintained that such a risk is serious, particularly in an environment in which virtual cloud-based networks can be operated by TSPs that have no physical assets in Canada, in contrast to currently eligible TSPs that cannot easily change their identities to avoid accountability.
  5. RCCI noted the Commission’s observation, in Compliance and Enforcement and Telecom Decision 2018-32, that spoofed calls originate primarily from Voice over Internet Protocol (VoIP) services. RCCI noted that the entire industry must deploy STIR/SHAKEN to disrupt such calls, and that relaxing the eligibility criteria would undermine the security of STIR/SHAKEN, which is intended to restore Canadians’ trust in caller ID information, because scammers would then have the capability of flooding the Canadian public switched telephone network with nuisance or fraudulent calls that have spoofed telephone numbers with STIR/SHAKEN attestation.
  6. The opposing TSPs were of the opinion that Mitel exaggerated the harm that the present access policy would cause to non-eligible TSPs. They explained that, when STIR/SHAKEN is initially deployed, only a small portion of calls, including those that originate from TSPs with access to STI certificates, will receive level A attestation, and only a small number of customers’ phones will be able to display STIR/SHAKEN information.
  7. With regard to Mitel’s concerns about the availability and cost of delegate certificates, Shaw submitted that, given the large number of TSPs without direct access to telephone numbers, the industry will not ignore their needs. RCCI added that there will be ample competition among delegate certificate providers to ensure affordable prices. RCCI and Shaw also pointed out that eligible TSPs have already made significant investments in the implementation of STIR/SHAKEN, and that all TSPs should expect to incur some of the associated costs, for instance through the acquisition and administration of delegate certificates.
  8. RCCI suggested that Mitel could take the steps to qualify as a competitive local exchange carrier (CLEC), which would in turn qualify it to receive STI certificates.
Distributel
  1. Distributel did not take a position on Mitel’s application, but asked that the Commission issue its determination as quickly as possible given that it will impact the manner in which TSPs implement STIR/SHAKEN.

Mitel’s reply

  1. Mitel objected to RCCI’s suggestion that to allow TSPs without Canadian facilities to have direct access to STI certificates would defeat STIR/SHAKEN security measures. Mitel noted that any TSP that gives improper attestations can have its certificate revoked or be otherwise sanctioned; moreover, it is just as possible for a large carrier to improperly certify calls as it is for a local VoIP provider. Furthermore, Mitel noted that several non-eligible TSPs would have far greater market capitalization and business revenues at stake if they break Commission rules than many of the eligible TSPs.
  2. Mitel further submitted that to judge the reliability or trustworthiness of a TSP based on the type of service it provides, as RCCI suggested, is inappropriate. Mitel agreed with TCI that the more TSPs there are that participate directly in STIR/SHAKEN, the better it will work. More participation will facilitate the tracing of calls when there is malicious behavior; exclusionary policies will increase the likelihood of nuisance calls, which will weaken the public’s faith in the system.
  3. Mitel submitted that it is not opposed to the imposition of conditions on TSPs’ direct participation in STIR/SHAKEN provided that such conditions are applied equally to all TSPs. Mitel supported the three conditions for direct participation that were proposed by Microsoft et al.
  4. Mitel rejected RCCI’s suggestion that, because Mitel has the option to become a CLEC and thereby gain access to STI certificates, a Commission determination is not needed.
  5. Mitel also rejected the argument by opposing TSPs that the application is premature. It stated that it has tried to discuss the matter with the CST-GA and exchanged correspondence to no avail. Further, to wait until the CST-GA has crafted new policies would be prejudicial to non-eligible TSPs.

Commission’s analysis and determinations

  1. The Commission notes that, given the unsuccessful attempts by Mitel and others to resolve the matter through discussion with the CISC and the CST-GA, it appears unlikely that the industry will agree upon a solution. Given the high level of co-operation within the industry required for the successful deployment of STIR/SHAKEN, the Commission considers that it would be prudent to provide some guidance and facilitate a timely resolution of the matter.
  2. The Commission notes that there is an incentive for all TSPs to work toward the deployment of delegate certificates, or an alternative solution, because local exchange carriers will need to authenticate outgoing calls from entities such as businesses and large organizations. However, unless the Commission provides specific guidance to the industry regarding the development of solutions that include non-eligible TSPs, it is unlikely that such solutions will be mature enough to ensure competitive fairness by the time they are needed.
  3. The Commission considers that the CST-GA policy for access to STI certificates may result in some constraints for non-eligible TSPs in complying with the Commission’s requirement for all TSPs to implement STIR/SHAKEN, notwithstanding that TSPs are not all required to operationalize STIR/SHAKEN in the same manner. However, alternative options for implementing STIR/SHAKEN without direct access to certificates may have important limitations; they are not yet available, and their costs are unknown. In any event, the Commission considers that a policy that precludes an entire category of TSPs from direct access to STI certificates, based solely on the type of TSP, could result in a competitive advantage for those TSPs that do not have such access. The Commission notes that the CST-GA has not provided a justification for its access policy.
  4. With regard to the observation that spoofed calls originate primarily from VoIP services,[Footnote 7] and the fact that many of the non-eligible TSPs are offering such services, the Commission finds that it is not appropriate to judge the reliability or trustworthiness of a TSP based on the type of service or technology it provides.
  5. No matter the origin of spoofed calls, the Commission is of the opinion that any size or type of TSP could improperly certify calls. Furthermore, because spoofing is most common on IP voice networks, STIR/SHAKEN was developed to address that issue and in fact applies only to IP calls. The Commission notes that enabling all TSPs to authenticate calls with an STI certificate would make the caller’s TSP directly accountable for attestation.
  6. In addition, the Commission notes that the small number of IP voice trunks and interconnections currently found in Canadian telecommunications networks serve as a significant obstacle to an effective STIR/SHAKEN deployment. As such, the provision of access to STI certificates for TSPs that can generate IP-based traffic on the voice network would be beneficial to STIR/SHAKEN deployment, as long as TSPs maintain the integrity of the STIR/SHAKEN framework.
  7. Regarding comparisons between the deployment of STIR/SHAKEN in the United States and in Canada, the Commission considers that, although the comparison may be informative, it is not directly applicable given the different regulatory frameworks in the two countries.
  8. The Commission considers that the current CST-GA eligibility requirements for access to STI certificates could result in a competitive advantage to TSPs that have direct access to numbering resources from the CNA, and a corresponding competitive disadvantage to TSPs without such access, which has not been justified on the record of this proceeding.
  9. Nevertheless, the Commission considers that eligibility requirements for access to STI certificates could be appropriate, to the extent that they are (i) necessary to maintain the integrity of the STIR/SHAKEN framework, and (ii) specifically crafted to achieve that objective. However, considering the lack of information specific to that issue on the record of this proceeding, the Commission is not in a position to address any such criteria at present.
  10. The Commission considers that the ability to fully authenticate outgoing calls will become a competitive necessity when the treatment of authenticated calls, e.g., through display and filtering, is more advanced and widely available. However, because the implementation of STIR/SHAKEN is still in its early stages, the Commission considers that there is no urgency to extend access to STI certificates to all TSPs as of the date of this decision. Accordingly, the Commission considers that it would be appropriate to allow 60 days for the development of eligibility requirements that would allow all TSPs to obtain access to STI certificates, except in circumstances where it is reasonable to believe that the TSP cannot be trusted to maintain the integrity of the STIR/SHAKEN framework.

Conclusion

  1. In light of all of the above, the Commission concludes that the current policy of excluding all TSPs that do not have direct access to numbering resources from access to STI certificates is neither necessary nor appropriate. Any eligibility requirements for access to STI certificates must be specifically tailored so that access to STI certificates would only be denied where it is reasonable to believe that the TSP cannot be trusted to maintain the integrity of the STIR/SHAKEN framework.
  2. Furthermore, the Commission expects the CST-GA
    1. to develop, within 60 days, eligibility requirements that prevent access to STI certificates only for those TSPs that cannot be trusted to maintain the integrity of the STIR/SHAKEN framework; and
    2. to collaborate with non-eligible TSPs in the development of new eligibility criteria for access to STI certificates.

Policy Directions

  1. The 2006 Policy Direction[Footnote 8] states that the Commission, in exercising its powers and performing its duties under the Act, shall implement the policy objectives set out in section 7 of the Act in accordance with the considerations set out therein. The 2019 Policy Direction[Footnote 9] states that the Commission should specify how its decisions can, as applicable, promote competition, affordability, consumer interests, and innovation.
  2. The Commission considers that its determinations in the present decision, namely that the current eligibility requirements for TSPs to obtain access to STI certificates are not appropriate, and that any such eligibility requirements must be specifically tailored to exclude only those TSPs that cannot be trusted to maintain the integrity of the STIR/SHAKEN framework, will ensure a competitively neutral deployment of the STIR/SHAKEN framework and thus promote competition. Further, the Commission’s decision will promote consumer interests, because it will ensure a more efficient and effective deployment of the STIR/SHAKEN framework for the protection of Canadians from the harms of nuisance calls. Accordingly, the Commission considers that its decision advances the policy objectives set out in paragraphs 7(a), (c), (f), (g), (h), and (i) of the Act.[Footnote 10]

Secretary General