Telecom Secretary General Letter addressed to Diane Dolan (CISC BPWG)
Ottawa, 27 June 2023
Our reference: 8621-C12-01/08
BY E-MAIL
Diane Dolan
Chair, CISC BPWG
ddolan@teksavvy.ca
RE: Extension Request for Telecom Decision 2022-264:Footnote1 Migrations to TLS 1.3 for AS2
Dear Diane Dolan:
In Telecom Decision 2022-264, the Commission approved the CRTC Interconnection Steering Committee Business Process Working Group’s (BPWG’s) consensus Task Identification Form report BPRE096b, and the updated Canadian Data Interchange Guideline, and directed telecommunications service providers (TSPs) to migrate to the use of Transport Layer Security (TLS) 1.3 from 1.2 for exchanging data over Application Statement 2 links by 30 June 2023.
On 12 June 2023, the Commission received a request from the BPWG to allow all service providers to continue operating at the TLS 1.2 level upon mutual agreement with their trading partnersFootnote2 until 30 September 2023.
The BPWG indicated that, while the Commission staff’s letter of 25 May 2023 to certain trading partners that were either not ready to test TLS 1.3 or not responding to scheduling requests did help increase the responses, the 30 June 2023 deadline will not be met by some members of industry.
The BPWG submitted that if one service provider is not ready by 30 June 2023, all industry trading partners will be impacted because the Decision prohibits them from exchanging transactions using TLS 1.2 after that date, even though it would be technically feasible to do so. For example, a service provider may be fully capable of TLS 1.3 but will not be able to port a numberFootnote3 in from another carrier who has not migrated to TLS 1.3, because conducting transactions using TLS 1.2 after 30 June 2023 would not comply with Telecom Decision 2022-264. The TLS 1.3-capable service provider would be harmed because although it would be in compliance with the Decision by fully migrating to TLS 1.3, it could lose a customer from not being able to complete the TLS 1.2 transaction. Further, customer choice would be impaired by compliant TLS 1.3 service providers being unable to interface with non-compliant TLS 1.2 service providers. Similarly, directory updates, settlement of billing and collection charges and selection of an alternate long-distance provider would all have to be suspended if they involve a service provider that has not yet migrated to TLS 1.3.
The BPWG also submitted that mutual agreement to operate at TLS 1.2 level is required between trading partners because some members of the industry will no longer be able to operate at the TLS 1.2 level after TLS 1.3 implementation, while others can operate at both levels. The BPWG indicated that it expected that TLS 1.3 testing in June will be prioritized with those trading partners who will only be able to support TLS 1.3.
In Telecom Decision 2022-264, the Commission indicated that the migration to TLS 1.3 is necessary because the TLS 1.2 standard has been compromised and made obsolete; in comparison, TLS 1.3’s improved encryption and algorithm measures have updated and strengthened its encryption security. Further, that Decision was issued on 26 September 2022 and clearly outlined the timeframes for the migration to TLS 1.3 with the requirement to complete the process by 30 June 2023. However, the Commission recognizes that an extension in these circumstances is necessary to ensure the continued exchange of information as the industry works to complete the widespread migration to TLS 1.3.
Accordingly, the Commission approves the extension and directs TSPs to migrate to the use of TLS 1.3 for exchanging data over AS2 links by 30 September 2023.
While the Commission is granting this extension, the Commission notes the negative impact that failure to transition by a few companies is having on the entire telecommunications system. The Commission encourages TSPs to work actively and diligently with all trading partners to ensure that the migration is completed by 30 September 2023. If companies do not complete the migration by that date, as directed by the Commission, the Commission will explore using all tools available to it, up to and including administrative monetary penalties (AMPs), to ensure that the remaining companies comply with the Commission’s direction.
Yours sincerely,
Original signed by
Claude Doucet
Secretary General
cc: Michel Murray, CRTC, michel.murray@crtc.gc.ca
Christine Brock, CRTC, christine.brock@crtc.gc.ca
Julie Boisvert, CRTC, julie.boisvert@crtc.gc.ca
- Date modified: