Skip to content
Stopping Illegal Robocalls Where They Start

Attestation Inflation – The ABC’s of Signing Calls

Virtually all VoIP call originators are now REQUIRED to sign their calls — see our earlier post about this mandate. Despite this, some intermediate providers are not requiring their upstreams to properly sign their calls (or insisting on a thorough explanation of why they are sending calls unsigned). So the intermediate is signing calls – either on behalf of their upstream service provider customers, or because they are anticipating regulations that will mandate signing of otherwise-unsigned calls.

We’ve observed several intermediate providers – including some of the biggest – that are signing calls with B-level attestation when the rules dictate that C is correct.

Let’s look at two references:

The FCC’s First Report and Order (FCC-20-42A1) says at paragraph 8:

The STIR/SHAKEN framework relies on the originating voice service provider attesting to the subscriber’s identity. The SHAKEN specification allows an originating voice service provider to provide different “levels” of attestation. Specifically, the voice service provider can indicate that (i) it can confirm the identity of the subscriber making the call, and that the subscriber is using its associated telephone number (“full” or “A” attestation); (ii) it can confirm the identity of the subscriber but not the telephone number (“partial” or “B” attestation); or merely that (iii) it is the point of entry to the IP network for a call that originated elsewhere, such as a call that originated abroad or on a domestic network that is not STIR/SHAKEN-enabled (“gateway” or “C” attestation).

Key is the reference to SUBSCRIBER. This is the end-user (NOT a service provider) that initiated the call. If you, the provider signing the call, do not know the IDENTITY OF THE SUBSCRIBER, you cannot sign with B- (or A-) level attestation. C is the correct attestation.

ATIS published A Framework For SHAKEN Attestation and Origination Identifier (ATIS-1000088) that also spells it out on page 5:

A. Full Attestation: The signing provider shall satisfy all of the following conditions:

  • Is responsible for the origination of the call onto the IP-based service provider voice network.
  • Has a direct authenticated relationship with the customer and can identify the customer.
  • Has established a verified association with the telephone number used for the call.

B. Partial Attestation: The signing provider shall satisfy all of the following conditions:

  • Is responsible for the origination of the call onto the IP-based service provider voice network.
  • Has a direct authenticated relationship with the customer and can identify the customer.
  • Has NOT established a verified association with the telephone number being used for the call.

C. Gateway Attestation: The signing provider shall satisfy all of the following conditions:

  • Has no relationship with the initiator of the call (e.g., international gateways).

Consistent with the FCC, ATIS explains that A and B are reserved for the provider ORIGINATING the call. C is used when the signer has no relationship with the initiator (subscriber) of the call.

Inflating the attestation level from C to B is not compliant with these FCC and ATIS mandates. It could subject the signer to additional liability as it can indicate that the signer is the ORIGINATING PROVIDER, a role that carries specific responsibilities.

The Call Authentication Framework has the best chances of success when everybody plays by the rules.

Comments (0)

Leave a Reply