Nathan:
Thanks for sharing your thinking and a specific example. I can't speak for the FCC or the ITG (obviously) and they probably won't weigh in here. But, as Mary has done, I can share what I hope is a reasonably accurate perspective.

I hope, Nathan, that the key is your statement: "But sans any violations to look into...how would they know?" And, I would add, why would they care? If the group you describe isn't a bunch of trouble-makers, then surely there are other fish to fry when it comes to compliance issues. Let's put our focus on the ones that are actually wreaking havoc.

I hadn't heard of Atheral before, but I see that they have a SHAKEN token per iconectiv, so they can sign calls. They list several customers on their web page; I spot checked those and the ones I searched do NOT have tokens but ARE registered in the Robocall Mitigation Database. I did see that a couple of them had very nicely written Robocall Mitigation Plans (Zirkel, for example, with Vistabeam in second place) that explained exactly how they work with Atheral in terms of getting calls signed.

We could debate (and in fact, we are debating at the FCC) whether, for example, it's OK for Atheral to sign calls with Atheral's token on behalf of Zirkel. We might argue that Zirkel is the one with the direct authenticated relationship with their customer, so it should be a Zirkel signature on those calls. Or you can make a semantic argument that Atheral is the "Originating Voice Service Provider" and that it is through their agent Zirkel that they have the customer relationship. Zirkel explains how they validate the phone numbers that their customers use, and pass that information on to Atheral for proper attestation. It all appears to be on the up-and-up.

Atheral has to understand that by putting the Atheral signature on calls coming via Zirkel and others, Atheral is putting its own reputation on the line. So Atheral is presumably motivated to ensure everybody plays nice, which they probably do at least in part via their contractual agreements.

To my knowledge, the ITG does not "block traffic" or enforce rules about tokens. The ITG is in the business of traceback, and it makes the information it gathers through that process available, selectively, to others that can then act on it. That includes not just government enforcers but, for example, others in the call chain. If a particular provider is involved in a traceback, they get visibility to whether their upstream is responding to that traceback. If not, or if that upstream failed to sign a call when they should have, then the downstream provider can initiate action on its own with respect to that upstream.

Back to Atheral -- our RRAPTOR robocall surveillance platform has never captured a problematic call with an Atheral signature. That doesn't mean we know for certain that no "bad" robocalls flow via Atheral, but it's probably safe to say that at the moment, Atheral and its customers aren't a cause of great concern.

Lastly, thanks Nathan for the nice words about our test tool.

David Frankel
ZipDXR LLC
St. George, UT USA

-----Original Message-----
From: VoiceOps <voiceops-boun...@voiceops.org> On Behalf Of Nathan Anderson via VoiceOps
Sent: Wednesday, July 12, 2023 4:21 PM
To: 'Voice Ops' <voiceops@voiceops.org>
Subject: Re: [VoiceOps] Update on STIR/SHAKEN

Personally, I'm quite curious to know how the ITG would even be identifying these companies as being distinct from the wholesaler, at least without a traceback request for an actual violation, where the investigation (that the wholesaler would likely be not only cooperative with but actively involved in) eventually revealed that all of the violations were originating from one particular customer of theirs. But sans any violations to look into...how would they know?

In particular, when asking these questions, what I specifically have in mind are wholesalers not like VI/Sangoma et al., but more like e.g. https://atheral.com/, which carries traffic for a bunch of smaller regional ISPs that want to offer VoIP but don't want any of the headaches associated with doing so. So most of them I presume literally own no infrastructure of their own...no softswitch, no SBC, no nothing. They might be 499 filers, but that's likely the extent of their direct regulatory involvement.

I believe Daniel might be hanging around on this list, so perhaps he can shed some light on how they have been advised to approach this (whether they are signing all calls with their own SHAKEN cert/key, or whether they can host SHAKEN certs owned by their customers and sign the end-users of that customer's calls with that customer's own cert, or a mix of both).

--
Nathan

-----Original Message-----
From: VoiceOps [mailto:voiceops-boun...@voiceops.org] On Behalf Of Mary Lou Carey via VoiceOps
Sent: Wednesday, July 12, 2023 1:29 PM
To: voiceops@voiceops.org
Subject: [VoiceOps] Update on STIR/SHAKEN

I spoke with my FCC contact today and was told to read the last order issued in March so his response wasn't crystal clear. He said the FCC is still in the process of deciding which types of companies can sign with a third-party vendor's token and which ones can't.

I told him my concern is that the ITG is going to start blocking traffic in August and companies won't know that they aren't compliant because their wholesale provider told them they were fine. I specifically asked, "If the ITG decides a company should have had its own token, will you give them time to get one?" He said they have a process for handling these issues, but he didn't come out and say "Yes" so here's what I would suggest since the process can sometimes take longer than the 30 days they give you to comply.

If you are using a third-party provider who's signing with their token, at least complete the preliminary steps to qualify for your own STIR/SHAKEN token. That way if they do come to you and tell you that you need to get it on a moment's notice, you won't be fighting the clock so much. The pre-requisites for filing with the STI-PA to become an approved carrier are:

1. Order your own OCN (aka company code from NECA). IPES is the correct type for all VOIP carriers.
2. Have your 499 up to date and fees paid. If you've never filed a 499A yet, get your 499 filer ID and submit your first 499-A. (All carriers delivering long-distance traffic in the US should have already completed this step anyways).
3. Robocall Mitigation Plan filed.

There are multiple companies helping carriers get their STIR/SHAKEN certificate, so it doesn't matter if you use my services or anyone else's. I just want to make sure everyone is aware of what they need to do to make sure their traffic doesn't get blocked because that's a lot harder to fix than getting a certificate/token is!

MARY LOU CAREY
BackUP Telecom Consulting
Office: 615-791-9969
Cell: 615-796-1111
_______________________________________________
VoiceOps mailing list
VoiceOps@voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops