SHAKEN (Signature-based Handling of Asserted information using toKENs) is a specification framework designed to mitigate illegal robocalls by reducing the impact of illegal Caller ID spoofing. It combines a trusted Caller ID authentication process along with the introduction of an automated traceback capability. Together, they will be used to verify the accuracy of the calling number information in order to help identify and stop the illegal calls and spoofing.
The Secure Telephone Identity Governance Authority (STI-GA), which operates under the auspices of ATIS, plays a critical role in helping the industry mitigate the problem of illegal robocalling. Working with the IETF's STIR (Secure Telephone Identity Revisited) protocol, the joint ATIS/SIP Forum Signature-based Handling of Asserted information using toKENs (SHAKEN) specification offers a practical mechanism for authenticating calls. Verifying the right of the calling party to use the telephone number displayed by attaching a "digital signature" will help restore consumer confidence, increasing trust in the caller ID. ATIS is managing the STI-GA, defining the rules governing the certificate management infrastructure to ensure effective use and security of SHAKEN certificates.
iconectiv has been selected by the Secure Telephone Identity Governance Authority (STI-GA) to serve as policy administrator. In this role, iconectiv will be applying and enforcing the rules defined for the SHAKEN framework. These rules specify a practical mechanism for service providers to authenticate calls and let consumers know that the telephone number displayed on the caller ID is authenticated. As the policy administrator, iconectiv will confirm which service providers are authorized to request certificates, validate which ones are revoked and review and approve Certification Authorities to issue them.
As policy administrator, iconectiv works with the Service Providers and STI-Certification Authorities (CAs) to verify, confirm, manage and support the issuance of digital certificates for use in the SHAKEN framework. Specifically, iconectiv manages an active, secure list of approved Certification Authorities that is available to service providers via a REST interface query. The SHAKEN Secure Telephone Identity Verification Service (STI-VS) can then use this list to validate that a call was signed by a Service Provider using an STI certificate from an approved Certification Authority. iconectiv will also be maintaining Service Provider Code tokens, which represent the credentials and validation of service providers. Service Providers will then use this token when requesting issuance of STI certificates from an approved Certification Authority.
This Certificate Policy (CP) includes the practices and policies that Certification Authorities must follow in order to be approved by the policy administrator to serve as a trusted Certification Authority in the United States. You can review the full policy on the Documents page.
The Policy Management Authority (PMA) is responsible for ensuring timely review of the submitted Certificate Practice Statements and for notifying the Policy Administrator when a new Certification Authority has been approved. The PMA is comprised of industry stakeholders, including members of the Secure Telephone Identity Governance Authority Technical Committee.
It is expected that this framework will be operational by the end of 2019.
The Support Team can be reached Monday through Friday from 8:00 a.m. to 6:00 p.m. ET at 1-800-458-4826 or by emailing firstname.lastname@example.org.
Yes, ATIS has several webinars available including “The SHAKEN Governance Model: Setting Robocall Mitigation Protocols into Action in the Networks,” and “SHAKEN 101: Mitigating Illegal Robocalling and Caller ID Scams” both of which can be viewed here.
It is recommended that you first read the Service Provider Guidelines. You can then fill out the Registration Form on the Service Provider Get Started page. Once that is received and processed, an account will be created. You will then be requested to submit a signed User Agreement along with your billing information. Once approved, service providers can access the token via a REST interface query.
Yes, you can view the current list of Authorized Service Providers here.
It is recommended that you first read the Certification Authority Guidelines. You can then fill out the Registration Form on the Certification Authority page. Once that is received and processed, submit a Certificate Practice Statement for review and approval by the Policy Management Authority (PMA). Once approved, you will be requested to submit a signed User Agreement along with your Root Certificate and billing information.
A Certificate Practice Statement must be submitted by any company interested in becoming a Certification Authority. It includes information on the practices that a certification authority will employ in issuing, managing, revoking, and renewing or re-keying certificates.
Some guidance on commonly used acronyms:
- ATIS: Alliance for Telecommunications Industry Solutions
- CA: Certification Authority
- CP: Certificate Policy
- CPS: Certificate Practice Statement
- IETF: Internet Engineering Task Force
- PMA: Policy Management Authority
- SHAKEN: Signature-based Handling of Asserted information using toKENs
- SIP: Session Initiation Protocol
- STI-CA: Secure Telephone Identity Certification Authority (often shortened to CA)
- STI-GA: Secure Telephone Identity Governance Authority
- STI-VS: Secure Telephone Identity Verification Service
- STIR: Secure Telephone Identity Revisited