- What is SHAKEN?
SHAKEN (Signature-based Handling of Asserted information using toKENs) is a specification framework designed to mitigate illegal robocalls by reducing the impact of illegal Caller ID spoofing. It combines a trusted Caller ID authentication process along with the introduction of an automated traceback capability. Together, they will be used to verify the accuracy of the calling number information in order to help identify and stop the illegal calls and spoofing.
- What is the role of the Governance Authority?
The Secure Telephone Identity Governance Authority (STI-GA), which operates under the auspices of ATIS, plays a critical role in helping the industry mitigate the problem of illegal robocalling. Working with the IETF's STIR (Secure Telephone Identity Revisited) protocol, the joint ATIS/SIP Forum Signature-based Handling of Asserted information using toKENs (SHAKEN) specification offers a practical mechanism for authenticating calls. Verifying the right of the calling party to use the telephone number displayed by attaching a "digital signature" will help restore consumer confidence, increasing trust in the caller ID. ATIS is managing the STI-GA, defining the rules governing the certificate management infrastructure to ensure effective use and security of SHAKEN certificates.
- What is the role of the Policy Administrator?
iconectiv has been selected by the Secure Telephone Identity Governance Authority (STI-GA) to serve as policy administrator. In this role, iconectiv will be applying and enforcing the rules defined for the SHAKEN framework. These rules specify a practical mechanism for service providers to authenticate calls and let consumers know that the telephone number displayed on the caller ID is authenticated. As the policy administrator, iconectiv will confirm which service providers are authorized to request certificates, validate which ones are revoked and review and approve Certification Authorities to issue them.
- How does this work?
As policy administrator, iconectiv works with the Service Providers and STI-Certification Authorities (CAs) to verify, confirm, manage and support the issuance of digital certificates for use in the SHAKEN framework. Specifically, iconectiv manages an active, secure list of approved Certification Authorities that is available to service providers via a REST interface query. The SHAKEN Secure Telephone Identity Verification Service (STI-VS) can then use this list to validate that a call was signed by a Service Provider using an STI certificate from an approved Certification Authority. iconectiv will also be maintaining Service Provider Code tokens, which represent the credentials and validation of service providers. Service Providers will then use this token when requesting issuance of STI certificates from an approved Certification Authority.
- What is the SHAKEN Certification Policy?
This Certificate Policy (CP) includes the practices and policies that Certification Authorities must follow in order to be approved by the policy administrator to serve as a trusted Certification Authority in the United States. You can review the full policy on the Documents page.
- What is the Policy Management Authority?
The Policy Management Authority (PMA) is responsible for ensuring timely review of the submitted Certificate Practice Statements and for notifying the Policy Administrator when a new Certification Authority has been approved. The PMA is comprised of industry stakeholders, including members of the Secure Telephone Identity Governance Authority Technical Committee.
- When did the SHAKEN framework become operational?
This became operational in December 2019.
- Are there any webinars available to better understand SHAKEN/STIR?
Yes, ATIS has several webinars available, including “The SHAKEN Governance Model: Setting Robocall Mitigation Protocols into Action in the Networks” and “SHAKEN 101: Mitigating Illegal Robocalling and Caller ID Scams,” both of which can be viewed here.
- How do I apply for a Service Provider token?
It is recommended that you first read the Service Provider or RespOrg Guidelines. You can then fill out the Registration Form on the Providers Get Started page. Once that is received and processed, an account will be created. You will then be requested to submit a signed User Agreement along with your billing information. Once approved, service providers can access the token via a REST interface query.
- Is there a list of authorized Service Providers and RespOrgs?
Yes, you can view the current list of authorized Service Providers and RespOrgs here.
- What is a RespOrg?
In the North American Numbering Plan, a RespOrg (Responsible Organization) is a company that maintains the registration for toll-free telephone numbers in the SMS/800 database. RespOrgs were established in 1993 as part of a Federal Communications Commission order instituting toll-free number portability. A RespOrg can be a service provider, reseller, or end user that directly controls its own toll-free numbers.
- How do I apply to be a Certification Authority?
It is recommended that you first read the Certification Authority Guidelines. You can then fill out the Registration Form on the Certification Authority page. Once that is received and processed, submit a Certificate Practice Statement for review and approval by the Policy Management Authority (PMA). Once approved, you will be requested to submit a signed User Agreement along with your Root Certificate and billing information.
- What is a Certificate Practice Statement?
A Certificate Practice Statement must be submitted by any company interested in becoming a Certification Authority. It includes information on the practices that a certification authority will employ in issuing, managing, revoking, and renewing or re-keying certificates.
- What does it stand for?
Some guidance on commonly used acronyms:
- ATIS: Alliance for Telecommunications Industry Solutions
- CA: Certification Authority
- CP: Certificate Policy
- CPS: Certificate Practice Statement
- IETF: Internet Engineering Task Force
- PMA: Policy Management Authority
- SHAKEN: Signature-based Handling of Asserted information using toKENs
- SIP: Session Initiation Protocol
- STI-CA: Secure Telephone Identity Certification Authority (often shortened to CA)
- STI-GA: Secure Telephone Identity Governance Authority
- STI-VS: Secure Telephone Identity Verification Service
- STIR: Secure Telephone Identity Revisited
- Is there a list of Root Certificates?
The Root Certificate list is available here.