No reason to deny TSPs access to secure telephony identity certificates: CRTC

The CRTC has determined that, unless a telecommunications service provider (TSP) cannot be trusted to maintain the integrity of the anti-call-spoofing protocol known as STIR/SHAKEN, there is no reason to deny TSPs, that do not have direct access to numbering resources, access to secure telephony identity (STI) certificates. Thursday, the commission released its decision regarding Mitel Networks Corp.’s request that it instruct the Canadian Secure Token Governance Authority (CST-GA) -- the agency in charge of implementing STIR/SHAKEN -- to allow all resellers to participate in the framework. Originally, CST-GA, determined that only those providers that obtain telephone numbers directly from the numbering authority can participate, which would have excluded carriers like Mitel that obtain numbers from facilities-based carriers and resell them. Mitel’s main argument, in its December Part 1 application, was that the CRTC directed all TSPs to implement STIR/SHAKEN, however, the CST-GA prevented non-eligible TSPs from complying with the order in an effective manner, or at all. Mitel argued that it would create a competitive disadvantage for some companies -- like those centred around voice over Internet Protocol (VoIP) services — because they would not be able to attest that calls originating from their services were fully authentic and not fraudulent. Rogers Communications Inc., Shaw Communications Inc. and BCE Inc. all opposed Mitel's request. The latter two suggested it be dismissed because Mitel’s concerns were premature or speculative, while Rogers argued local VoIP providers may improperly certify calls and create security risks. “With regards to the observation that spoofed calls originate primarily from VoIP services… it is not appropriate to judge the reliability or trustworthiness of a TSP based on the type of service or technology it provides,” the CRTC wrote in its decision. “No matter the origin of spoofed calls, the commission is of the opinion that any size or type of TSP could improperly certify calls. Furthermore, because spoofing is most common on IP voice networks, STIR/SHAKEN was developed to address that issue and in fact applies only to IP calls. The Commission notes that enabling all TSPs to authenticate calls with an STI certificate would make the caller’s TSP directly accountable for attestation.” Telus Corp. in its intervention said STIR/SHAKEN would work best if companies like Mitel were not required to obtain delegate certificates via other providers, because all TSPs must be accountable for their own certifications. “Alternative options for implementing STIR/SHAKEN without direct access to certificates may have important limitations; they are not yet available, and their costs are unknown,” the CRTC wrote in its analysis. “A policy that precludes an entire category of TSPs from direct access to STI certificates, based solely on the type of TSP, could result in a competitive advantage for those TSPs that do not have such access.” The commission also wrote in its analysis that CST-GA did not provide a justification for its access policy. The Internet Society’s Canada Chapter (ISCC) also supported Mitel, explaining in its intervention that under the framework there existed three tiers of “attestation” for a call’s authenticity: full, partial, and gateway attestation (A, B, and C). Therefore, calls originating from resellers would only have B and C level attestation, meaning “network-based call screening services will look at B and C level calls more suspiciously than A level calls, with the result that they may filter them more aggressively." The CRTC wrote in the analysis of its decision that “the ability to fully authenticate outgoing calls will become a competitive necessity when the treatment of authenticated calls, e.g., through display and filtering, is more advanced and widely available.” Under the CRTC's decision, the CST-GA now has 60 days to create, in collaboration with currently ineligible TSPs, eligibility requirements to the extent that they are necessary to maintain the integrity of the STIR/SHAKEN framework. The STIR/SHAKEN framework was initially meant to be deployed in September 2020, but was delayed until mid-2021. STIR stands for “secure telephony information revisited,” and SHAKEN stands for “signature-based handling of asserted information using tokens.” -- Reporting by Jenna Cocullo at jcocullo@thewirereport.ca and editing by Michael Lee-Murphy at mleemurphy@thewirereport.ca

No reason to deny TSPs access to secure telephony identity certificates: CRTC

News | 08/05/2021 2:10 pm EDT

To keep reading, get a free trial.

Already a Subscriber?

Related Stories

OPINION: Bulk MDU deals no longer a rare occurrence

News | 09/29/2023 6:20 pm EDT

Social media and podcast services must register with CRTC, not users, under new regime

News | 09/29/2023 5:48 pm EDT

Infrastructure investments could see cuts due to wholesale rates: Bibic, French

News | 09/28/2023 6:54 pm EDT

Reuse & Permissions

Inside The Wire Report

Information

Hill Times Publishing

Get in Touch With Us