[cabfpub] Creating an open CA regime for telephone number "possession"

Tony Rutkowski tony at yaanatech.com
Fri Dec 8 18:58:37 UTC 2017


Hi Kirk,

Many of you are likely peripherally aware of
ongoing efforts in the FCC to mitigate
robocalls and telephone number spoofing.
Perhaps less known are the methods being
contemplated to do this.  One that has been
prominent is a PKI certificate regime for
attesting to "possession of a telephone
number" that will be used for telephony
and messaging traffic exchange.

Although the problems here are global, the
work has largely ensued within the U.S. telco
industry Washington DC based body known
as ATIS - working with an IETF committee
known as "stir" and the SIP Forum.

In a letter just distributed on one of the
related lists, the chair of the North
American Numbering Council gives notice of a
process for selecting a "governing authority"
and administrator for telephone number
related certificates.

It is worth pointing out that none of the
parties involved in this process have any
experience with the use and management of PKI
certs, and that the entire process seems
tantamount to granting a closed monopoly CA
regime under a government mandate.
(Ironically, ATIS's own website has had an
SSL Labs rating of F, that after notice a few
days ago, was improved to C.  See
https://www.ssllabs.com/ssltest/analyze.html?d=www.atis.org)

Furthermore, although the ITU-T E.164
telephone numbers here exist under an
international standard, and the spoofed call
challenges are inherently global, the work is
ensuing entirely in a U.S. domestic context.

This is a stark contrast to the CA/B Forum
and its members - who arguably should
constitute this Governing Authority.  Indeed,
from a policy perspective, one might ask why
there is only one Governing Authority being
created as a monopoly, and why they are not
using evCERTs and supporting specifications.

I have provided here all the relevant current
documents, including the letter dated
yesterday on the Governing Authority matter.
Also especially relevant is IPNNI-2017-00125R000,
"Technical Report on Operational and Management
Considerations for SHAKEN STI Certification
Authorities."

The Forum as well as its individual members
might wish to intervene here.  At issue are not
only an available potentially global marketplace
for telephone number related CAs, but also the
performance and resilience of anti-spoofing
capabilities, and the ability for IP telephone
service vendors to effectively exchange their
customer telephone and messaging traffic.

best,

tony


-------------- next part --------------
A non-text attachment was scrubbed...
Name: FCC NANC 12-7-2017 Letters.pdf
Type: application/pdf
Size: 234415 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171208/0f83344f/attachment-0003.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IPNNI-2017-00127R000.pptx
Type: application/vnd.openxmlformats-officedocument.presentationml.presentation
Size: 92713 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171208/0f83344f/attachment-0003.pptx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IPNNI-2017-00126R000.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 352335 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171208/0f83344f/attachment-0006.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IPNNI-2017-00120R001.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 310574 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171208/0f83344f/attachment-0007.docx>

