Re: SITR/SHAKEN implementation in effect today (June 30 2021)

[Michael Thomas <mike () mtcc com>]

On 6/30/21 11:30 AM, Sean Donelan wrote:
> STIR/SHAKEN Broadly Implemented Starting Today
> https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today 
>
>
> WASHINGTON, June 30, 2021—FCC Acting Chairwoman Jessica Rosenworcel today
> announced that the largest voice service providers are now using 
> STIR/SHAKEN caller ID authentication standards in their IP networks, 
> in accordance with the deadline set by the FCC. This widespread 
> implementation helps protect consumers against malicious spoofed 
> robocalls and helps law enforcement track bad actors. The STIR/SHAKEN 
> standards serve as a common digital language used by phone networks, 
> allowing valid information to pass from provider to provider which, 
> among other things, informs blocking tools of possible suspicious calls.


Just because you can know (fsvo "know") that a call is allowed to assert 
a number doesn't change anything unless other actions are taken. With 
DKIM which is far simpler than STIR it would require reputation systems 
that don't seem to have been deployed, submission auth which thankfully 
was deployed, policy enforcement (ie ADSP) which is not deployed, and 
user indicators which are sporadically deployed.

Given the giant security holes caused by solving the wrong problem (ie 
trying to authenticate the e.164 address rather than the originating 
domain) it's just going to push spammers to exploit those holes. It's 
very much to be seen whether victory can be declared, IMO.

Mike