Regular readers will know my thoughts about STIR/SHAKEN, the US combination of governance and technology standards that forces telcos in a few countries to attach digital signatures to calls. Trying to stop scam calls with STIR/SHAKEN has proven as effective as trying to stop a wildfire with a wet fart. This outcome was predicted in Commsrisk although advocates of STIR/SHAKEN still try to pretend their method has succeeded, despite all their optimistic predictions coming to nothing. There are so many things wrong with STIR/SHAKEN that it would be tedious to recount them all, but one of the most important deficiencies of STIR/SHAKEN is that it is described as a method to ‘authenticate’ the origin of calls in the complete absence of any authentication being demanded by anything written into the various standards that define STIR/SHAKEN.
Describing a STIR/SHAKEN signature as a form of authentication is like saying a forger can authenticate a painting by applying Picasso’s name to the bottom-right corner. The application of paint to a canvas does not make the painting authentic. The application of a STIR/SHAKEN signature to a call does not make the call authentic. This egregious flaw should have been obvious to everybody from the outset. The existence of the flaw was made indisputable by the US Federal Communications Commission (FCC) needing to punish a telco that applied the highest grade of STIR/SHAKEN signature to spoofed and deepfaked phone calls that intentionally misled voters. It is of some interest that one of the architects of STIR/SHAKEN is now addressing this fundamental flaw.
The significance of the fix is huge, though it is my experience that when people fix a massive screw-up they do not like to draw attention to the fix because it also draws attention to the massive screw-up. They prefer instead to present the fix like it was a natural progression of their past success. Enter Chris Wendt, formerly of Comcast and now of Somos. Wendt was one of the co-authors of STIR/SHAKEN, and he is now the co-author of a draft Internet Engineering Task Force standard called VESPER. The draft standard for VESPER begins:
This document extends the STIR architecture by defining a secure telephone identity token and PASSporT with a type of “vesper” and specifies the use of Selective Disclosure JWT (SD-JWT) for representing persona related claim information intended to be associated with verifiable information such as the assignment of a telephone number or the output of a Know Your Customer (KYC) or Know Your Business (KYB) type of vetting process or Rich Call Data (RCD) or claims of consent provided to the telephone number holder.
For those who do not speak techno-ese, the draft is proposing the creation of a web token, encoded so that holders of a key can extract information including a third party auditor’s determination that the entity claiming to originate the communication really is who they say they are. In other words, it wants to do something new that STIR/SHAKEN should have done from the outset. The need for this development is made plain within the draft standard.
Recently, the illegitimate use of telephone numbers by unauthorized parties and the associated fraudulent activity associated with those communications has generally eroded trust in communications systems. Further, basic reliance on the trust of the signer alone to at the time of the communications without (sic) has proven to require time and people consuming work to perform after-the-fact investigation and enforcement activities.
In other words, people who attach STIR/SHAKEN signatures to calls do not always tell the truth. Discovering that some people who run businesses are liars ‘has proven’ to be a fundamental flaw with STIR/SHAKEN. It needs rectification by enabling authentication to occur before the application of the technology that claims to show something is authenticated, instead of trying to play catch-up with the liars afterwards.
Other industries, like the financial industry, have adopted well-known successful practices of Know Your Customer (KYC) or Know Your Business (KYB), otherwise referred to as the application of vetting practices of an entity.
Regular readers will already see where this is going. Some people who know some stuff about internet technologies persuaded a US government agency to implement a way of signaling that a call had been authenticated before anybody had bothered to stipulate what telcos should be doing to check that the entity making the call is trustworthy. Years earlier, a group of people who know about banking worked out how to check and uniquely identify every business that provides financial services. The banking people were not internet people, so they worked out how to authenticate an entity before they started thinking about how to use the internet to remotely signal the fact that an entity has been authenticated. Two completely different evolutionary branches have independently been progressing towards a common design to address a common challenge. That design, in outline, is:
- Give third-party auditors a framework so they can independently verify that an organization is the organization that it says it is.
- Translate the decision of the third-party auditor into cryptographically secure data that can be understood by anybody who has access to it and who wants to verify the identity of the organization they are transacting with.
- Make timely access to that data available through the internet.
Telcos employ more technologists than experts in preventing corruption, and so they neglected the first step in this three-step design, leaving a void that undermined the remainder of their plan. This void has been somewhat filled with ill-considered panic-measures, such as the US Robocall Mitigation Database (RMD). The lack of thought given to the crucial first step in this design has encouraged many naive folks to believe the eventual solution will involve somebody in government knowing who everybody is. Or worse, they expect one business to be paid by government to maintain a database of who everybody is. Readers of Commsrisk will be wise enough to appreciate why neither government, nor a government-backed monopoly, is the answer. A multiplicity of auditors exist in other domains, such as the auditing of financial accounts, because auditors also need the pressure of competition to discourage them from sliding into complacency and corruption.
It would be unfair to expect a technologist to be familiar with topics that fall well outside of their domain, such as the history of corporate governance. But that is also why big problems need to be tackled using a multi-disciplinary approach at the design stage, rather than trusting technologists to devise answers, only to then watch them learn from expensive forms of trial-and-error. Perhaps some communications businesses are now being drawn into this multi-disciplinary approach, whether they welcome what is happening or not.
Technologists may not change that much — technological specialization requires a high degree of focus — but they might find themselves working for new people with different perspectives. I currently do not think much of the old telco cliques that have only recently discovered that fraud afflicts phone users as well as phone companies. They should be ashamed of themselves for being so inward-looking for so long, with the result that the comms sector is riven with crime, to the detriment of the rest of society. However, not everybody in business is narrow. I expect Chris Wendt’s bosses at Somos are very conscious of ‘other industries, like the financial industry’, and the potential to make money by eliminating some kinds of losses those industries currently endure. Smart businesses that know about networks will have two big eyes on the prize that comes with the prevention of financial scams.



