What is Attestation?
When a STIR/SHAKEN call certificate is received, it will include a call’s Attestation Level, as signed by the originating service provider. This establishes the relationship with the caller and their right to use the calling number.
There are 3 Levels of Attestation:
- Full or Attestation “A”: The service provider knows the call source or identity of the caller and knows that the caller has the right to use that number. Example: The carrier issued the number for a customer so the call originated in their network.
- Partial or Attestation “B”: The service provider knows the customer, but not the source of the phone number. Example: When third-party call centers are originating the call, the service provider may not know if they have the right to use that number.
- Gateway or Attestation “C”: The service provider places the call into their network, but does not know who the originator of the call is. Example: If a call originates from outside of the country and is coming through an international gateway.
How does this translate to a call’s trustworthiness?
The level of Attestation does not directly correlate with the trustworthiness of the call. Analytics will still be in place for call validation treatment to ensure that unwanted, scam, or illegal calls will still be labeled accordingly.
Attestation works to help establish the authenticity and identity of inbound callers but is not a substitute for call authentication solutions.
What is the Enterprise Challenge?
One of the key things that goes on the STIR/SHAKEN certificate is the Attestation Level (A, B, or C). The gap occurs in complex scenarios where a call center or BPO is making calls on behalf of multiple clients, or where in some cases there could be two or three parties involved during a call path. The end client could be someone who is not even making the call but has outsourced the call to another call center that could be using a different platform or CPaaS provider. In these scenarios, enterprises or service providers may not be able to validate and get their calls signed, which is the Attestation Gap.
Can anyone guarantee A-Level Attestation?
An originating service provider (OSP) can if they have a direct relationship with you as their client and have issued the numbers to you. In any other situation, in order to facilitate A-Level Attestation, the OSP needs to have a process to validate the identity of the enterprise in question and to validate that the phone numbers being used belong to that identity, wherever those numbers were procured from (if outside of the OSP).
Is there a way to test? How is it working so far?
Numeracle has a client currently using a wide provider that has implemented the BASE STIR/SHAKEN and we had them call our number to see how those calls were displayed, keeping in mind that our number is on one of the three major carriers. What we found was the calls came through as we would make any other calls without attestation.
It also depends on the terminating service provider and how they’re accepting certificates. Call validation treatment and analytics will continue to play a role in the solution and they are still on the network. How the actual call gets displayed on the device is based on how the CVT is done by the terminating service provider.
Attested calls currently do not show an attestation level, but we expect this will change over a period of time as more begin to implement the standards.
Can less than A-Level Attestation be remediated or appealed or corrected?
At this point, it is unclear what the remediation process will be for calls that are signed with levels B or C. It will require a feedback loop to be put into place and processes that still need to be defined based on the Standards.
Is there a “Registry” or “Database” for callers to get A-Level Attestation?
What is that, is it real, and is Numeracle a part of it?
There are multiple models that are currently being discussed to address Attestation and the Attestation Gap. One of the proposed models is the centralized registry or database model which is similar to a traditional CNAM database. This repository will have all the information related to numbers stored, including who owns the number, who has access to the number, or who is making calls on someone else’s behalf.
Having this database would allow for the retrieval of any of this information; however, this is just one of the models proposed by the Standards Group. There are still questions around how this data is updated, who has access to it, who controls that access, and what happens if the database gets compromised.
From the carrier perspective, how does Numeracle act as a Local Policy solution for the service provider looking to ensure its clients’ calls can be signed as A-Level Attestation, whether or not the phone numbers were provisioned by the service provider?
This can be validated through Numeracle’s ‘Number Profile’ item within its Entity Identity Management platform. When a service provider needs to validate ownership of phone numbers provisioned outside of the service provider, a request is sent to the entity to complete an LOA (Letter of Authorization) via a digital process, which confirms the entity’s authorization for use of the phone number. That LOA is then used to form the baseline of truth for A Attestation to take place based on this authorized use of the phone number.
What happens when a call originator makes a call through a carrier with a number they acquired from a different carrier, in regard to:
A) the level of attestation they can get?
And B) if they do get a B level versus an A level, how will that impact what subscribers experience on the terminating side when called?
- It depends on the carrier that is being used to originate the call. It comes back to the local policy they implemented and how they are treating that Enterprise as well as that number. If the carrier believes they already know the customer/client/call originator and they have a good KYC policy in place, it could theoretically be attested with A. However, a different carrier can take a different approach and always attest calls as B if the number wasn’t acquired from them.
- If it gets a B-level attestation, thus far we have not seen any difference between how the terminating carrier treats a B and A level as far as the presentation to the subscriber. As implementation continues, different visual displays such as a verification check may be used for only A-level attested calls.