What is Attestation?
The term “attestation” in reference to STIR/SHAKEN refers to the level of certainty (defined in levels A, B, or C) the service provider has regarding the ownership or authorized use of the number being displayed in conjunction with the business’s identity.
When a STIR/SHAKEN call certificate is received, it will include a call’s Attestation Level, as signed by the originating service provider. This establishes the relationship with the caller and their right to use the calling number.
There are 3 Levels of Attestation:
- Full or Attestation “A”: the service provider knows the call source/identity of the caller and has the right to use that number. Example: The carrier issued the number for a customer, so the call originated in their network.
- Partial or Attestation “B”: The service provider knows the customer but not the source of the phone number.Example: When third-party call centers originate a call, the service provider may not know if they have the right to use that number.
- Gateway or Attestation “C”: The service provider places the call into their network but does not know who the originator of the call is. Example: If a call originates from outside of the country and is coming through an international gateway.
How does attestation level translate to a call’s trustworthiness?
The level of Attestation is not a direct correlation to the trustworthiness of the call.
Analytics will still be in place for call validation treatment to ensure that unwanted, scam or illegal calls will still be labeled accordingly. Attestation works to help establish the authenticity and identity of inbound callers but is not a substitution for call analytics solutions for call authentication.
What is the Enterprise Challenge?
One critical thing that goes on the STIR/SHAKEN certificate is the Attestation Level (A, B, or C). The gap occurs in complex scenarios like when a call center or BPO is making calls on behalf of multiple clients or where in some cases, there could be two or three parties involved in the call path. The end client could be someone who is not making the call but has outsourced the call to another call center that could use a different platform or CPaaS provider. In these scenarios, enterprises or service providers may be unable to validate the source or right to use the number to get their calls signed, known as the Attestation Gap.
Will A-Level Attestation guarantee that my calls will not be marked as ‘Spam’?
A-Level Attestation comes in through the SIP network and terminates at the device. A-Level Attestation is one of many data points terminating providers consider when displaying a call.
Another data point taken into consideration comes at the analytics level, which is a separate layer outside STIR/SHAKEN Attestation and influences call display on mobile devices. These external analytics assess your phone number's reputation outside of the STIR/SHAKEN framework, which is where ‘Spam’ or ‘Scam’ labeling comes from.
A-Level Attestation does not necessarily influence the presentation of Spam or Scam labeling as the technologies are not currently integrated.
Can anyone guarantee an A-Level Attestation?
An originating service provider could guarantee A-Level if they have a direct relationship with you as their client and have issued the numbers to you.
In any other situation, to facilitate A-Level Attestation, the originating service provider (OSP) needs a process to validate the enterprise in question’s identity and validate that the phone numbers being used belong to that identity from whoever procured those numbers (if outside of the OSP).
Can less than A-Level Attestation be remediated or appealed or corrected?
It is unclear what the remediation process will be for calls signed with levels B or C. It will require a feedback loop to be put into place and techniques that still need to be defined based on the standards.
Is there a ‘Registry’ or ‘Database’ for callers to get A-Level Attestation?
What is that, is it real, and is Numeracle a part of it?
Multiple models are currently being discussed to address Attestation and the Attestation Gap (Enterprise Challenge).
One proposed model is the centralized registry or database model, similar to a traditional CNAM database. This repository will store all the information related to numbers, including who owns the number, who has access to the number, or who is making calls on someone else’s behalf.
Having this database would allow for retrieving any of this information. However, this is just one of the proposed models by the Standards Group. There are still questions about how this data is updated, who has access to it, who controls that access, or what happens if the database gets compromised.
From the carrier perspective, how does Numeracle act as a Local Policy solution for the service provider looking to ensure its clients’ calls can be signed as A-Level Attestation, whether or not the service provider provisioned the phone numbers?
This can be validated through Numeracle’s ‘Number Profile’ item within our Entity Identity ManagementTM platform. When a service provider needs to validate ownership of phone numbers provisioned outside the service provider, a request is sent to the entity to complete an LOA (Letter of Authorization) via a digital process, confirming the entity’s authorization for authorization use of the phone number. That LOA is then used to form the baseline of truth for A-Attestation based on this authorized use of the phone number.
What happens when a call originator makes a call through a carrier with a number they acquired from another different carrier in regards to A) the level of attestation they can get? And B) if they do get a B level versus an A level, how will that impact what subscribers experience on the terminating side when called?
- It depends on the carrier that is being used to originate the call. It comes back to the local policy they implemented and how they are treating that enterprise and that number. If the carrier believes they already know the customer/client/call originator and have a robust Know Your Customer (KYC) policy in place, it could theoretically be attested with A. However, a different carrier can take a different approach and always attest calls as B if the number was not acquired from them.
- If it receives a B-level Attestation, thus far, we have not seen any difference between how the terminating carrier treats a B and A-Level as far as the presentation to the subscriber. As implementation continues, different visual displays such as a verification check may be used for only A-Level Attested calls.
Is there a way to test? How is it working so far?
Numeracle has clients using a provider that has implemented Base STIR/SHAKEN. We had them call our number to see how those calls were displayed, keeping in mind that our number is on one of the three major carriers. We found that the calls came through with the same display and appeared the same as calls from callers without authentication. This may be because the calls were given less than A-level attestation, or there may have been analytics, and local policy choices of Numeracle's service provider, which prevented Call Validation Treatment with "Verified" messaging and/or a green check mark displayed.
It also depends on the terminating service provider and how they accept call signatures. Call validation treatment and analytics will continue to play a role in the solution, and they are still on the network. How the actual call gets displayed on the device is based on how the terminating service provider does the CVT.
Attested calls currently do not show an attestation level, but we expect this will change over time as more begin implementing the standards.