Trusted Communications: Authenticating Calls with Delegate Certificates, On-Demand Nov 5th
CommTech Brief subscribers receive session directly, on November 5th. Sign up for Daily CommTech Brief here.
People simply do not answer the telephone anymore unless they unequivocally know who is calling. That is hurting legitimate businesses that rely on voice calls to reach their customers. The industry continues to advance the objective to restore consumer faith and confidence in answering our telephones. Central to achieving that objective is the ability to verify that the information of the calling party has been authenticated. That seems simple enough but considering that many businesses use more than one phone company and that some companies allow others to manage their phone service, it is more complicated than it appears. This Telco session will answer how a new policy change is helping simplify that by allowing delegate certificates to be used to authenticate calls and how the industry’s centralized Registered Caller database can be leveraged to accelerate the verification process.
Executive Speakers:
George Cray - Senior Vice President-Information Solution Products & Services, iconectiv
Pierce Gorman - Principal Engineer Systems Architecture, T-Mobile
Tom Sawanobori - CTO, CTIA
Full Transcription
Abe Nejad: People simply don't answer the telephone anymore, unless they unequivocally know who is calling. That is hurting legitimate businesses that rely on voice calls to reach their customers. The industry continues to advance the objective to restore consumer faith and confidence in answering our telephones. Central to achieving that objective is the ability to verify that the information of the calling party has been authenticated. That seems simple enough, but considering that many businesses use more than one phone company and that some companies allow others to manage their phone service, it's more complicated than it may appear. This telco session will answer how a new policy change is helping simplify that by allowing delegates certificates to be used to authenticate calls and how the industry's centralized registered caller database can be leveraged to accelerate the verification process. Joining this telco session are Pierce Gorman, he's principal engineer systems architecture at T-Mobile. We also have George Cray, he's senior vice president of products and services at Iconnective and last we have Tom Sawanobori he's chief technology officer at CTIA and gentlemen welcome.
Everyone: Thank you.
Abe Nejad: Well thanks for being here. George Cray, I hope you don't mind. I'm going to start with you. Let's sort of just lay the groundwork here. So what are delegates certificates and why did the STIGA extend the shaken framework to allow for the use of delegate certificates?
George: Sure. Well, to get started delegates certificates are used so that phone companies have a method to establish a business's right to use a phone number. So when a telephone company did not assign the number to a particular business, this becomes a challenge for that originating service provider. Extending the shaken framework to include delegates certificates will allow calling information from legitimate businesses to be presented as verified to the end recipient. The reason this matter is that the phone company that originates the call known as the originating service provider is the phone company that must attest all calls. So in order for that originating service provider to provide an attestation or fully attest the call through the network, they need to be certain both in who the caller is, and that caller's right to use the telephone number.
So this happens, this is a challenge for telephone companies because in many cases you have businesses that use call centers, who call on behalf of a business, or maybe a business has gotten the telephone number from another service provider different than the originating service provider. So that becomes a challenge for the originating service provider to actually fully attest the call. The other change that has taken place, it also extends to toll-free numbers within the shaken framework. So now legitimate outbound calls from toll-free numbers can receive and be presented to the caller as verified. It's envisioned that many responsible orgs or resp-orgs as they're called, will actually utilize delegates certificates in order to ensure the highest level of attestation for any calls using toll-free numbers.
Abe Nejad: Pierce, anything to add?
Pierce: I'll give you the technical view. What delegates certificates are, they're called X.509 version 3 certificates. And they're used to authenticate calls the call signaling and specifically they're expected to be used to authenticate information about the caller, their identity and the right to use the telephone number. And then the type of signature that will be used with them or expected to be used with them can provide additional information such as, authenticated name, but additionally, the reason for calling and even the company logo.
Abe Nejad: So Tom I'm going to go over to you. So what's the role of registered caller in the verification of calling party information, Tom?
Tom: Yes, a registered caller provides a way for legitimate enterprise companies in call centers to have their phone numbers vetted and verified in a centralized registry. That way the originating service provider knows that the call's legitimate enterprise caller can trust that they're calling [04:35 inaudible] information, the caller ID has been verified.
Abe Nejad: George, anything to add to that?
George: No, I think Tom pretty much nailed it. Registered caller is going to be a critical element for enterprises to ensure that they get fully attested when they're making outbound calls.
Abe Nejad: Thanks George. So back to you Tom, so really at a macro level, what is the benefit to an enterprise or call center to have their outbound calls authenticated, Tom?
Tom: Well, let me talk about it from the consumer perspective first. We're all consumers ourselves, and we all know that we're less likely to answer the phone if we're unsure who is calling. This impacts our lives, it could be somebody's calling that we want to hear from. It could be our doctor, a school, a certain business. Reports show that 71% of consumers have stopped answering their calls completely. And only 58% of us answer calls from recognize phone numbers. From the consumer perspective, that may seem like the safest approach, because there's reported 4 billion mobile calls a month, approximately half of which are illegal. When you ask people about this today, most people would say they just let it go to voicemail and they'll check the voicemail and then you can call the person back. That seems logical enough, but that's very inefficient. The telephone tag begins. You can delay getting certain key information and it's also frustrating. Sometimes you don't always contact the person who originally tried to call you
Abe Nejad: So George benefit to enterprises and call centers.
George: Well, yeah, as Tom teed up this is definitely quite a challenge for consumers, but enterprises find it very costly and communications play a critical role in keeping people connected, businesses running and commerce flowing. So the fact that consumers are less likely to answer their phone is really not new. This is a problem that enterprises have faced all along and now you have stir shaken being introduced where we're really changing how calls are being delivered through the network. The good news is calls will now be verified and attested. And that really brings the promise of far reaching impact for enterprises to the positive. We should have lower costs with fewer call attempts and higher productivity for reaching consumers. Profitability will be enhanced and customer satisfaction should go up.
Abe Nejad: Pierce I want to go with you on the next question, but do you want to add anything to George?
Pierce: Yeah. I'll just mention that from a terminating service provider perspective, the ability to verify that the caller has been vetted, that their identity is known and that they have the authoritative right to use the telephone number is valuable. And additionally, the ability to send along enhanced calling identity information, such as the reason for calling in the logo should help improve call completion rates and it's better trust information available for the caller. [07:39 inaudible] they can accept the call.
Abe Nejad: So Pierce I'm going to stay with you. So is there a difference on how a call is verified when let's say a telephone company signs the calls themselves, or if a delegates certificate is used, is there a difference Pierce?
Pierce: Yes, there are differences between what a service provider can sign and between what an enterprise can sign. And the main difference is, I should also go into, there are two main differences. The first main difference is that service providers can get a different set of certificates than what are available to enterprises and call centers. Then the second main difference, the kinds of signatures that can be applied to the calls using those certificates, I've got three main ways to describe the differences. The service provider can obtain service provider and entity certificates as well as what are called intermediate certificates. And the intermediate certificates are used to issue delegates certificates to enterprises. And then delegate certificate is the only kind of certificate that an enterprise can obtain.
The next difference is, goes on to, or the next two examples are about the differences in the signatures that can be done with those different kinds of certificates. So a service provider is authorized to use their entity certificate to sign calls using four different signature types. The one that's mandated required by law and regulation is the shaken type of signature, but there are three other kinds as well. There is a resource priority header, RPH type of signature. A diversion, which is used for call forwarding and number translations. And finally, the last one is called rich call data and rich called data is the one that would be expected to be used by enterprises for their call centers. And that's the type of signature that allows the enterprise to volunteer additional information about themselves, such as the reason for calling and their company logo. And then the last difference is that a service provider is authorized to use RCD claims in a shaken signature but an enterprise can only use RCD, they can't do any shaken or RPH or diversion kinds of signatures
Abe Nejad: George, anything to add before we move on?
George: Let me just try to unpack that a little bit. I think when a telephone company signs the call themselves, they as the originating service provider can only give that full attestation when they know both the caller and the right that that caller has to use the telephone number. So that knowledge really needs to be based typically based on what numbers they've assigned. And so really as you introduce a delegates certificate, you're enhancing the ability for that originating service provider to understand and trust the fact that the caller has the right to use the TN and then that number and that call can be fully attested as it goes through the network.
In the same way, when a company uses a toll free number, the resp-org, or that responsible organization who manages the toll-free numbers, they're the ones responsible for assigning them. They can use the delegates certificate again to specify the true ownership and therefore ensure that that call is fully attested as it goes through the network.
Abe Nejad: So I want to talk or sort of round out this session talking about trust. We've talked about this subject before, and of course one of the headers of this session is trusted communications. Tom, I'm going to start with you then back to George, and then Pierce if you can finish this off from the operator's perspective. So Tom, how will service providers and enterprises really ensure that delegates certificates will be trusted so that the calls are authenticated and verified? Tom.
Tom: So with verbal call, various verbal call mitigation mechanisms are already out there and they can be much more effective if they can utilize verified calls from a registry. And with better quality data from a trusted source, the voice telephone companies can ensure that they can easily identify legitimate calls and that'll help improve the likelihood, customers will answer their incoming calls from these verified callers.
Abe Nejad: George.
Goerge: Yeah, I think when you look at what's happening here, the trust in the delegates certificate that has been introduced, that's actually rooted in the policy administrator, the STI PA and that policy administrator is Iconnective. All delegates certificates chain back actually to an approved STI certificate authority that were vetted and approved by the policy administrator. But even so it's critical that the certificate authorities are also trusted to properly verify telephone number assignments and that the private keys associated with the delegates certificates are protected from compromise.
Certification authorities can publish signing policies that commit to proper telephone number verification, and a good example would be leveraging registered caller to do so. Registered caller then furnishes the vetted enterprise and associated TN's to the service providers within the shaken framework.
Abe Nejad: And Pierce from the operator's perspective can people trust that they can pick up their calls as soon as this framework is implemented, Pierce?
Pierce: Well, it'll be important for the terminating service provider to make sure that the information that they're wanting to present to their subscribers is information that can be trusted because illegal, robocallers is going to want to use this too, right? They're going to try and get the little green check mark or a number of verified kind of treatment. So it will be really important for service providers to make sure that the information that they're processing for their subscribers is trustworthy and the way they'll do that is looking at information they know has been vetted, both the identity of the caller, as well as the number that they're using. And that's what registered caller will provide us, the resource.
So the trust information that's available is a big deal. And that's one of the reasons why we like what Iconnective has been doing in CTIA with registered caller, because they're professionally vetting the information associated with that caller. And that's important because the policy around issuing the certificates. There isn't anything in the policy that says that the service provider who issues the delegates certificate has done any kind of level of vetting that we know was being done by Iconnective and CTIA. And so that means that there could be service providers who looked the other way, and issue delegate certificates to folks who shouldn't be getting them. And so that's what the big important difference is. Registered caller gives you a resource of vetted information that you can trust.
Abe Nejad: So trusted communications has been a topic we've been discussing for the last two to three years. It's good that the industry is now coming up with a framework to deal with folks out there being able to trust answering their phones once again. I want to say a thank you to T-Mobile or operator on the session. Pierce, thanks so much for your time and your input.
Pierce: You bet. You're welcome.
Abe Nejad: Thank you. And Tom CTIA, we've done this before, quite recently, actually. So we appreciate your time and your input as well.
Tom: My pleasure. Thank you.
Abe Nejad: And George Cray I want to say a special thank you to George for his time and his input, but also their support for this session today and for making today's session possible. So George, thank you and your team as well.
George: Thank you.
Abe Nejad: Appreciate that. And to our audience out there, we thank T-Mobile, CTIA and Iconnective for joining this session on trusted communications, that's extending the ability to verify and authenticate calling parties to include delegates certificates. If you'd like this on-demand session, you can get it on November 5th, by going to the network media group.com, so long.
For any inquiries, please email anejad@thenetworkmediagroup.com