ATIS - I-0000084
Providing Enterprise and Telephone Number Allocation Authentication for Originating Service Provider SHAKEN Attestation
| Organization: | ATIS |
| Publication Date: | 1 August 2021 |
| Status: | active |
| Page Count: | 83 |
Scope:
This specification extends the capabilities of Signature-based Handling of Asserted information using toKENs (SHAKEN) to enable an enterprise to establish enterprise identity credentials by applying distributed ledger technology and its cryptographic principles. A Know Your Customer (KYC) verified enterprise identity allows the enterprise to prove its identity to any participant of the VoIP ecosystem in order to be assigned or delegated trusted telephone numbers (TNs) by authorized telephone number service providers (TNSPs) or telephone number resellers (TNRs). Using a KYC-verified enterprise identity credential together with an authorized telephone number, the enterprise can place calls signed with its enterprise identity credentials, enabling any originating service provider (OSP) receiving the call to authenticate the enterprise identity credential of the calling enterprise. The OSP can also verify, from the distributed ledger, that the signing entity is authorized to use the TN, and on that basis mark the call with the SHAKEN "Full" or "A-level" attestation. This distributed ledger infrastructure is called the Enterprise Identity Distributed Ledger Network (EIDLN).
The enterprise identity credential is a W3C Decentralized Identifier (DID) recorded on the distributed ledger and authenticated by public/private key pair cryptography. The proof that an enterprise identity has been KYC vetted is recorded on the distributed ledger by the issuing authority as a signed verifiable credential (VC) in the W3C Verifiable Credential format.
All authorized TN assignments or delegations are likewise recorded on the distributed ledger by the issuing authority as signed VCs in the W3C Verifiable Credential format.
An enterprise creates a SIP Identity header on each of its outgoing calls containing a Personal Assertion Token (PASSporT) signed with its enterprise identity private key, together with a reference to the DID credential. The signature and reference enable any OSP connected to the distributed ledger to authenticate the signed PASSporT using the DID and public key stored on the DLT. The OSP can then verify that the originating TN used for the outgoing call is authorized for use by that enterprise identity by checking the signed VC for the TN.
When the OSP can authenticate the calling enterprise identity and the originating TN is authorized for use, the OSP can apply SHAKEN A-level attestation to the call.