ATIS - 1000074
Signature-based Handling of Asserted information using toKENs (SHAKEN)
| Organization: | ATIS |
| Publication Date: | 1 August 2022 |
| Status: | active |
| Page Count: | 22 |
Scope
This document is intended to provide telephone service providers with a framework and guidance on how to utilize Secure Telephone Identity (STI) technologies for the validation of legitimate calls and the mitigation of illegitimate spoofing of telephone identities on IP-based service provider voice networks (also to be referred to as Voice over Internet Protocol [VoIP] networks). The primary focus of this document is on the format of STI claims, the mapping of these claims to the Session Initiation Protocol (SIP) [IETF RFC 3261, SIP: Session Initiation Protocol], and the authentication and verification functions.
Purpose
Using the protocols defined in IETF RFC 8224, Authenticated Identity Management in the Session Initiation Protocol, and IETF RFC 8225, Personal Assertion Token, this document defines the Signature-based Handling of Asserted information using toKENs (SHAKEN) framework. This framework is targeted at telephone service providers delivering phone calls over VoIP, and addresses the implementation and usage of the Internet Engineering Task Force (IETF) Secure Telephone Identity Revisited (STIR) Working Group protocols and the architecture and use of STI-related X.509-based certificates [IETF RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]. It also discusses the general architecture of service provider authentication and verification services. Finally, it provides high-level guidance on the use of positive or negative verification of the signature to mitigate illegitimate use of Caller ID spoofing in general.
Illegitimate Caller ID spoofing continues to be a concern for North American telephone service providers and their customers. There are many Caller ID spoofing mechanisms, and illegitimate spoofing can evolve to evade mitigation techniques. Service provider solutions must therefore be flexible to respond to evolving threats in much the same way as cybersecurity solutions do. In addition, the integration of new technologies into established VoIP networks imposes many interoperability and interworking challenges. As a result, this document is a baseline standard on the implementation of the protocol-related requirements for STI. The objective is to provide a baseline that can evolve over time, incorporating more comprehensive functionality and a broader scope in a backwards-compatible
Document History