nanog mailing list archives

Re: FCC proposes $10 Million fine for spoofed robocalls


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 20 Dec 2019 14:46:20 -0500

On Fri, Dec 20, 2019 at 1:40 PM Michael Thomas <mike () mtcc com> wrote:


On 12/19/19 9:14 PM, Christopher Morrow wrote:
Plus if it didn't work well/too cumbersome/etc with email, it probably
won't be any better with voice. We have lots of experience with what
doesn't work for email.
I sort of figured that the shaken/stir model that (I happened to
propose in their first meeting) of:
   "get the originator (handset, ebony phone, call-warehouse) to
digitally sign the call initiation, propagate that through the network
to the receiver (so they could associate the
md5/sha256/cert-signature/etc with an identity, and let the receivers
decide: 'Not in my known callers list, no answer'"

was a great plan... that the folk in the room basically didn't
understand (or even want me to voice, actually)... It's a shame that
something like this wasn't created instead of shaken/stir. You could
check the signature at any of the hops, start failing calls earlier as
rates of completion didn't stay at some standard level. All sorts of
options would be available, and really the callers could be identified
(at least by endpoint) more quickly.

oh well. glad we got shaken / stir though? :)


SHAKEN is trying to solve the e.164 problem, which is inherently hard and
subject to a lot of cases where it fails. Their problem statement is
worth the read if you're interested.

I'll have to go read, I didn't pay attention much to stir/etc after
the first meeting when it was made very clear that they really didn't
want opinions from outside their group (at that time) or
thoughts/ideas that came from outside the bell-shaped-head space. is
fine, I had many other problems to solve.

But the reality is that it's a pretty SIP-y world these days, and the
proper identity for SIP is the From: address, not the e.164 address.
Since From: addresses contain domain names, you can tie identity to the
domain itself, instead of trying to make sense of telephone number
delegations. It would be trivial to attach a signature to the SIP
INVITE's -- we've been doing that for 15 years with email, and then you
at least know that the INVITE came from the domain it purports to be
from. It works even for PSTN last legs because the PSTN headend can
place the From: address in the caller id. Armed with that knowledge, you
can filter to your heart's content.


this is sort of what I was imagining, except that the caller's handset
(or copper receiver at the end of my ebony phone (in the CO)) could
stamp my call with the correct signature for 'me'.

Ideally 'number' or 'person face' or 'video dancing hamster' makes no
difference here.
On my handset I see a picture of your smiling face (or randys or even
seans...) and (if I agree that's whom I'm talking to) I click the
'verified' button and now only that sent 'certificate' can pretend to
be the person I'm talking to.

Setup some call screening system at the telco, people that last can
get 'verified' by the receiver.. bob's yer auntie and robo callers go
away.

And since we've been told that 5G is a magic elixir that will wash our
clothes and dress our dogs, our new phones can just be SIP UA's instead
of going through the PSTN nonsense at all.


the thing is.. SIP doesn't matter here.. not really.
or I don't care about the carriage, as long as I can say: 'the thing
I'm talking at on the 'far end' is whom they say they are...
verified... no one else can pretend to be that thing/person/etc"

STIR/SHAKEN seems like a solution to a problem whose time is way overdue
to be retired.

maybe.
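
The domain-level signing of SIP INVITEs discussed in this thread, sketched as an added example that is not part of the original message or of any standard: the sender's domain signs selected headers and the receiver checks that the signing domain matches the From: domain before verifying. The `X-Domain-Signature` header name, the in-memory key map standing in for a DNS key lookup, and the sample INVITE are all assumptions made for illustration.

```javascript
const crypto = require('crypto');
// Stand-in for fetching a domain's public key from DNS (assumption, as DKIM does).
const domainKeys = new Map();
function publishDomainKey(domain) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  domainKeys.set(domain, publicKey);
  return privateKey;
}
const SIGNED = ['from', 'to', 'call-id', 'cseq', 'date']; // headers covered by the signature
function parseHeaders(msg) {
  const headers = new Map();
  for (const line of msg.split('\r\n').slice(1)) { // skip the request line
    if (line === '') break; // end of headers
    const i = line.indexOf(':');
    const name = line.slice(0, i).trim().toLowerCase();
    if (i < 1 || headers.has(name)) return null; // malformed or duplicated header
    headers.set(name, line.slice(i + 1).trim());
  }
  return headers;
}
const canonical = (h) => Buffer.from(SIGNED.map((n) => `${n}:${h.get(n) || ''}`).join('\r\n'));
function fromDomain(h) {
  const m = /sips?:[^@>\s]+@([^>;:\s]+)/i.exec(h.get('from') || '');
  return m ? m[1].toLowerCase() : null;
}
// X-Domain-Signature is a hypothetical header name used only in this example.
function signInvite(msg, domain, privateKey) {
  const sig = crypto.sign(null, canonical(parseHeaders(msg)), privateKey).toString('base64');
  const [requestLine, ...rest] = msg.split('\r\n');
  return [requestLine, `X-Domain-Signature: d=${domain}; b=${sig}`, ...rest].join('\r\n');
}

function verifyInvite(msg) {
  const h = parseHeaders(msg);
  if (!h) return 'malformed';
  const m = /^d=([^;]+);\s*b=(\S+)$/.exec(h.get('x-domain-signature') || '');
  if (!m) return 'unsigned';
  const domain = m[1].toLowerCase();
  if (domain !== fromDomain(h)) return 'domain-mismatch'; // signer must own the From: domain
  const key = domainKeys.get(domain);
  if (!key) return 'no-key';
  return crypto.verify(null, canonical(h), key, Buffer.from(m[2], 'base64')) ? 'pass' : 'fail';
}

// Constructed sample INVITE (not captured traffic).
const SAMPLE_INVITE = ['INVITE sip:bob@example.net SIP/2.0',
  'From: "Alice" <sip:alice@example.com>;tag=1928301774', 'To: <sip:bob@example.net>',
  'Call-ID: a84b4c76e66710@pc33.example.com', 'CSeq: 314159 INVITE',
  'Date: Fri, 20 Dec 2019 19:46:20 GMT', 'Content-Length: 0', '', ''].join('\r\n');
```

A receiver would filter on the returned verdict; duplicated headers are rejected outright so that a second From: line cannot be shown to the user while the first one is what was signed.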

