This document proposes a scheme for authenticated caller ID to help combat phone fraud. It involves caller ID verification by a certificate authority to obtain a caller ID certificate. An authenticated call request is then generated using the certificate, including a digital signature, timestamp, and caller identity certificate. Benefits include immediate verification of call source and a foundation for spam defenses. Security considerations address certificate revocation and local deployment challenges. Future work involves standardization, implementation, and commercialization of the authenticated caller ID scheme.
24. Key Benefits
Immediate cue of a verified source
Provides a foundation for spam defenses
Promotes vigilance for identity verification
Provides assurance for doing business
over the phone
30. • Provide proof of E.164 ownership to a
CA
• Obtain a Caller ID Certificate
• Use Caller ID Certificate to generate
Authenticated Call Requests
Caller ID Verification
31. • Generate an extended IAM with a digital
signature using the Caller ID Certificate
• Validate the IAM signature
Authenticated Call Request
32. • UTC Timestamp (UNIX time)
• X.509 certificate format
• International E.164 format
• Parameter Compatibility Information
parameter (Q.764.2.9.5.3.2)
Other Details
Parameter Type Length (octets)
UTC Timestamp Optional Part 4-?
Signature Algorithm Optional Part 1-?
Signature Optional Part 16-?
Caller Identity Certificate Optional Part 32-?
33. • Certificate Revocation to guard against
stolen identity
– E.g. stolen certificate, cell phone theft, etc.
• Recommend: Certificate Revocation List
with short-term certificates
– No stalling, OCSP can cause stalling
– Reduce list size
– Risk containment
Security Considerations
34. Local Deployment
Considerations
• Presenting the security indicator to the
called party
• Use a flag indicator, only if
– Local exchange network connection is secured
– Identity of the local exchange carrier is
authenticated
– Call request header is integrity protected
• Recommend: Forwarding of the extended
IAM parameters
Today spam distribution technology has become more advanced and more accessible than ever. With the rise of cloud computing, there are now hundreds of autodialer services that are accessed over the internet, with advance features such as simultaneous calling, interactive voice response and customizable caller ID.
In order to better understand telephone spam from the spammer’s perspective, we also asked, how does a spammer operate?
This is what the PSTN used to look like.
However, With introduction of IP access to the PSTN, the spammer is now further insulated from law enforcement.
And with IP access, the spammer could now further evade law enforcement by hiding behind VPNs and Tors.
To make matters worse, the spammer could reside anywhere in the world beyond the jurisdiction of the law enforcement.
Another way is to defeat call blockers and make the call seem more legitimate is to use a fake caller ID number. With most autodialers, The caller ID number can be easily spoofed because current call protocols do not have a built-in authentication mechanism. The carriers also do not have a legal obligation to ensure that the caller ID number is verified. In fact, some VoIP carriers sell customizable caller ID as a service feature.
So you might ask what about law enforcement?
Right now, there is a sever lack of accountability in telephone identities, until that changes, we’re still going to have vast amounts of robocalls and scam calls hurting consumers and businesses.
Talk about why TLS cannot be applied in deplorability, and STIR
Give a bit more background of cert revocation and why it matters. Some stories.