Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

[sean at donelan.com (Sean Donelan)]

On Sat, 7 Mar 2020, John Levine wrote:
> This must be some DKIM other than the one the IETF standardized and
> every large mail provider uses to manage mail streams.  There's no
> CA's, you publish your own verification key in your DNS, and it costs
> nothing beyond the software upgrades to use.

Most DNS registers avoid verifying customer information as long as the 
payment clears (for a short time).  DKIM (and DNSSEC) is built on top of 
trusting tokens from third-parties which disclaim all liability.

Cryptography is not magic pixie dust.  It won't create trust between 
unknown parties.  Cryptography works between parties already known to 
each other to verify existing trust. Phone companies and advertisers have 
already demonstrated they can't be trusted to act as third-party 
introducers.  They are more than willing to sell-out that trust to the 
highest bidder.

The reality is my phone already knows the numbers of my circle of friends 
and loved ones.  Overseas call centers randomly generating phone numbers 
aren't matching the subset of phone numbers that cause my phone to ring.
When the scammers start matching social media circles and phone numbers, 
then I'll need something new.

Eventually we'll have STE/STU-equivalent end-to-end verification on our 
smartphones.