Nice coverage of STIR/SHAKEN!
I’m actually involved with implementing STIR/SHAKEN at the carrier where I’m employed. Let me just add a few notes that might be helpful.
(Haven’t read all the comments, so apologies if this was already mentioned.)
I think of STIR/SHAKEN for spam calls as being a lot like DomainKeys for spam email. DK places a responsibility on the carrier originating the email to cryptographically sign the body and headers of emails going out, including the From header, so you can trust the email came from who it says. Then the receiving mail carrier can use a public key to check to make sure the email is authentic (including not tampered with) before dropping it into your mailbox. And they can stamp it with some type of indicator header to that effect.
STIR/SHAKEN basically does the same for phone calls.
This leads me to my second point.
Just knowing a caller is who they say they are doesn’t block the call or really help you much at all unless they really did spoof a CallerID that you know. I find those calls to be a tiny fraction of spam calls.
So to help add some real value, some carriers are implementing features that go above and beyond what is required by the STIR/SHAKEN mandate by offering Robocall Mitigation and Reputation Scoring. These extra features check the CalledID against a (typically shared) database of statistically bad offenders and so give the call a reputation score. They can then use this score to replace the Calling Name that displays on your receiving device with something like “Spam Risk”. Or they may block the call completely if the reputation is super low. This is, again, very similar to the Real-time Blackhole List (RBL) that many ISPs like us subscribed to 20 years ago to block spam email.
This is when you’re really reaping the benefit of STIR/SHAKEN. But you can see that Robocall Mitigation and Reputation Scoring are useless to try to implement if someone can pretend they’re someone else, and therefore steal their reputation. That’s why getting a system that allows us to trust CallerID, as STIR/SHAKEN does, is foundational for all these other cool features.
Very excited to possibly be moving towards a more trustworthy phone network!
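The dependency described in the comment above, reputation scoring only being meaningful once the CallerID can be trusted, as an added example that is not part of the original comment or any carrier's code. The numbers, scores, thresholds, the "Unverified Caller" label and the `decide` function are all constructed for illustration; the `verified` flag is assumed to be the result of STIR/SHAKEN signature verification done upstream.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed reputation database: 0 (worst) to 100 (best).
REPUTATION = {
    "+12025550101": 95,  # long-established business line
    "+12025550166": 30,  # many complaints
    "+12025550199": 5,   # known robocaller
}
BLOCK_BELOW = 10     # assumed threshold: drop the call
LABEL_BELOW = 40     # assumed threshold: replace the Calling Name
UNKNOWN_SCORE = 50   # assumed neutral score for unlisted numbers


@dataclass
class Call:
    caller_id: str     # number claimed in signalling
    calling_name: str  # name that would normally be displayed
    verified: bool     # outcome of STIR/SHAKEN verification (assumed upstream)


def decide(call: Call, require_verified: bool = True) -> Tuple[str, Optional[str]]:
    """Return (action, display_name) for an incoming call."""
    if require_verified and not call.verified:
        # The claimed number is untrusted, so its reputation (good or
        # bad) says nothing about whoever is really calling.
        return ("deliver", "Unverified Caller")
    score = REPUTATION.get(call.caller_id, UNKNOWN_SCORE)
    if score < BLOCK_BELOW:
        return ("block", None)
    if score < LABEL_BELOW:
        return ("deliver", "Spam Risk")
    return ("deliver", call.calling_name)


# Constructed calls: the second claims the first one's number.
genuine = Call("+12025550101", "Acme Bank", verified=True)
spoofed = Call("+12025550101", "Acme Bank", verified=False)
complaints = Call("+12025550166", "Free Cruise", verified=True)
robocall = Call("+12025550199", "Car Warranty", verified=True)

if __name__ == "__main__":
    for c in (genuine, spoofed, complaints, robocall):
        print(c.caller_id, c.verified,
              "scored blindly:", decide(c, require_verified=False),
              "gated on verification:", decide(c))
```

Scored blindly, the spoofed call is indistinguishable from the genuine one and inherits its reputation; gated on verification, it does not.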