March 2025: The Role of Certificate Revocation and Trust Lists in STIR/SHAKEN

The STIR/SHAKEN ecosystem relies on two critical components to maintain its integrity: the Certificate Revocation List (CRL) and the Trusted CA List. These mechanisms form the backbone of trust and security in STIR/SHAKEN enabled networks.

The Trusted CA List

The Trusted CA List serves as the anchor of trust for STI (Secure Telephone Identity) certificates. This curated list ensures only verified entities can participate in the STIR/SHAKEN ecosystem.

Key Characteristics

• Strict Approval Process: Only approved Certificate Authorities (STI-CAs) can be included in this list.
• Dynamic Nature: The list is not static but evolves with the deployment of new root certificates or changes in the CA landscape.

Before obtaining an STI certificate, Service Providers must present a Service Provider Code (SPC) token to their STI-CA of choice, proving their eligibility. This ensures only authorized Service Providers are able to obtain a valid certificate to sign their calls. 

The Certificate Revocation List

The Certificate Revocation List (CRL) is a security mechanism that maintains a current list of certificates that are no longer considered trustworthy. Unlike static blacklists, the CRL is a dynamic, carefully managed inventory of compromised or invalidated certificates.

Reasons for Certificate Revocation

Certificates can be revoked for various critical reasons:

• Security Compromise: When there's evidence that a private key has been breached.
• Ecosystem Removal: When a Service Provider is expelled from the STIR/SHAKEN ecosystem.
• Certificate Replacement: Revoking older certificates when new ones are issued to prevent potential misuse.
• Policy Violations: Addressing breaches of established operational guidelines.
• Organizational Changes: Reflecting changes in an organization's structure or operational status.

Revocation Request Process

The revocation process is rigorous and involves multiple stakeholders:

• Revocation requests can be initiated by Service Providers, the Policy Administrator (STI-PA), Certificate Authorities (STI-CA), Governance Administrator (STI-GA), or regulatory bodies.
• Every revocation request undergoes thorough authentication by the STI-PA before being added to the CRL.

How the Revocation and CA List Protect the Network

STIR/SHAKEN Verification Services (STI-VS), typically operated by Terminating Service Providers, play a crucial role in maintaining network security. These services:

• Continuously update the CRL and Trusted CA List.
• Validate STIR/SHAKEN signatures against established criteria.
• Automatically reject calls from revoked certificates.

Consider a Service Provider being suspended from the STIR/SHAKEN ecosystem. With a properly integrated STI-VS, such as Sansay NSS, the network can immediately and automatically reject all traffic associated with that provider's revoked certificates, ensuring swift and comprehensive protection.

Another example are certificates with self-signed signatures or a root certificate outside of the Trusted CA List. While the signature of these calls may appear legit, if the certificate was not issued by an authorized CA, then all of this traffic is to be rejected. 

The Certificate Revocation List and Trusted CA List are more than administrative tools—they are dynamic systems that protect the integrity of the ecosystem. These lists ensure that the STIR/SHAKEN ecosystem remains secure, reliable, and resilient.