Background: Why STIR/SHAKEN Exists
STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are a pair of interlocking standards developed to combat illegal caller ID spoofing — the practice of falsifying the number displayed to a called party. Spoofing underlies the majority of robocall fraud and impersonation scams that have eroded consumer trust in voice calls over the past decade.
Mandated in the United States by the TRACED Act, and adopted in various forms across Canada, the UK, and the EU, STIR/SHAKEN uses cryptographic certificates to assert the relationship between a carrier and the calling number. Each call receives a PASSporT (Personal Assertion Token) — a digitally signed JSON structure embedded in the SIP Identity header.
The Three Attestation Levels Explained
The most operationally significant element of STIR/SHAKEN for service providers is the attestation level — a single character (A, B, or C) that communicates how much confidence the signing carrier has in the calling party's identity.
A — Full Attestation
The originating carrier fully attests that it has a direct relationship with the calling party, has verified their identity, and that the subscriber is authorised to use the calling number presented. This is the gold standard. Calls bearing A-attestation are given maximum trust by terminating carriers and analytics engines, resulting in the highest delivery rates and most favourable caller ID display outcomes.
To sign with A-attestation, a carrier must have provisioned the number to the customer directly and maintain records sufficient to demonstrate authorised use.
B — Partial Attestation
The originating carrier knows the customer but cannot fully verify that the customer is authorised to use the specific number presented. This commonly arises in reseller and aggregator scenarios where an intermediate provider has provisioned numbers that the signing carrier cannot directly verify. B-attestation still provides meaningful fraud reduction — it confirms the call entered the PSTN from an identifiable source — but is treated with less trust than A by termination analytics.
C — Gateway Attestation
The carrier is signing at the point of entry to the IP network from a non-IP origin (e.g. TDM interconnect, international gateway) and cannot make any assertion about the calling party. C-attestation is the weakest form and is frequently associated with international traffic transiting multiple carriers. Calls bearing C-attestation are more likely to be flagged by spam analytics and may display reduced or no caller ID branding on the called party's device.
Impact on Routing and Delivery Rates
Downstream carriers and analytics providers — including Hiya, First Orion, and TNS — factor attestation level heavily into spam probability scoring. In 2026, the correlation between A-attestation and clean delivery is well established:
- A-attested calls see answer rates up to 35% higher than C-attested calls in analytics-equipped networks.
- Calls without a PASSporT (unsigned) are increasingly blocked outright by major carriers in the US and Canada.
- EU implementations under eIDAS 2.0 are beginning to mirror the A/B/C framework with cross-border attestation portability.
Obligations for Originating and Transit Carriers
If you are an originating carrier, you are responsible for signing all calls before they leave your network. If you cannot achieve A-attestation for a given trunk, you must document why and apply the appropriate lower level — signing with a higher attestation than you can verify is a regulatory violation.
Transit carriers handling calls they did not originate must pass through any existing PASSporT without modification. If a call arrives unsigned, a transit carrier may apply C-attestation at the gateway, but must not strip or alter an existing signature.
Certificate Management and the SHAKEN PKI
Signing requires a certificate issued by an approved Certificate Authority (CA) within the SHAKEN Public Key Infrastructure (PKI), governed by the STI-GA (Secure Telephone Identity Governance Authority). Certificates must be renewed regularly and stored securely. Certificate compromise or expiry causes signing to fail — resulting in unsigned calls that terminating carriers treat as untrusted.
Best practice in 2026 is to automate certificate lifecycle management rather than relying on manual renewal processes. Mokrina handles certificate management for all customers routing traffic through our network, eliminating this operational overhead.
Practical Steps for Service Providers
- Audit your number inventory to confirm which numbers you can legitimately sign with A-attestation.
- Review your reseller agreements to understand what attestation level is appropriate for their traffic.
- Implement automated PASSporT generation on your Session Border Controllers (SBCs).
- Monitor attestation distribution in your CDRs — a sudden spike in B or C attestation may indicate a provisioning or configuration issue.
- Engage your upstream carriers to confirm their attestation policies and transit handling.