by harrall 547 days ago
Phone calls now produce JSON Web Tokens that identify users with cryptographic signatures. This was codified around 2018 by the IETF, SIP Forum, and ATIS.

So the public phone system now supports it, but the problem is that not all providers support it yet, which fundamentally weakens the system. Of course, you can’t just add a new “protocol version” to an over-100-year-old phone system with zero time to do a migration.*

But now that it’s been a few years, we are reaching a point where, at least for the US, the FCC wants to ban any provider who hasn’t added support.

*simplification

2 comments

Are the signatures available to the end user? I would love to set up a call screener that only accepts verified calls, as most spam uses spoofed numbers. I'm assuming that the major players implement the protocol at least... I'm OK if the filter rejects things that aren't real land lines or cell phones.
> Are the signatures available to the end user?

That's up to your carrier.

In general "hosted" services will hide the actual token from the end user, though they may offer either filtering features or the ability to tag calls in the Caller ID based on their signature.

Trunking services designed to feed in to a customer-controlled PBX will usually offer either the same sorts of filtering/tagging or complete passthrough of the token.

This is only possible if the call transits through all IP networks. If the call at any point goes over TDM, and out-of-band SHAKEN is not implemented, then the signature is lost.

End-to-end authenticated calls are the ideal state, but I don't think we're fully there yet.

Definitely not even close to fully there yet but getting the VoIP providers to do it is an important step.

Rolling this out is like when the world first rolled out DKIM/SPF for email. You need to reach a critical mass of adoption before the data is useful.
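
For the call-screener idea raised in the thread, in the case where a trunk passes the token through to a customer-controlled PBX: the following is an added example, not code from any commenter or carrier, that checks a SHAKEN PASSporT (the JWT carried in the SIP `Identity` header) before accepting a call. The function names, phone numbers, certificate URL and throwaway key pair are constructed, and it assumes the signer's public key was already taken from the `x5u` certificate after validating its chain.

```javascript
const crypto = require('crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const parse = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const reject = (reason) => ({ accept: false, reason });

// Constructed test input: builds the Identity header an originating carrier would attach.
function signIdentity(privateKey, claims, x5u) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)};info=<${x5u}>;alg=ES256;ppt=shaken`;
}

// Assumption: publicKey came from the certificate at x5u after chain validation (not shown).
function screenCall(identity, fromTn, toTn, publicKey, nowSec) {
  if (!identity) return reject('unsigned'); // e.g. the header was lost on a TDM hop
  const parts = identity.split(';')[0].trim().split('.');
  if (parts.length !== 3) return reject('malformed');
  let header, claims;
  try {
    header = parse(parts[0]); claims = parse(parts[1]);
    if (!header || !claims) throw new Error('empty');
  } catch { return reject('malformed'); }
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return reject('unsupported');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url'); // JWS ES256 signature is raw r||s
  if (!crypto.verify('sha256', signed, { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig))
    return reject('bad-signature');
  // Freshness window of 60 s is this example's choice; rejects replayed tokens.
  if (!(Math.abs(nowSec - claims.iat) <= 60)) return reject('stale');
  const dest = [].concat(claims.dest?.tn ?? []);
  if (claims.orig?.tn !== fromTn || !dest.includes(toTn)) return reject('number-mismatch');
  // Only attestation level A means the carrier vouches for the calling number.
  if (claims.attest !== 'A') return reject(`attest-${claims.attest}`);
  return { accept: true, reason: 'attest-A' };
}

// Demo with a throwaway P-256 key pair and constructed numbers.
function demo(now = 1700000000) {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const claims = { attest: 'A', dest: { tn: ['12025550123'] }, iat: now,
    orig: { tn: '12025550100' }, origid: crypto.randomUUID() };
  const id = signIdentity(privateKey, claims, 'https://cert.example.invalid/sti.pem');
  return { verified: screenCall(id, '12025550100', '12025550123', publicKey, now + 5),
    spoofed: screenCall(id, '12025550199', '12025550123', publicKey, now + 5),
    unsigned: screenCall(undefined, '12025550100', '12025550123', publicKey, now) };
}
console.log(demo());
```
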