STIR/SHAKEN CA Ecosystem Compliance

Approved Certificate Authorities in the STIR/SHAKEN ecosystem are required to meet technical requirements from ATIS-1000080 and policy requirements from the supporting CA ecosystem’s Certificate Policy.

This report is broken int two parts:

One generated using Zlint a tool commonly used to asses CA ecosystem compliance with such requirements. The tests used to generate this report are currently not part of the main Zlint distribution but can be found here.
One generated with a custom script that eumerates the known STIR/SHAKEN certificates and asses each repository against the current rule set . The source for this test can be found here while the report itself can be found here.

Summary

Leaf Certificates

10211 certificates were included in the corpus being tested
820 certificates in the corpus were skipped because they are duplicates
8546 certificates in the corpus were skipped because they are expired
471 certificates in the corpus were skipped because they are not currently trusted
374 certificates being tested against the remaining rules
1.69 issues on average found in unexpired, trusted, and non-compliant certificates
92.25% of certificates contain one or more Error level issue
0.00% of certificates contain one or more Warning level issue
0.00% of certificates contain one or more Notice level issue
12.30% of certificates are too old to be assessed against currently enforced expectations
494 days is the average remaining validity for the certificates in the corpus
494 days is the average initial validity for the certificates in the corpus
50 certificates expire in the next 30 days
14.84 average number of unexpired certificates per OCN observed
688 unique OCNs observed in unexpired and valid certificate corpus

CA Certificates

48 certificates were included in the corpus being tested
0 certificates in the corpus were skipped because they are duplicates
0 certificates in the corpus were skipped because they are expired
7 certificates in the corpus were skipped because they are not currently trusted
41 certificates being tested against the remaining rules
2.29 issues on average found in unexpired, trusted, and non-compliant certificates
41.46% of certificates contain one or more Error level issue
0.00% of certificates contain one or more Warning level issue
0.00% of certificates contain one or more Notice level issue
70.73% of certificates are too old to be assessed against currently enforced expectations
5690 days is the average remaining validity for the certificates in the corpus
5612 days is the average initial validity for the certificates in the corpus
0 certificates expire in the next 30 days

Certificate Repository URL

88.77% of certificate repository URLs contain one or more Error level issue
92.51% of certificates repository URLs contain one or more Warning level issue
0.00% of certificates repository URLs contain one or more Notice level issue

Details

* The percent of certificates per issuer is calculated against total certificates from all issuers.
** The percent of errors, warnings and notices is calculated against total observed certificates from the specified issuer.
*** Tests use the ATIS-1000080 and Certificate Policy versions release dates to determine if tests are ran. Certificates issued before these dates are not executed as the rules may not have been enforce at the time.

Leaf Certificates

Issuers	Certificates	Errors	Warnings	Notices	Not Effective
GBSDTech	4 (1.07%)	4 (100.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
Martini Security	16 (4.28%)	0 (0.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
Metaswitch	64 (17.11%)	64 (100.00%)	0 (0.00%)	0 (0.00%)	36 (56.25%)
NetNumber	3 (0.80%)	3 (100.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
Neustar	144 (38.50%)	144 (100.00%)	0 (0.00%)	0 (0.00%)	10 (6.94%)
Peeringhub	17 (4.55%)	11 (64.71%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
Ribbon Communications	19 (5.08%)	19 (100.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
Sansay	69 (18.45%)	69 (100.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
T-Mobile	1 (0.27%)	1 (100.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
Telonium	21 (5.61%)	15 (71.43%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
TransNexus	16 (4.28%)	15 (93.75%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
Total	374 (100.00%)	345 (92.25%)	0 (0.00%)	0 (0.00%)	46 (12.30%)

CA Certificates

Issuers	Certificates	Errors	Warnings	Notices	Not Effective
CTIA	1 (2.44%)	1 (100.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
Comcast	2 (4.88%)	0 (0.00%)	0 (0.00%)	0 (0.00%)	2 (100.00%)
GBSDTech	3 (7.32%)	2 (66.67%)	0 (0.00%)	0 (0.00%)	2 (66.67%)
Martini Security	4 (9.76%)	0 (0.00%)	0 (0.00%)	0 (0.00%)	2 (50.00%)
Metaswitch	4 (9.76%)	4 (100.00%)	0 (0.00%)	0 (0.00%)	2 (50.00%)
NetNumber	3 (7.32%)	2 (66.67%)	0 (0.00%)	0 (0.00%)	3 (100.00%)
Neustar	6 (14.63%)	1 (16.67%)	0 (0.00%)	0 (0.00%)	6 (100.00%)
Peeringhub	2 (4.88%)	2 (100.00%)	0 (0.00%)	0 (0.00%)	2 (100.00%)
Ribbon Communications	2 (4.88%)	1 (50.00%)	0 (0.00%)	0 (0.00%)	2 (100.00%)
Sansay	2 (4.88%)	0 (0.00%)	0 (0.00%)	0 (0.00%)	2 (100.00%)
T-Mobile	4 (9.76%)	1 (25.00%)	0 (0.00%)	0 (0.00%)	4 (100.00%)
Telonium	5 (12.20%)	3 (60.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
TransNexus	3 (7.32%)	0 (0.00%)	0 (0.00%)	0 (0.00%)	2 (66.67%)
Total	41 (100.00%)	17 (41.46%)	0 (0.00%)	0 (0.00%)	29 (70.73%)

Key

Type	Description
Errors	Tests in which the specifications are unambiguous on what the expected behavior must be.
Warnings	Tests in which the specifications are ambiguous or are provide only a recommendation.
Notices	Tests in which industry best practices are not followed.
Not Effective	Tests that exist in the current specifications but were not in effect at the time of issuance.

Generated: 05 Apr 24 19:04 UTC

This site is open source. Improve this page.