STIR/SHAKEN CA Ecosystem Compliance

Approved Certificate Authorities in the STIR/SHAKEN ecosystem are required to meet technical requirements from ATIS-1000080 and policy requirements from the supporting CA ecosystem’s Certificate Policy.

This report is broken int two parts:

One generated using Zlint a tool commonly used to asses CA ecosystem compliance with such requirements. The tests used to generate this report are currently not part of the main Zlint distribution but can be found here.
One generated with a custom script that eumerates the known STIR/SHAKEN certificates and asses each repository against the current rule set . The source for this test can be found here while the report itself can be found here.

Summary

Leaf Certificates

4354 certificates were included in the corpus being tested
285 certificates in the corpus were skipped because they are duplicates
3472 certificates in the corpus were skipped because they are expired
7 certificates in the corpus were skipped because they are not currently trusted
590 certificates being tested against the remaining rules
3.63 issues on average found in unexpired, trusted, and non-compliant certificates
92.20% of certificates contain one or more Error level issue
48.81% of certificates contain one or more Warning level issue
1.53% of certificates contain one or more Notice level issue
10.85% of certificates are too old to be assessed against currently enforced expectations
280 days is the average remaining validity for the certificates in the corpus
280 days is the average initial validity for the certificates in the corpus
316 certificates expire in the next 30 days
9.44 average number of unexpired certificates per OCN observed
461 unique OCNs observed in unexpired and valid certificate corpus

CA Certificates

40 certificates were included in the corpus being tested
0 certificates in the corpus were skipped because they are duplicates
0 certificates in the corpus were skipped because they are expired
5 certificates in the corpus were skipped because they are not currently trusted
35 certificates being tested against the remaining rules
2.04 issues on average found in unexpired, trusted, and non-compliant certificates
54.29% of certificates contain one or more Error level issue
48.57% of certificates contain one or more Warning level issue
2.86% of certificates contain one or more Notice level issue
65.71% of certificates are too old to be assessed against currently enforced expectations
5568 days is the average remaining validity for the certificates in the corpus
5573 days is the average initial validity for the certificates in the corpus
0 certificates expire in the next 30 days

Certificate Repository URL

47.63% of certificate repository URLs contain one or more Error level issue
77.63% of certificates repository URLs contain one or more Warning level issue
0.00% of certificates repository URLs contain one or more Notice level issue

Details

* The percent of certificates per issuer is calculated against total certificates from all issuers.
** The percent of errors, warnings and notices is calculated against total observed certificates from the specified issuer.
*** Tests use the ATIS-1000080 and Certificate Policy versions release dates to determine if tests are ran. Certificates issued before these dates are not executed as the rules may not have been enforce at the time.

Leaf Certificates

Issuers	Certificates	Errors	Warnings	Notices	Not Effective
Comcast	52 (8.81%)	52 (100.00%)	52 (100.00%)	0 (0.00%)	0 (0.00%)
GBSDTech	3 (0.51%)	3 (100.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
Martini Security	46 (7.80%)	0 (0.00%)	0 (0.00%)	1 (2.17%)	0 (0.00%)
Metaswitch	50 (8.47%)	50 (100.00%)	1 (2.00%)	0 (0.00%)	39 (78.00%)
NetNumber	8 (1.36%)	8 (100.00%)	1 (12.50%)	8 (100.00%)	0 (0.00%)
Neustar	138 (23.39%)	138 (100.00%)	26 (18.84%)	0 (0.00%)	25 (18.12%)
Peeringhub	7 (1.19%)	7 (100.00%)	1 (14.29%)	0 (0.00%)	0 (0.00%)
Ribbon Communications	10 (1.69%)	10 (100.00%)	10 (100.00%)	0 (0.00%)	0 (0.00%)
Sansay	187 (31.69%)	187 (100.00%)	187 (100.00%)	0 (0.00%)	0 (0.00%)
T-Mobile	2 (0.34%)	2 (100.00%)	2 (100.00%)	0 (0.00%)	0 (0.00%)
TransNexus	87 (14.75%)	87 (100.00%)	8 (9.20%)	0 (0.00%)	0 (0.00%)
Total	590 (100.00%)	544 (92.20%)	288 (48.81%)	9 (1.53%)	64 (10.85%)

CA Certificates

Issuers	Certificates	Errors	Warnings	Notices	Not Effective
Comcast	2 (5.71%)	0 (0.00%)	0 (0.00%)	0 (0.00%)	2 (100.00%)
GBSDTech	2 (5.71%)	1 (50.00%)	0 (0.00%)	0 (0.00%)	2 (100.00%)
Martini Security	3 (8.57%)	0 (0.00%)	0 (0.00%)	1 (33.33%)	0 (0.00%)
Metaswitch	2 (5.71%)	2 (100.00%)	0 (0.00%)	0 (0.00%)	2 (100.00%)
NetNumber	3 (8.57%)	2 (66.67%)	2 (66.67%)	0 (0.00%)	3 (100.00%)
Neustar	6 (17.14%)	4 (66.67%)	6 (100.00%)	0 (0.00%)	4 (66.67%)
Peeringhub	2 (5.71%)	2 (100.00%)	2 (100.00%)	0 (0.00%)	1 (50.00%)
Ribbon Communications	2 (5.71%)	2 (100.00%)	2 (100.00%)	0 (0.00%)	2 (100.00%)
Sansay	2 (5.71%)	0 (0.00%)	2 (100.00%)	0 (0.00%)	1 (50.00%)
T-Mobile	4 (11.43%)	1 (25.00%)	0 (0.00%)	0 (0.00%)	3 (75.00%)
Telonium	2 (5.71%)	2 (100.00%)	0 (0.00%)	0 (0.00%)	0 (0.00%)
TransNexus	5 (14.29%)	3 (60.00%)	3 (60.00%)	0 (0.00%)	3 (60.00%)
Total	35 (100.00%)	19 (54.29%)	17 (48.57%)	1 (2.86%)	23 (65.71%)

Key

Type	Description
Errors	Tests in which the specifications are unambiguous on what the expected behavior must be.
Warnings	Tests in which the specifications are ambiguous or are provide only a recommendation.
Notices	Tests in which industry best practices are not followed.
Not Effective	Tests that exist in the current specifications but were not in effect at the time of issuance.

Generated: 02 Jun 23 01:12 UTC

This site is open source. Improve this page.