Roger Anderson's Caller-ID Vouching and Vetting
IETF STIR WG announce · Roger Anderson · May 8, 2026
Roger Anderson of Jolly Roger Telephone Company has posted a new Internet-Draft, Caller-ID Vouching and Vetting (CIDVV), that proposes verifying caller identity by reachability. The mechanism: before the real call goes out, the originator’s CIDVV platform places a short, intentionally failing vouching call with a reserved digit prefix (“100” or “101”) and a token encoded inside the Calling Party Number. The terminating side observes the failure response, caches an (Asserted-Caller-ID, CIDVV-Token) tuple, and — when the real call arrives — looks the tuple up to confirm the calling party can actually receive a call at the number they claimed. No PKI, no new SIP headers, no SS7 changes. As the abstract puts it: CIDVV “improves resistance to Caller-ID spoofing by requiring demonstrable control of the Asserted Caller-ID, while remaining incrementally deployable and tolerant of intermediate network modification.”
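The terminating-side cache described above, sketched as an added example that is not code from the draft or from Jolly Roger Telephone Company. The Calling Party Number layout (reserved prefix followed directly by token digits), the 30-second lifetime, single-use tokens, and the way the caller ID and token reach `observe_vouch` and `verify_call` are assumptions; this page does not specify them.

```python
import time

VOUCH_PREFIXES = ("100", "101")   # reserved prefixes named on the page
CACHE_TTL_SECONDS = 30            # assumption: the page gives no lifetime


def parse_vouching_cpn(calling_party_number):
    """Return the token from a vouching call's Calling Party Number, or None.

    Assumed layout: reserved prefix followed directly by ASCII token digits.
    """
    for prefix in VOUCH_PREFIXES:
        if calling_party_number.startswith(prefix):
            token = calling_party_number[len(prefix):]
            if token.isascii() and token.isdigit():
                return token
    return None


class VouchCache:
    """Terminating-side cache of (Asserted-Caller-ID, CIDVV-Token) tuples."""

    def __init__(self, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._entries = {}  # (asserted_caller_id, token) -> expiry time

    def observe_vouch(self, asserted_caller_id, calling_party_number):
        """Record a tuple once the vouching call's failure response is seen."""
        token = parse_vouching_cpn(calling_party_number)
        if token is None:
            return False  # not a vouching call: nothing is cached
        self._entries[(asserted_caller_id, token)] = self._clock() + self._ttl
        return True

    def verify_call(self, caller_id, token):
        """True only if an unexpired tuple matches; each tuple is used once."""
        # pop() removes the entry so a replayed token cannot verify twice
        expiry = self._entries.pop((caller_id, token), None)
        return expiry is not None and self._clock() <= expiry
```

A call claiming a number for which no vouch was cached, or presenting a token after its lifetime, fails `verify_call`; what the terminator then does with the call is a policy choice outside this sketch.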
It is worth knowing where this comes from. Jolly Roger Telephone Company is the outfit behind the long-running Lenny-style honeypot bots — the project that has done more than most to actually waste scammers’ time. Anderson has spent years in the parts of the call graph where the protocol stack does not protect anyone: international gateways, TDM tails, the long edges where SHAKEN attestation has been laundered out by the time the call arrives.
The reason to read the draft carefully, though, is that it is quite a departure from the normal call model. Every authenticated call now requires two signaling transactions — the preceding vouch and the call itself — where STIR delivers identity attestation inside the one transaction that has to happen anyway. CIDVV also asks the originating and terminating platforms to share a credential, in the form of token semantics and cache state they both interpret the same way, where STIR asks the terminator only to fetch an easily attainable certificate and verify a signature against the public chain. That is a meaningful asymmetry in per-call cost and in the bilateral coordination required between every pair of participating endpoints. An interesting take all the same — and glad Roger is contributing it. The instinct that the unattested long tail needs something is the right instinct, and proposals from that vantage point are the kind of work worth having on the table.
(And the choice of “100” and “101” as the reserved prefixes is, this publication is obliged to note, a perfectly acceptable Applied Bits.)