appliedbits
Last updated 2026-05-06 drafted

RFC 8588 — PASSporT Extension for SHAKEN

RFC 8588 (Wendt, Barnes — May 2019) is the IETF specification that defines the SHAKEN PASSporT extension type. It encodes the attestation level (A, B, or C — the originating provider’s confidence in the calling party’s authority over the calling number) and the origination identifier (origid — a UUID identifying the originating service-provider component within its network) into a PASSporT, registers them in the JWT Claims registry, and registers shaken as a PASSporT extension type. I am co-author. The document is the IETF protocol substrate under ATIS-1000074, the SHAKEN operational specification — every SHAKEN-signed call in deployment carries an 8588 PASSporT.

What it specifies

Two JWT claims plus the PASSporT type registration:

  • The attest claim. A string-valued claim with three permitted values — A, B, or C — corresponding to full, partial, and gateway attestation as defined by SHAKEN. The semantics of each level are defined in the ATIS spec; this document just encodes them on the wire.
  • The origid claim. A UUID identifying the originating service-provider component (or class of components) that signed the PASSporT. Used downstream for analytics and traceback when calls are problematic — provides a within-network identifier without leaking customer identity.
  • The shaken PASSporT extension type. Registered in the PASSporT Extensions registry per RFC 8225. The type discriminator tells verifiers that the PASSporT carries the SHAKEN-specific claims.

The on-the-wire structure is otherwise standard PASSporT — a JWS-signed JSON token with the base claims (orig, dest, iat) plus the SHAKEN-specific additions.
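As an added example (not the RFC's own code nor this entry's), the Python below builds the canonical JWS signing input for a SHAKEN PASSporT and runs the verifier-side claim checks described above; the ES256 signature step is left out, and the version-4 UUID check on origid is this example's own privacy heuristic for spotting structured identifiers, not an RFC 8588 requirement. Telephone numbers, the x5u URL, and the UUIDs are constructed sample values.

```python
import base64
import json
import uuid

VALID_ATTEST = {"A", "B", "C"}  # full, partial, gateway attestation (RFC 8588)


def b64url(raw: bytes) -> str:
    # JWS compact serialization uses unpadded base64url (RFC 7515).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def canonical(obj: dict) -> bytes:
    # RFC 8225 section 9: deterministic serialization, keys sorted, no whitespace.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_shaken_passport(orig_tn, dest_tn, iat, attest, origid, x5u):
    """Return the unsigned signing input (header.payload) of a SHAKEN PASSporT."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": origid}
    return b64url(canonical(header)) + "." + b64url(canonical(payload))


def check_shaken_claims(token: str) -> list:
    """Claim-level checks a verifier applies to a PASSporT (signature checked separately)."""
    problems = []
    head_b64, body_b64 = token.split(".")[:2]
    pad = lambda s: s + "=" * (-len(s) % 4)
    header = json.loads(base64.urlsafe_b64decode(pad(head_b64)))
    payload = json.loads(base64.urlsafe_b64decode(pad(body_b64)))
    if header.get("ppt") != "shaken":
        problems.append("ppt is not 'shaken'")
    for claim in ("orig", "dest", "iat"):  # RFC 8225 base claims
        if claim not in payload:
            problems.append("missing base claim " + claim)
    if payload.get("attest") not in VALID_ATTEST:
        problems.append("attest %r is not one of A/B/C" % payload.get("attest"))
    try:
        # Heuristic (assumption, not an 8588 rule): a non-random UUID suggests a
        # structured origid that could be correlated across calls.
        if uuid.UUID(str(payload.get("origid"))).version != 4:
            problems.append("warning: origid is not a random (version 4) UUID")
    except ValueError:
        problems.append("origid is not a UUID")
    return problems
```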

Why a revision is in flight

The originally specified attest and origid claim formats allow encoding choices that, in retrospect, expose more information than necessary. The privacy considerations section of 8588 itself flags the concern: an origid generated with a predictable structure can leak information about service elements through correlation across calls. draft-ietf-stir-8588bis is the active working-group document that revises 8588 to tighten these areas, register the type more cleanly, and incorporate operational lessons from the years since deployment.

The revision will obsolete this RFC when published. For now, all deployed SHAKEN signing follows the original 8588 spec.

Where this document is referenced

  • SHAKEN is the operational framework that profiles this PASSporT extension into the deployed US ecosystem.
  • Attestation levels covers the A/B/C semantics that this document encodes.
  • RFC 8225 is the base PASSporT spec that 8588 extends.
  • draft-ietf-stir-8588bis is the in-flight revision.