
[ietf-dkim] SSP: The WalMart Analogy

2006-08-06 22:09:28
SSP: Wal-Mart Analogy

I personally dislike analogies since they are always subjective, but when I can
get my wife to understand the technical work and time I am spending here and
get her to actually provide eye-widening feedback, then maybe this Wal-Mart
analogy is pretty good at illustrating all the points the parties have with
SSP.

Background:

A few weeks back, my Mr. Coffee maker stopped working after dinner and I wanted
to go to a local store to pick up a new one. I asked my wife where I could go
nearby and she said:

Andrea:

  "You can go to the new Wal-Mart. I just got a Wal-Mart card. I
   just have to sign it, call it in and authorize it."

Hector:

  "Oh good, so you can come with me. Never been in Wal-Mart."

Andrea:

  "Oh no, you go... wait no, it's under my name.... Do you really
   need it now? I will go tomorrow. Use the Espresso maker."

Hector:

  "Nah, I need my regular juice. OK, just call it up and put me
   on the list."

Andrea:

  "Can I do that?"

Hector:

  "Ask them.  I doubt the Wal-Mart cashier is going to check anyway,
   and even if they do, I'll pay cash. I'm just going to get one of
   those 4 cup Mr. Coffee makers for $20-30."

Andrea calls up the 800 number, signs it and asks the CSR if her husband can
use it.  Listening to her reiterate the CSR response out loud, they said no,
but she can add my name to the list and they will send out my own card.

Andrea:

  "You can't use it. I'll go tomorrow."

Hector:

  "Just give it to me. I doubt they are going to check."


So I go to Wal-Mart, a HUGE complex; the elderly store guide in the
lobby pointed out the area of the store I had to go to. A good exercise
walk. I picked it up, and went to the "less than 10 items" check
out line.

There were two people ahead of me.  I noticed a card reader. I thought to
myself that I don't look like a criminal, dressed cleanly, good professional
haircut, a low cost item, she is not going to ask me for I.D.

Processing the two people ahead of me, one used cash and the
other used a check, for which the cashier asked for two I.D.s.

I wondered now if maybe she would ask for an I.D. Will she look
at the card name and notice the woman's name?  Maybe she will misread
it as Andrew?

Well, she did not ask for the I.D. or look at the card. I swiped
the card in the card reader, got the receipt and carried the box out of
the store trying not to act suspicious. I felt like I got away with murder!
<g>

Yesterday, in trying to explain the different philosophies in
this group, I used the Wal-Mart example where I was allowed to
use the card when it was company policy that I do not.

I raised the question to her:

   "Why didn't the Wal-Mart cashier ask for my I.D. or check the
    card name or check to see if it was signed?   Your card,
    your email address, could have been stolen!"

With that she understood the debate about DKIM and signature
policies.

Her basic reaction was:

   "Wal-Mart should have checked even if you were my husband. This
    is why we have identity theft...  This is why we have stolen
    cards and fraud... The workers in Wal-Mart are idiots!"

Now I switched into devil's advocate mode and asked:

   "So unless the Wal-Mart workers follow policy, it doesn't
    matter what security measures you have?"

Andrea:

   "Absolutely, they have to check, otherwise I could have
    been blamed for any fraudulent purchases."

Hector:

   "But maybe, like AMEX who has a $50 trigger point, that's
    still true, right?  Anyway, maybe if I was buying a T.V.,
    or a camera, a High-Value item like High-Value Email,
    maybe then she would check? No?"

Andrea:

   "I hope so!! But they should do it FOR all purchases and
    for DKIM emails too! No excuse."

I was really tickled pink that she threw in "DKIM emails" :-)

Hector:

   "But let's now switch it around. Suppose it was my card and
    you wanted to go to Wal-Mart to buy some things. I know
    you will scream bloody hell.. 'I'm his WIFE!! Call
    the OFFICE!!'..."

Andrea:

   "Eh, well, true, and you would have done the same, but that
    is why we have so many damn problems with I.D. theft
    and stolen cards. You tell that Levine guy he is wrong."

Hector:

   "But maybe he is right. If the cashier was suspicious of me,
    she would then maybe ask for I.D.  After all, I look more
    Jewish than you do, and you look more Latin than me! You're
    the one with the olive skin! So either you like me or you
    don't.  If I look suspicious, the cashier will check."

Andrea:

   "Well, they should check the obvious - card name! That is
    very obvious!  If it is different, then ask for the I.D. and
    then call the office and see that I had just put your name on
    the list..."

Hector:

   "Right! That is what I am saying! You always check!  And
    like the other guy Doug was saying... check the list."

I also added:

   "It is like the first level checks a cop does when he
    asks for your driver's license and registration. If the
    obvious things he expects on the I.D. do not match, it
    raises red flags!"

Andrea:

   "Yes, you should always check. Wal-Mart was wrong!"

Hector:

   "Wal-Mart or the cashier?  Remember there might be some
    condition or purchase amount before they ask questions. What
    we are really talking about is the amount of damage that can
    happen, not just to Wal-Mart but to you.  They are not going to
    waste time with low-value $20.00 items."

Andrea:

   "Why not? They should always check because it is the
    little guy that will pay the price anyway. If the big
    guys are going to let the little things go by, the crooks
    will also try to do the little things to the little companies
    where $20 means something to them!"

Hector:

   "That's why I married you! <kiss>. Can you brew me some
    coffee?"

And with that, it ended.

Analysis:

I guess there are all kinds of angles to take here, including
that it doesn't apply.

But I think it does, and it's the very essence of what is going on.

I have the strong belief that strong compliance with the
expectation of operations is the first thing required in order to
secure the DKIM-BASE signature.  I have the belief that once DKIM
is released to the market, that will also be the natural
expectation of customers too. Finally, something to protect my
domain!!

On the other hand, there might be a payoff in what type of
messages are considered worth such high scrutiny.  I think Doug
touched base on this idea, which was also proposed as part of
CAN-SPAM; I believe Carl Malamud also had a 2-3 year old I-D on a
message type ident.

But I believe even then, there is a strong compliance concept as
well.  If I don't want X kind of mail, and the sender sends Y
kind of mail, that is a strong indication of failure just as
well.  A policy based on message type was not met.

Then we have the idea of using 1 card (domain) for multiple
people. The ISP and all its low-tier users use the same domain
name for their unique email addresses. They can use the same card
(domain) to send mail (make purchases).

All in all, from a big picture standpoint we need all these
things, including "Subjective" reputation ideas.

My only real point in this story is that it won't really matter
much in addressing mail problems if the expectation for protocol
and policy compliance and consistency is weak.
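To make the "check the card name against the list" rule concrete, here is a
small policy evaluator added as an illustration; it is not code from the
list discussion or from any SSP draft. The practice labels (SIGN_ALL,
SIGN_SOME), the per-message type label, the domain names and the policy
table are all assumptions constructed for this example. The checks run in
the order the cashier should have used: look up the card (the sender's
policy), compare the name on it (the verified signer) with the sender and
with the names on the list (authorized third-party signers), and treat a
message type the policy does not allow as a failure even when the signature
itself is good.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Practices a sending domain can declare. These two labels are an assumption
# made for this example, not the vocabulary of any SSP draft.
SIGN_ALL = "all"    # every message from the domain is signed by the domain
SIGN_SOME = "some"  # only some mail is signed; an unsigned message proves nothing


@dataclass
class SenderPolicy:
    domain: str
    practice: str
    # Third parties the domain has put "on the list" (the wife adding the
    # husband's name to the Wal-Mart card).
    third_party_signers: Set[str] = field(default_factory=set)
    # Message types the domain says it sends; empty means no restriction.
    message_types: Set[str] = field(default_factory=set)


@dataclass
class Message:
    from_domain: str                    # domain of the From: address
    verified_signer: Optional[str]      # d= of a signature that verified, or None
    message_type: Optional[str] = None  # hypothetical per-message type label


# Constructed policy table standing in for a DNS lookup of the sender's policy.
POLICIES: Dict[str, SenderPolicy] = {
    "bank.example": SenderPolicy("bank.example", SIGN_ALL,
                                 message_types={"transactional"}),
    "isp.example": SenderPolicy("isp.example", SIGN_SOME,
                                third_party_signers={"relay.example"}),
}


def evaluate(msg: Message, policies: Dict[str, SenderPolicy] = POLICIES) -> str:
    """Check one message against its sender's declared policy.

    Returns 'pass', 'pass: ...', 'unsigned-ok', 'no-policy', or 'fail: <reason>'.
    """
    policy = policies.get(msg.from_domain)
    if policy is None:
        # Nothing published: there is no policy to be non-compliant with.
        return "no-policy"

    # "I don't want X kind of mail and the sender sends Y": a message-type
    # mismatch is a policy failure regardless of the signature.
    if policy.message_types and msg.message_type not in policy.message_types:
        return (f"fail: message type {msg.message_type!r} "
                f"not permitted by {policy.domain}")

    if msg.verified_signer is None:
        if policy.practice == SIGN_ALL:
            return f"fail: {policy.domain} says all mail is signed, this message is not"
        return "unsigned-ok"

    if msg.verified_signer == policy.domain:
        return "pass"  # the name on the card matches the shopper
    if msg.verified_signer in policy.third_party_signers:
        return "pass: third-party signer on the list"
    # A different name on the card and not on the list: the check the
    # cashier skipped.
    return (f"fail: signer {msg.verified_signer!r} is neither "
            f"{policy.domain} nor on its list")


if __name__ == "__main__":
    # Constructed sample messages covering each branch of the evaluator.
    samples = [
        Message("bank.example", "bank.example", "transactional"),
        Message("bank.example", None, "transactional"),
        Message("bank.example", "bank.example", "newsletter"),
        Message("isp.example", None),
        Message("isp.example", "relay.example"),
        Message("isp.example", "phisher.example"),
        Message("nobody.example", "nobody.example"),
    ]
    for m in samples:
        print(f"{m.from_domain:16} signer={m.verified_signer!s:16} -> {evaluate(m)}")
```

The "unsigned-ok" verdict for a SIGN_SOME domain is the $20 purchase in the
story: the policy says not to spend effort there, so the evaluator does not
escalate. Everything a SIGN_ALL domain sends, and every signer name that does
not match the card or the list, is checked every time.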

---
Hector Santos


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html