On May 26, 2010, at 12:46 PM, Brett McDowell wrote:
Paypal is claiming an operational benefit, but haven't actually
demonstrated that ADSP either provides that benefit, nor that
those benefits can't be provided in a significantly cheaper manner.
I thought I had. Remember that business about 100 million phishing attacks
being blocked (DKIM alone would not have delivered that... it was our policy
assertion and the acceptance to act on that policy assertion that made this
happen)?
Should ADSP be deployed widely, and it were to be used by PayPal, then any of
the smarter phishers would not continue to send mail that would not be
delivered.
They would continue to send phish email, of course, just not of a form that
would be blocked by ADSP. At best this would cause the badly done phishing
emails to be blocked while allowing the ones sent by smarter criminals to be
delivered.
Given that, it's not something that will provide any benefit once ADSP is
deployed - maybe just the opposite, as it will effectively neuter the approach
you're currently using. You may win the battle of preventing use of the string
"paypal.com" in the non-displayed part of the From: field, yet lose the war of
protecting your users from phishers.
What do I need to show you guys before you accept that I have demonstrated
that ADSP provides operational benefit?
You need to go beyond "We do this" to "We do this, and our opponents will
respond with that, and we will respond with the other ...". This isn't a
protocol that's used solely between honest peers, it's something that is solely
for thwarting bad guys in a hostile environment.
There are clearly approaches that can be build on top of DKIM that would be
extremely effective in that environment. There's no data so far to suggest that
ADSP is one of them.
(ADSP could provide benefits when combined with something like certification or
whitelisting - but in those cases you can skip the publication of ADSP records
altogether, and apply the certification or whitelisting results directly, based
on DKIM authentication).
And every bit of ISP or sender resources or mindshare that is consumed by ADSP
is focus that's not expended on approaches that are likely to be more
effective, both immediately and longer term. Something corresponding to
extended validation SSL certificates, perhaps.
Cheers,
Steve
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html