
Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion

2010-05-26 16:03:34

On May 26, 2010, at 12:46 PM, Brett McDowell wrote:

>> Paypal is claiming an operational benefit, but haven't actually
>> demonstrated either that ADSP provides that benefit, or that
>> those benefits can't be provided in a significantly cheaper manner.

> I thought I had. Remember that business about 100 million phishing attacks 
> being blocked (DKIM alone would not have delivered that... it was our policy 
> assertion and the acceptance to act on that policy assertion that made this 
> happen)?

Should ADSP be deployed widely, and were it to be used by PayPal, then any of 
the smarter phishers would not continue to send mail that would not be 
delivered.

They would continue to send phish email, of course, just not of a form that 
would be blocked by ADSP. At best this would cause the badly done phishing 
emails to be blocked while allowing the ones sent by smarter criminals to be 
delivered.

Given that, it's not something that will provide any benefit once ADSP is 
deployed - maybe just the opposite, as it will effectively neuter the approach 
you're currently using. You may win the battle of preventing use of the string 
"paypal.com" in the non-displayed part of the From: field, yet lose the war of 
protecting your users from phishers.

> What do I need to show you guys before you accept that I have demonstrated 
> that ADSP provides operational benefit?

You need to go beyond "We do this" to "We do this, and our opponents will 
respond with that, and we will respond with the other ...". This isn't a 
protocol that's used solely between honest peers, it's something that is solely 
for thwarting bad guys in a hostile environment.

There are clearly approaches that can be built on top of DKIM that would be 
extremely effective in that environment. There's no data so far to suggest that 
ADSP is one of them.

(ADSP could provide benefits when combined with something like certification or 
whitelisting - but in those cases you can skip the publication of ADSP records 
altogether, and apply the certification or whitelisting results directly, based 
on DKIM authentication).

And every bit of ISP or sender resources or mindshare that is consumed by ADSP 
is focus that's not expended on approaches that are likely to be more 
effective, both immediately and longer term. Something corresponding to 
extended validation SSL certificates, perhaps.

Cheers,
  Steve


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
