On May 27, 2010, at 10:05 AM, Barry Leiba wrote:
> > do you believe John, who never believed in ADSP and has repeatedly said
> > that he hopes it fails, and who has a microscopic amount of deployment
> > experience if any at all. Or do we believe Brett/paypal that ADSP is
> > providing benefit *today* in the form of 100's of millions of thwarted
> > phishes, and that ADSP is the only way he can get things to scale
> > beyond handshakes in the Valley.
> Indeed. Only, I think it's a little more complicated than that.
> PayPal has good experience with independent arrangements that behave
> like ADSP, and they expect it to translate to good and broader
> experience with ADSP.
More than expecting to, we are actively working on deployments with parties
interested in "opting-in" to this open, standards-based, authenticated email
ecosystem. Unfortunately for the sake of this debate, I cannot disclose who
just yet.
> On the other hand, they have some bad
> experience with ADSP, which they expect to meliorate with a change
> that Brett hasn't described yet.
Ya but... we have a handful of emails that have gone into spam filters (and due
to the natural dynamics of MLMs those have probably *all* been recovered with
no net communication loss at the end of the day) vs. thwarting over 100 million
attacks. So yes, there are things we can do to remove what little down-side
we've seen; the status quo is pretty much all up-side from our perspective when
put into context.
There isn't even a whisper of abandoning ADSP within PayPal. Our only thought
is on accelerating more and more deployments across the Internet. I'm in this
WG to help make the overall architecture (through BCPs, spec enhancements, new
specs, etc.) just that much easier to deploy with clearer and more reliable
expectations for stakeholders who participate.
I hope others are here for the same reason.
> On the other hand, John and Steve expect that the benefits PayPal is
> seeing in thwarted phishing messages will be short-lived, as phishers
> just change domain names, and send out just as many messages as
> before, fooling just as many recipients into thinking they're from
> PayPal.
I understand that argument, but even if that were happening (and it isn't
happening to us) we would have removed an attack vector. That's *always* worth
doing. Defense in depth. No one is looking for a silver bullet.
BTW, some of the theoretical arguments for how criminals can game ADSP neglect
to consider that other elements of the infrastructure might also evolve to be more
full participants in the authenticated email ecosystem, e.g. MUAs that change
the way they currently work to make these consumer protection applications more
robust.
> We will certainly need data collected over time to determine whether
> there's any long-term reduction in unblocked phishing messages as a
> result of ADSP. I'm eager to get that data. We'll also need some
> analysis of whether (and why) PayPal sees some real value in ensuring
> that successful "PayPal" phishing messages do not actually have
> "paypal.com" in the "from" field. I'm eager to see that, too.
I'm working on publishing more of our experience, not to mention working in
organizations like BITS, MAAWG, OTA, etc. in an effort to get more data from
across the Internet put into play.
ADSP hasn't been around very long, folks... I think we are moving pretty fast
actually. It's just not reasonable to expect many ADSP deployments right now,
let alone ADSP=discardable.
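An added illustration of the ADSP=discardable mechanism under discussion (example code, not from the thread, PayPal, or any DKIM implementation): it parses an RFC 5617 `_adsp._domainkey` TXT record and returns the receiver-side result, using constructed `.test` domains and records in place of real DNS data. The lookalike-domain case at the end shows the limit John and Steve raise: ADSP only covers mail whose From: domain is the one that published the record.

```python
"""RFC 5617 ADSP result evaluation (illustrative; constructed data, no real DNS lookups)."""
import re

# Constructed stand-ins for _adsp._domainkey.<domain> TXT records (not real records).
ADSP_RECORDS = {
    "example-bank.test": "dkim=discardable",   # what ADSP=discardable looks like on the wire
    "example-shop.test": "dkim=all",
    "example-blog.test": "dkim=unknown",
}

def parse_adsp(record):
    """Return the dkim= practice (unknown/all/discardable) from a record, or None if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"([a-z][a-z0-9_]*)\s*=\s*(.*)", part, re.I)
        if not m:
            return None
        tags[m.group(1).lower()] = m.group(2).strip()
    practice = tags.get("dkim", "").lower()
    return practice if practice in ("unknown", "all", "discardable") else None

def author_domain(from_header):
    """Lowercased domain of the RFC5322.From address, e.g. 'A <a@Example.test>' -> 'example.test'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None

def adsp_result(from_header, author_sig_valid, records=ADSP_RECORDS):
    """Result in the spirit of RFC 5617: pass / unknown / fail / discard / none / permerror.

    author_sig_valid is whether a DKIM signature by the author domain itself verified;
    ADSP is only consulted when no such Author Domain Signature is present.
    """
    domain = author_domain(from_header)
    if domain is None:
        return "permerror"            # no usable author domain in From:
    if author_sig_valid:
        return "pass"                 # valid Author Domain Signature; practices are irrelevant
    record = records.get(domain)
    if record is None:
        return "none"                 # domain exists (assumed) but publishes no ADSP record
    practice = parse_adsp(record)
    if practice is None:
        return "permerror"            # syntactically broken record
    return {"unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]
```

Note that `adsp_result("x <a@example-bank-secure.test>", False)` yields "none": a lookalike domain that never published a record is simply outside ADSP's scope, which is the attack-vector-removal-versus-domain-switching trade-off the thread argues about.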
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html