ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion

2010-05-27 14:33:07
On May 27, 2010, at 10:05 AM, Barry Leiba wrote:

do you believe John, who never believed in ADSP and has repeatedly said
that he hope it fails, and who has a microscopic amount of deployment
experience if any at all. Or do we believe Brett/paypal that ADSP is
providing benefit *today* in the form of 100's of millions of thwarted
phishes, and that ADSP is the only way he can get things to scale
beyond handshakes in the Valley.

Indeed.  Only, I think it's a little more complicated than that.

PayPal has good experience with independent arrangements that behave
like ADSP, and they expect it to translate to good and broader
experience with ADSP.

More than expecting to, we are actively working on deployments with parties 
interested in "opting-in" to this open, standards-based, authenticated email 
ecosystem.  Unfortunately for the sake of this debate, I cannot disclose who 
just yet.

 On the other hand, they have some bad
experience with ADSP, which they expect to meliorate with a change
that Brett hasn't described yet.

Ya but... we have a handful of emails that have gone into spam filters (and due 
to the natural dynamics of MLM's those have probably *all* been recovered with 
no net communication loss at the end of the day) vs. thwarting over 100 million 
attacks.  So yes, there are things we can do to remove what little down-side 
we've seen, the status quo is pretty much all up-side from our perspective when 
put into context.  

There isn't even a whisper of abandoning ADSP within PayPal.  Our only thought 
is on accelerating more and more deployments across the Internet.  I'm in this 
WG to help make the overall architecture (through BCP's, spec enhancements, new 
spec's, etc.) just that much easier to deploy with clearer and more reliable 
expectations for stakeholders who participate.  

I hope others are here for the same reason.

On the other hand, John and Steve expect that the benefits PayPal is
seeing in thwarted phishing messages will be short-lived, as phishers
just change domain names, and send out just as many messages as
before, fooling just as many recipients into thinking they're from
PayPal.

I understand that argument, but even if that were happening (and it isn't 
happen to us) we would have removed an attack vector.  That's *always* worth 
doing.  Defense in depth.  No one is looking for a silver bullet.

BTW, some of the theoretical arguments for how criminals can game ADSP neglect 
to consider other elements of the infrastructure might also evolve to be more 
full participants in the authenticated email ecosystem, e.g. MUA's that change 
the way they currently work to make these consumer protection applications more 
robust.


We will certainly need data collected over time to determine whether
there's any long-term reduction in unblocked phishing messages as a
result of ADSP.  I'm eager to get that data.  We'll also need some
analysis of whether (and why) PayPal sees some real value in ensuring
that successful "PayPal" phishing messages do not actually have
"paypal.com" in the "from" field.  I'm eager to see that, too.

I'm working on publishing more of our experience, not to mention working in 
organizations like BITS, MAAWG, OTA, etc. in an effort to get more data from 
across the Internet put into play.

ADSP hasn't been around very long folks... I think we are moving pretty fast 
actually.  It's just not reasonable to expect many ADSP deployments right now, 
let alone ADSP=discardable.


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>