On May 26, 2010, at 5:00 PM, Steve Atkins wrote:
On May 26, 2010, at 12:46 PM, Brett McDowell wrote:
Paypal is claiming an operational benefit, but haven't actually
demonstrated that ADSP either provides that benefit, nor that
those benefits can't be provided in a significantly cheaper manner.
I thought I had. Remember that business about 100 million phishing attacks
being blocked (DKIM alone would not have delivered that... it was our policy
assertion and the acceptance to act on that policy assertion that made this
happen)?
Should ADSP be deployed widely, and it were to be used by PayPal, then any of
the smarter phishers would not continue to send mail that would not be
delivered.
That's rational, but theoretical and not supported by what we are seeing. We
are stopping phish every day in large quantities. Based on your logic, that
would have stopped by now. But it hasn't. I could have a lengthy talk about
why we believe it hasn't stopped, but I think that would be a tangent.
They would continue to send phish email, of course, just not of a form that
would be blocked by ADSP. At best this would cause the badly done phishing
emails to be blocked while allowing the ones sent by smarter criminals to be
delivered.
You are making too many assumptions. The biggest is probably that MUA's won't
evolve to address the display name vs. author domain issue.
Given that, it's not something that will provide any benefit once ADSP is
deployed - maybe just the opposite, as it will effectively neuter the
approach you're currently using. You may win the battle of preventing use of
the string "paypal.com" in the non-displayed part of the From: field, yet
lose the war of protecting your users from phishers.
I know you guys are security experts and I'm in no position to lecture you on
best practices, but seeing some of these arguments makes me think we need a
quick reminder of the bigger picture... defense in depth. Removing an attack
vector is a good thing. Then you remove the next one, etc.
What do I need to show you guys before you accept that I have demonstrated
that ADSP provides operational benefit?
You need to go beyond "We do this" to "We do this, and our opponents will
respond with that,
Really?!... now you are talking theory not data. You are using the crystal
ball.
Sure, you can see real possibilities even now, but that's not data. That said,
if it's within the scope of this WG to talk about the next layer of what we
can/should do after we have shut-off the vector that DKIM+ADSP=discardable
enables us to shut-off, we can start working on that too. I'd participate in
that... but I'd lower the priority on that longer-term planning compared to the
short-term of using and enhancing what we already have.
and we will respond with the other ...".
At some point you keep some of those cards in your hand until you have to show
them. We are talking about crime-fighting after all.
This isn't a protocol that's used solely between honest peers, it's something
that is solely for thwarting bad guys in a hostile environment.
Granted, the consumer protection use case are what matter most to me, but there
are several folks who care more about deliverability. So the assertion above
is not true in the deliverability case.
And how do use the ADSP protocol to thwart bad guys if not by a coalition of
the willing among honest peers?
Should we be dismissive of SSL just because it's only for thwarting bad guys?
Where would eCommerce be today without SSL?
There are clearly approaches that can be build on top of DKIM that would be
extremely effective in that environment. There's no data so far to suggest
that ADSP is one of them.
Again, I'm feeling a bit ignored which is frustrating since it was you who
asked me to provide the data that you now seem to be dismissing.
(ADSP could provide benefits when combined with something like certification
or whitelisting - but in those cases you can skip the publication of ADSP
records altogether, and apply the certification or whitelisting results
directly, based on DKIM authentication).
I thought this was the Internet ETF. So shouldn't we be concerned with solving
these use cases using Internet technologies vs. closed, proprietary, silo-ed
one-off solutions? But you are correct, if we fail, that's exactly what will
happen. In fact, I think we are in a bit of a horse race at this point. So
I'd love to see us stop debating the shape of the table and get back to write a
BCP or a spec or something tangible and useful.
And every bit of ISP or sender resources or mindshare that is consumed by
ADSP is focus that's not expended on approaches that are likely to be more
effective, both immediately and longer term. Something corresponding to
extended validation SSL certificates, perhaps.
Any proposals?
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html