ietf-mailsig

RE: Good enough?

2005-01-06 08:15:13

[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Sam Hartman
    Hallam-Baker,> For better or worse the email authentication means
    Hallam-Baker,> of solving the spam problem is owned by
    Hallam-Baker,> SPF/Sender-ID framework for the next couple of
    Hallam-Baker,> years. 

I'm not at all convinced that is true.  Moreover I'm 
convinced that a MASS-style solution can do a better job of 
providing usability to end users than SPF.

Let's look at the basic strategy of how to build critical mass for an
application. In most cases this takes years; to have an effect on Internet
crime a specification has to build very quickly. To do this it needs a
'killer application', an application that is a critical pain point for a
significant early adopter community.

For better or worse the AMEY group adopted the SPF approach in principle
eighteen months ago. MARID should have been a slam dunk to write the spec
that AMEY was already committed to deploy.

Putting the AMEY group together etc. took over a year; the cryptographic
approach was considered but could not be delivered soon enough for their
purposes.

Repurposing the AMEY coalition is not viable at this time. However it is
entirely practical to put together a coalition of leading international
banks who are affected by the phishing problem and have an immediate need
to be seen to do something. This is in progress and will provide the killer
app for ESTG on the signer side. On the verification side Yahoo is already
on board, as is Google, nobody is outright opposed and in any case there is
board level pressure that can be brought to bear.

A killer application is not necessarily the application that is ultimately
the most widely used. The killer application for the PC was spreadsheets.
The spreadsheet is no longer the biggest PC application; it is probably not
in the top ten. Word processing, Web surfing, Email, Games, Powerpoint, Media
Player etc. are all much bigger. But the spreadsheet developed the
infrastructure.

That is why I am saying that the phishing application is key for deployment.
It may well be that in four years' time anti-spam is the dominant use made of
ESTG, but in the short term the phishing pain point is the one to ride for
deployment.


                Phill

