ietf-mailsig
[Top] [All Lists]

Re: Web pages for MASS effort

2005-01-10 08:44:24

In 
<C6DDA43B91BFDA49AA2F1E473732113E010BEEFF(_at_)mou1wnexm05(_dot_)vcorp(_dot_)ad(_dot_)vrsn(_dot_)com>
 "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> writes:

The feedback I got from the FTC workshop was that a lot of people were very
annoyed that the technical side had not got its act together behind one
proposal. The lack of apparent concern about email security has a lot of
people very disappointed.

In my humble opinion, the problem is not that the "technical side"
hasn't been working hard to solve the phishing/spam problem, but that
there are no perfect solutions.  Actually, I think it could be easily
argued that there aren't even any *good* solutions.

All the proposals that I know of have serious problems.  SPF breaks on
forwarding and doesn't protect the From: header.  All the crypto
solutions, except SES, break on mailing lists.  SES requires some sort
of call back (via SMTP or via a DNS lookup).  SenderID breaks on
forwardering and too many mailing lists, and also doesn't protect the
From: header.  CSV is almost all talk and no action, requires the
abuse of SRV records in very user unfriendly ways, and protects
something that most people don't seem to care much about.


I haven't heard of a really new idea in the anti-spam/phishing area
for a very long time.  There have been a lot of smart people looking
at these problems since the early 90's, and I think that if there was
a good, clean solution to it, we would have seen it deployed last
century.


An analogy of what we are seeing is a transition from everyone having
no locks on anything, to putting locks on stuff.  As a result, we hear
a lot of folks saying things like: "It will cost too much for everyone
to put locks on all the doors."  "What if I lock myself out?"  "This
key is too heavy."  "I don't want to have to carry around 3 keys!"
"But I *like* being able to go into my neighbor's house to borrow a
cup of sugar when they aren't home!"  "Locks are useless because you
can just break down the door!"  "We should stop spending time putting
locks on houses until we have finished putting locks on banks."  And,
of course, the ever popular "My lock is better than your lock!"

In the mean time, we have almost everyone screeming "WE HAVE TO DO
SOMETHING ABOUT THE CRIME WAVE!!!!"


Well, that was a fun rant.  I'm going to go back to working on SPF
stuff now, not because I think it is a perfect solution, or the only
solution, or a solution that is cost free, but because I think it is
useful in many situations.


-wayne


<Prev in Thread] Current Thread [Next in Thread>