On May 27, 2010, at 10:05 AM, Barry Leiba wrote:

>> do you believe John, who never believed in ADSP and has repeatedly said that he hopes it fails, and who has a microscopic amount of deployment experience if any at all. Or do we believe Brett/PayPal that ADSP is providing benefit *today* in the form of hundreds of millions of thwarted phishes, and that ADSP is the only way he can get things to scale beyond handshakes in the Valley.
>
> Indeed. Only, I think it's a little more complicated than that.
>
> PayPal has good experience with independent arrangements that behave like ADSP, and they expect it to translate to good and broader experience with ADSP.

More than expecting to, we are actively working on deployments with parties interested in "opting in" to this open, standards-based, authenticated email ecosystem. Unfortunately for the sake of this debate, I cannot disclose who just yet.

> On the other hand, they have some bad experience with ADSP, which they expect to meliorate with a change that Brett hasn't described yet.

Ya but... we have a handful of emails that have gone into spam filters (and due to the natural dynamics of MLMs those have probably *all* been recovered with no net communication loss at the end of the day) vs. thwarting over 100 million attacks. So yes, there are things we can do to remove what little downside we've seen, but the status quo is pretty much all upside from our perspective when put into context. There isn't even a whisper of abandoning ADSP within PayPal. Our only thought is on accelerating more and more deployments across the Internet.

I'm in this WG to help make the overall architecture (through BCPs, spec enhancements, new specs, etc.) just that much easier to deploy, with clearer and more reliable expectations for stakeholders who participate. I hope others are here for the same reason.

> On the other hand, John and Steve expect that the benefits PayPal is seeing in thwarted phishing messages will be short-lived, as phishers just change domain names, and send out just as many messages as before, fooling just as many recipients into thinking they're from PayPal.

I understand that argument, but even if that were happening (and it isn't happening to us) we would have removed an attack vector. That's *always* worth doing. Defense in depth. No one is looking for a silver bullet.

BTW, some of the theoretical arguments for how criminals can game ADSP neglect to consider that other elements of the infrastructure might also evolve to be fuller participants in the authenticated email ecosystem, e.g. MUAs that change the way they currently work to make these consumer protection applications more robust.

> We will certainly need data collected over time to determine whether there's any long-term reduction in unblocked phishing messages as a result of ADSP. I'm eager to get that data. We'll also need some analysis of whether (and why) PayPal sees some real value in ensuring that successful "PayPal" phishing messages do not actually have "paypal.com" in the "from" field. I'm eager to see that, too.

I'm working on publishing more of our experience, not to mention working in organizations like BITS, MAAWG, OTA, etc. in an effort to get more data from across the Internet put into play. ADSP hasn't been around very long, folks... I think we are moving pretty fast, actually. It's just not reasonable to expect many ADSP deployments right now, let alone ADSP=discardable.

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html