On May 26, 2010, at 5:00 PM, Steve Atkins wrote: > > On May 26, 2010, at 12:46 PM, Brett McDowell wrote: >>> >>> Paypal is claiming an operational benefit, but haven't actually >>> demonstrated that ADSP either provides that benefit, nor that >>> those benefits can't be provided in a significantly cheaper manner. >> >> I thought I had. Remember that business about 100 million phishing attacks >> being blocked (DKIM alone would not have delivered that... it was our policy >> assertion and the acceptance to act on that policy assertion that made this >> happen)? > > Should ADSP be deployed widely, and it were to be used by PayPal, then any of > the smarter phishers would not continue to send mail that would not be > delivered.
That's rational, but theoretical and not supported by what we are seeing. We are stopping phish every day in large quantities. Based on your logic, that would have stopped by now. But it hasn't. I could have a lengthy talk about why we believe it hasn't stopped, but I think that would be a tangent. > > They would continue to send phish email, of course, just not of a form that > would be blocked by ADSP. At best this would cause the badly done phishing > emails to be blocked while allowing the ones sent by smarter criminals to be > delivered. You are making too many assumptions. The biggest is probably that MUA's won't evolve to address the display name vs. author domain issue. > > Given that, it's not something that will provide any benefit once ADSP is > deployed - maybe just the opposite, as it will effectively neuter the > approach you're currently using. You may win the battle of preventing use of > the string "paypal.com" in the non-displayed part of the From: field, yet > lose the war of protecting your users from phishers. I know you guys are security experts and I'm in no position to lecture you on best practices, but seeing some of these arguments makes me think we need a quick reminder of the bigger picture... defense in depth. Removing an attack vector is a good thing. Then you remove the next one, etc. > >> What do I need to show you guys before you accept that I have demonstrated >> that ADSP provides operational benefit? > > You need to go beyond "We do this" to "We do this, and our opponents will > respond with that, Really?!... now you are talking theory not data. You are using the crystal ball. Sure, you can see real possibilities even now, but that's not data. That said, if it's within the scope of this WG to talk about the next layer of what we can/should do after we have shut-off the vector that DKIM+ADSP=discardable enables us to shut-off, we can start working on that too. I'd participate in that... but I'd lower the priority on that longer-term planning compared to the short-term of using and enhancing what we already have. > and we will respond with the other ...". At some point you keep some of those cards in your hand until you have to show them. We are talking about crime-fighting after all. > This isn't a protocol that's used solely between honest peers, it's something > that is solely for thwarting bad guys in a hostile environment. Granted, the consumer protection use case are what matter most to me, but there are several folks who care more about deliverability. So the assertion above is not true in the deliverability case. And how do use the ADSP protocol to thwart bad guys if not by a coalition of the willing among honest peers? Should we be dismissive of SSL just because it's only for thwarting bad guys? Where would eCommerce be today without SSL? > > There are clearly approaches that can be build on top of DKIM that would be > extremely effective in that environment. There's no data so far to suggest > that ADSP is one of them. Again, I'm feeling a bit ignored which is frustrating since it was you who asked me to provide the data that you now seem to be dismissing. > > (ADSP could provide benefits when combined with something like certification > or whitelisting - but in those cases you can skip the publication of ADSP > records altogether, and apply the certification or whitelisting results > directly, based on DKIM authentication). I thought this was the Internet ETF. So shouldn't we be concerned with solving these use cases using Internet technologies vs. closed, proprietary, silo-ed one-off solutions? But you are correct, if we fail, that's exactly what will happen. In fact, I think we are in a bit of a horse race at this point. So I'd love to see us stop debating the shape of the table and get back to write a BCP or a spec or something tangible and useful. > > And every bit of ISP or sender resources or mindshare that is consumed by > ADSP is focus that's not expended on approaches that are likely to be more > effective, both immediately and longer term. Something corresponding to > extended validation SSL certificates, perhaps. Any proposals? _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
