--On Friday, 17 August, 2007 15:50 +0200 Iljitsch van Beijnum <iljitsch@xxxxxxxxx> wrote:

>...
> Then again, misspelled fishing would be an order of magnitude
> harder if banks and retailers started using S/MIME, which is
> widely implemented today, but they can't be bothered, so it
> looks like protocol design isn't going to save the world any
> time soon.

This is, IMO, an important point. It seems to be easy (relatively) to get large public providers of nearly-free email to try new, and fairly weak, ideas like SPF or DKIM. Individuals with small mail domains struggle along, resisting being forced to either give up and join up with those large providers and ideas that would inevitably make email costly to them on a per-message basis.

But the key institutions that get spoofed don't, in practice, seem to care. S/MIME would work, PGP would work, and so would any other reasonable method to validate message source and integrity that depends on the message and not the transport. If the primary concern is communications between a financial institution with which the user already has an account (or equivalent relationship) and that user, we don't even have the usual PKI problems: one can deliver a sender key or cert out of band, validate it, and be finished.

Not only will those institutions not bother with S/MIME or PGP, but many of them won't support subaddresses (many reject addresses containing "+", "/", or "=" as invalid, some even reject "-"). But, while it gets nowhere near real authentication, the ability to write a pair of rules that say

    * if the message comes to "john+bbnk@xxxxxxxxxxx", and
      isn't from an address in the "bigbank.com" domain, it is
      trash and can be discarded, and

    * if the message appears to come from the "bigbank.com"
      domain and isn't addressed to "john+bbnk@xxxxxxxxxxx",
      then it is trash and can be discarded.

turns out to be a powerful tool that is not easily defeated and that does not require multiple handshakes between recipient and putative sender. But, if the financial institutions won't support it and insist that email local parts consist only of ASCII letters and digits, then its usefulness is limited.

That should, I think, make some predictions about the deployment and effectiveness of anything really new and effective. As with certain types of credit card fraud, it appears to be cheaper for the financial institutions to build the costs into their fee structure and then just eat the losses, rather than making significant investments in better systems or more inconveniences that might drive customers away.

It is possible to infer from this that there just isn't enough spam and phishing out there yet to be considered a problem --a problem that needs to be solved, rather than one about which one needs to make public statements and pass laws that are either meaningless or not enforced-- by those who make and enforce laws and policies.

     john

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
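
The pair of subaddress rules described in the message above, sketched as a recipient-side filter. This is an added example, not part of the original post: `example.org` stands in for the redacted recipient domain, the function and table names are hypothetical, the sample messages are constructed, and treating subdomains of "bigbank.com" as in-domain is an assumption.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed table: tagged address given to one institution -> its sender domain.
TAGS = {"john+bbnk@example.org": "bigbank.com"}


def in_domain(addr, domain):
    """True if addr is at domain or a subdomain of it (never a lookalike suffix)."""
    host = addr.rpartition("@")[2].lower()
    return host == domain or host.endswith("." + domain)


def classify(raw):
    """Return 'discard' or 'keep' for one RFC 5322 message string."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    # Header recipients are used here; a real filter would prefer the
    # envelope recipient recorded by the delivering MTA.
    rcpts = {addr.lower() for _, addr in getaddresses(fields)}
    for tagged, domain in TAGS.items():
        to_tag = tagged in rcpts
        from_inst = in_domain(sender, domain)
        # Rule 1: mail to the tagged address must come from the institution.
        # Rule 2: mail claiming the institution must go to the tagged address.
        if to_tag != from_inst:
            return "discard"
    return "keep"


def _m(frm, to):
    return f"From: {frm}\nTo: {to}\nSubject: constructed sample\n\nbody\n"


# Constructed sample messages covering both rules and a lookalike domain.
SAMPLES = {
    "legit": _m("BigBank <alerts@bigbank.com>", "john+bbnk@example.org"),
    "spoof_plain_addr": _m("security@bigbank.com", "john@example.org"),
    "leaked_tag": _m("offers@unrelated.example", "john+bbnk@example.org"),
    "lookalike": _m("support@notbigbank.com", "john+bbnk@example.org"),
    "unrelated": _m("friend@example.net", "john@example.org"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {classify(raw)}")
```

A forged "bigbank.com" sender only gets through if the forger also knows the tagged address, which is the property the message relies on.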