[Cryptography] phishing, was Encryption opinion

Jerry Leichter leichter at lrw.com
Wed Sep 10 12:08:54 EDT 2014 

On Sep 10, 2014, at 10:57 AM, John Levine <johnl at iecc.com> wrote:

>> Most email is exchanged by people who
>> already know each other - or who are introduced by mutual friends.  Most
>> people never need their email systems to solve the Introduction Problem.
> 
> Really?  I don't get a lot of non-spam mail from people with whom I've
> never corresponded, but the trickle I get is often of high value, from
> "are you the John Levine I knew in college?" to "are you available for
> this highly lucrative contract?"
...thus demonstrating that email in fact *does not* solve the Introduction Problem.  In the first case, mutual memories will solve it.  In the second, the email will usually lead to something else so that both sides can satisfy themselves as to the bona fides of their counter parties.  Though I must say every unsolicited email I've ever gotten offering a highly lucrative contract has been spam.  :-(

> One of the reason that SMTP mail wiped out all of its competitors is
> that it allows unintroduced mail.
I doubt it.  SMTP mail was cross-platform; in this case, all the various walled gardens were eventually seen to be too limiting.

People forget just how non-cross-platform early solutions were.  DEC has MAIL-11 (free, limited functionality, DEC only) and DECmail (a paid product oriented toward business use - but also DEC only).  IBM had something I no longer remember (based on BITNET?  They must have also had SNA-based mail.)

But you didn't have to be the size of a DEC or IBM to come up with a proprietary mail solution:  Apollo Computer, an early workstation producer, had its own non-SMTP mail protocol.  Neither DEC nor Apollo provided an SMTP gateway; third parties did that initially (and they both eventually were forced onto the bandwagon).

And don't forget UUCP-mail, which predated all of these, supported unintroduced mail, was widely implemented and used - but faded (though you could argue that it more or less evolved into SMTP).

BTW, both MAIL-11 and Apollo's mail supported unintroduced mail; I'm not sure about DECmail, but it probably did as well.  And MAIL-11 really *was* "Simple" - unlike SMTP; it *could* have been adapted to TCP with little trouble.  But no one cared, because "unintroduced mail" was barely a concept at the time, and wasn't a decision criterion.

>  It doesn't have to be extremely
> easy, but it does have to be possible.
No disagreement.  On the other hand, we've never come up with a good solution for the problem of finding someone's email address.  LDAP works (in my experience not very well) within single organizations.  In the broader Internet, if I knew of John Levine only through mentions of your name, the best I could do is to search around the Internet for mentions of your name, look at the pages, and hope to eventually come upon a page that seemed to refer to the right John Levine and also happened to have an email address for you.

This works because you're reasonably well known.  Within the broader techie community, email academics can usually (but not always) be found if you can figure out what school they are at.  (Sometimes you need to guess the department, too.)  For other techies, LinkIn serves as a de facto introducer.  Beyond that ... you're on your own.  And if you want something that has some degree of associated assurance - there's basically nothing.  (In fact, not only isn't there anything, we haven't even figured out what and appropriate "something" would be.)

                                                        -- Jerry


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140910/afb69251/attachment.bin>

More information about the cryptography mailing list