Carl Hutzler’s Blog

Photography, Technology Musings, and other Completely Random Thoughts. Hey, it’s free.

AOTA - Authentication and Online Trust summit

Today I am in Boston attending the AOTA conference/summit. Basically it is a collection of security and antispam vendors along with a number of big ISPs and big email senders. The main thrust has to do with combating PHISH emails which attempt to defraud consumers by tricking them into visiting websites and giving up personal information like their login or SS#. Since most of the “spam” I get these days is indeed eBay, Paypal, Bank of America, and Citibank scams, I fully understand why this is the big problem today.

I have a number of take-away impressions from the conference, but I think the biggest one is that for the first time, I am finally seeing a maturation of AUTHENTICATION technologies for email. The big two are DKIM and SIDF. A terrific accomplishment is that both of these technologies are seeing fairly widespread adoption by both senders and receivers of email. As more organizations/domains adopt these technologies, it will become easier to tell who the responsible party is for the email that you are reading. And if that email is spam, who to hold responsible.

But AUTHENTICATION is only half of the issue. Even if I know that “you are who you claim you are”, I still don’t know if you are a “good guy”. A good example is looking at someone’s driver’s license (an analogy used during one presentation). I might know that your name is John Smith (after comparing your picture to you, etc.) but I don’t necessarily know if you are a good driver. Good driving is established after a period of time during which the driver exhibits good driving behavior.

So the next step in the email world is combining AUTHENTICATION with REPUTATION. And the biggest surprise for me, after being somewhat out of the industry for 2-3 years, is that REPUTATION systems have arrived and are viable. Companies including Return-Path, Habeas, Goodmail, and others have evolved considerably and can provide real data to both senders and receivers of email. In addition, some of these providers along with major ISPs are receiving data as well as sharing their reputation data across other providers in exchange for receiving valuable reputation data in return. And the number of “feedback loops” (I should have patented/copyrighted that term, damn!) has grown dramatically, and they are now available from upwards of a dozen ISPs instead of just AOL and beta testing from Yahoo and Hotmail.

It’s great to see an industry coming together and building the necessary tools and standards to make real progress in solving real problems. Very cool :-)

2 Comments so far

  1. Brad April 19th, 2007 3:19 pm

    Hey, I thought you had moved out of the security / anti-spam business. Are you still doing some consulting related to that stuff?

    The other day I was doing a little Googling to learn about authentication for RSS feeds. One of the first hits I encountered was a blog entry you wrote a few months ago.

  2. cdhutzler April 20th, 2007 3:31 pm

    Too funny. I guess that’s a good thing for my blog. But I find it weird that this one entry would show up for RSS Authentication as a topic. Guess it is a rather “new” topic!
