Plenty of people who understand DIDs have already commented on the technical issues with this solution; I wanted to explain the business and market reasons it is DOA.
First of all, what problem are they trying to solve?
Email security is the first use case they're rolling out, specifically addressing spoofing, which is a real problem for enterprises. Other use cases are mentioned for the future, but clearly MSTR and Saylor believe - as he has said many times - that verifiable identities will solve this business problem.
So what is spoofing? A form of social engineering that attempts to deceive a message recipient (typically over email, but increasingly Slack, Teams and Zoom are targeted) into believing a message was sent by a known or trusted source, usually by manipulating email headers (the From address or its display name) or by using lookalike domains. Exact-domain forgery of the From address is already addressed by SPF, DKIM and DMARC where they are enforced, which is why attackers lean on display-name tricks and lookalike domains that those checks do not cover.
Typically it is used by scammers for simple frauds that instruct people to act: directing them to send money or gift cards, change banking details, or hand over additional information that can be used in downstream attacks.
MicroStrategy Orange seeks to help enterprises avoid spoofing by authenticating a signature on a user's email, with the signer's identity anchored to the Bitcoin blockchain.
As they acknowledge in the keynote, signatures for email are not new. S/MIME has been around for decades and is not widely used because it introduces its own complexities (certificate issuance and renewal, key management, and clients that do not verify or render it).
What enterprises ++have++ done for years is rely on Secure Email Gateways (SEGs) to reduce the volume of malicious email reaching users. A SEG is a software layer inserted into the mail flow that inspects email for things like malware attachments or malicious URLs by checking them against known-bad lists.
This worked well enough for a long time, and multibillion-dollar companies such as Proofpoint and Mimecast were built around it. The method is not foolproof, *but their success is why scammers had to adapt and move to social engineering attacks*: these carry no payload and are less likely to be picked up by a SEG that looks for malware hashes, low-reputation domains and the like.
Next-generation email security is already here and is being adopted by enterprises.
Abnormal Security is the leader in this new category. They intercept the mail flow and feed it into a cloud "AI engine" that analyses hundreds of data points per email, like CrowdStrike for email. It builds a baseline of what *normal* email behaviour looks like for each user in an enterprise and then uses those signals to look for anomalies.
This starts with things like the IP address of the sender (*ie they always send from the office and are now suddenly sending from Russia*) and relationships (*ie the CEO who supposedly sent this has never emailed this lowly employee in Accounts Payable*), but goes much deeper.
They use language analysis to parse emails for things like urgency, calls to action and financial requests, as well as whether the email matches the writing style of the person being spoofed ("*please do the needful*" won't fly in 2024).
This is very powerful because it is not reliant on a static list of known bad that the vendor has to maintain; it analyses signals in real time to pick up the modern threats where SEGs are weak. And because the analysis is done in Abnormal's cloud, signals are cross-pollinated across their expanding customer base, which constantly improves the detection for everyone.
If an email's risk score crosses the threshold it simply is not delivered to the end user, the same way a SEG blocks an email with a malicious attachment. **++This is what security teams actually want++**: it reduces reliance on the weakest link, the end user, acting correctly (ie verifying an Orange signature) and simply takes the bad email out of their flow altogether.
Abnormal has taken the lead in this space, with Proofpoint and Mimecast playing catch-up, and others will likely emerge. But these are the tools that large enterprises **are already adopting** to address this challenge.
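To make that scoring approach concrete, here is a toy version of the pipeline, added to this post as an illustration. It is not Abnormal's code, and nothing about their real signals, weights or thresholds is known from the keynote or from this post: the tenant domain, the per-user baseline, the VIP list, the weights, the threshold and the three sample emails are all constructed assumptions. It combines the signals described above (an executive's display name on a foreign address, a lookalike domain, sender-location and relationship anomalies against a per-user baseline, urgency and financial-request language) into one score and blocks delivery when the score crosses the threshold:

```python
import re
from dataclasses import dataclass

LEGIT_DOMAIN = "example.com"   # assumption: the protected tenant's own domain
THRESHOLD = 50                 # assumption: block at or above this risk score


@dataclass
class Email:
    sender: str           # address from the From: header
    display_name: str     # display name from the From: header
    sender_country: str   # geolocation of the sending IP, as the gateway logs it
    recipient: str
    subject: str
    body: str


# Constructed per-user baseline. A real engine learns this from mailbox history;
# here it is hard-coded: where the CEO normally sends from and who she writes to.
BASELINE = {
    "ceo@example.com": {
        "countries": {"US"},
        "contacts": {"cfo@example.com", "coo@example.com"},
    },
}
# Executives worth impersonating: display name -> the address it belongs to.
VIPS = {"Jane Doe": "ceo@example.com"}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today)\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|gift cards?|invoice|bank details|payment)\b", re.I)
# Digit-for-letter substitutions commonly used in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True if `domain` is not `legit` but is within two edits of it once
    confusable digits are folded back to letters (examp1e.com, exarnple.com)."""
    domain = domain.lower()
    if domain == legit:
        return False
    return levenshtein(domain.translate(CONFUSABLES), legit) <= 2


def score(email: Email) -> tuple[int, list[str]]:
    """Return (risk score, signals that fired). Weights are illustrative assumptions."""
    domain = email.sender.rsplit("@", 1)[1].lower()
    fired: list[tuple[str, int]] = []

    # Header manipulation: an executive's display name on some other address.
    if VIPS.get(email.display_name, email.sender) != email.sender:
        fired.append(("executive display name on a different address", 40))
    if is_lookalike(domain):
        fired.append((f"lookalike domain {domain}", 30))

    # Behavioural anomalies against the sender's own baseline (internal senders only).
    base = BASELINE.get(email.sender.lower())
    if base:
        if email.sender_country not in base["countries"]:
            fired.append((f"sender never seen sending from {email.sender_country}", 25))
        if email.recipient.lower() not in base["contacts"]:
            fired.append(("sender has never emailed this recipient", 15))

    # Language analysis: urgency plus a request to move money or change details.
    text = f"{email.subject}\n{email.body}"
    if URGENCY.search(text):
        fired.append(("urgency language", 10))
    if FINANCIAL.search(text):
        fired.append(("financial request", 20))

    return sum(w for _, w in fired), [name for name, _ in fired]


def verdict(email: Email) -> str:
    """'block' keeps the message out of the user's mailbox entirely."""
    total, _ = score(email)
    return "block" if total >= THRESHOLD else "deliver"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": Email("ceo@example.com", "Jane Doe", "US", "cfo@example.com",
                   "Q3 board deck", "Draft attached, comments by Friday please."),
    "lookalike": Email("jane.doe@examp1e.com", "Jane Doe", "NG", "ap.clerk@example.com",
                       "Urgent wire transfer",
                       "I'm in a meeting, please wire $48,000 to the new vendor today."),
    "compromised": Email("ceo@example.com", "Jane Doe", "RU", "ap.clerk@example.com",
                         "Bank details",
                         "Update the bank details on invoice 1182 and process payment right away."),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        total, signals = score(msg)
        print(f"{label:12} score={total:3} -> {verdict(msg)}  {signals}")
```

Run it and the legitimate CEO-to-CFO message scores 0 and is delivered, while both the lookalike-domain message and the message sent from the real CEO address, from an unusual country to someone she has never emailed, are blocked before a user ever sees them. Nothing in the verdict depends on whether the sender could present a valid signature: the lookalike sender could register a key and sign the message and it would score exactly the same, which is why the blocking decision is made on behaviour rather than left to the recipient.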
No cybersecurity professional is going to look at this Orange Check solution and see it as useful.
Their first objection will be the one nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z pointed out: bad actors can register their own DID, so a valid signature only proves that the sender controls a key, not that they are who they claim to be, and relying on it is futile.
Secondly, unless DIDs become ubiquitous to the point that companies refuse email that is not DID-signed, they have to leave non-Orange-Checked emails to user discretion, which is exactly what security teams don't want to do.
Finally, if this approach were feasible, Microsoft (MSTR's biggest competitor) would already have made it work. They dominate enterprise email and would have baked it into their offering; they are not going to let a competitor come in and monetise a product in that space. That is simply not how big business works.
**So what is the one chance that MicroStrategy has for this to be successful?**
They will need to get the US Government on board as a large customer and lobby to have cybersecurity compliance frameworks require it, ie government entities won't accept incoming mail without it.
Compliance tends to create its own industry in consulting, certification and technology solutions.
The only way this gets broad adoption is if some US government institution sees an opportunity to price out Bitcoin transactions by pushing this non-monetary use case, forcing others to join in by mandating DIDs, and the Big 4 consultancies see an opportunity to build an industry around it.
I don't know how they could justify that. Certainly for email they couldn't; possibly for code signing or internet access or something, I guess they could try as part of "secure digital supply chains".
So if these Orange Checks somehow do gain traction you can be certain, ++100% certain++, that it is not because the free market thought they were a good solution that actually solves a problem, but rather because powerful entities want to kneecap Bitcoin.
Of all the things Michael Saylor could do with 1% of the only absolutely scarce asset in the world, choosing this route for his company's first project on Bitcoin is incredibly strange.
It is as if he hasn't actually spoken to any customers about how they do email security today and instead just rolled with an idea that sounded good on paper but is, in practice, useless.
I’m doubtful it will go anywhere and will be *far more* sceptical if it actually does.