Charles Lindsey wrote:

> On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc(_at_)dcrocker(_dot_)net>
>> As soon as banks start signing their messages and there are credible
>> whitelists for their domain names, doesn't this end the ability for
>> phishers to use those domain names in the rfc2822.From field?
>
> I fail to see how "credible whitelists" are going to work. You cannot
> expect all the millions of honest internet users to get into such

DKIM is about domain names, not users. This means "organizations" and not
"users". I do not see why we cannot expect organizations to get on whitelists.

> whitelists. Rather, it seems that what is suggested is that there will
> exist whitelists of "respectable banks".

There will probably be many different whitelists. Some will be for specific
categories of senders, and others will be broader. Note that the non-Internet
world already has lots of whitelists and we have learned how to deal with them.
(For example, Michelin for restaurants.) Some are better than others... We
develop a means of ranking them.

> But how do you tell, automatically, that a message is from a "bank", and
> therefore ought to be ignored if it is not whitelisted?

Please review John Levine's note of today.

> But you still have the problem of educating users to expect such
> texts/headers, and educating them to do that is just as hard as
> educating them to recognise present-day phishes

Teaching users to recognize a symbol on the screen that means "safe" is not as
difficult as teaching them to recognize the various forms of deception used by
phishers. (Again, see John Levine's note.)
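The receiver-side decision the thread is arguing about, as an added example that is not part of the original messages: a whitelisted From domain earns a "safe" indicator only when backed by a verified DKIM signature whose d= domain is aligned with it. The whitelist, the `DkimResult` shape and the verdict labels are constructed for illustration; actual DKIM verification is assumed to run elsewhere and is not implemented here.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed stand-in for a "credible whitelist" of organization domains.
WHITELIST = {"examplebank.example", "mail.examplebank.example"}


@dataclass
class DkimResult:
    """Outcome of a DKIM verification performed elsewhere (assumed, not implemented)."""
    verified: bool
    signing_domain: str  # the d= tag of the verified DKIM-Signature header


def from_domain(from_header: str) -> str:
    """Domain part of the rfc2822.From address, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(signing_domain: str, author_domain: str) -> bool:
    """The signature covers the From domain when d= equals it or is a parent of it."""
    s, a = signing_domain.lower(), author_domain.lower()
    return bool(s) and (a == s or a.endswith("." + s))


def classify(from_header: str, dkim: DkimResult) -> str:
    """Policy for the on-screen indicator: 'trusted', 'suspect' or 'unknown'.

    Only the From domain is consulted for whitelist membership, so a message
    that merely borrows a whitelisted domain in From without an aligned,
    verified signature is flagged rather than rewarded.
    """
    author = from_domain(from_header)
    if author in WHITELIST:
        if dkim.verified and aligned(dkim.signing_domain, author):
            return "trusted"   # whitelisted domain, proven by an aligned signature
        return "suspect"       # whitelisted domain claimed without proof
    return "unknown"           # not on any list: no indicator either way
```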