Any ideas on what is the percentage of users that do not have S/MIME?
If MSFT, Mozilla, etc. and the other MUAs cover a virtual majority of
the market, and would cover a majority of users affected by the phishing
attacks, why aren't the banks deploying it? It would be easier to tinker
with the edges of the network, rather than the center.
Pretty close to 80% of users have S/MIME today, the main gap at the
moment is actually hosted email and that will close very quickly
regardless of the spam issue. Call it 95%.
The problem is the 5% remainder which tends to be network ops running
PINE, MUTT and Eudora.
There is a private working group looking at this. Yahoo! Domain keys
looks like a better fit for what it is intended to achieve.
Wouldn't a profile of S/MIME that stores keys in DNS achieve
essentially the same thing?
Not quite, there is a major semantic shift taking place here,
it is the domain owner rather than the email sender being
authenticated. And actually the authentication may be for the
sole purpose of getting an accreditation.
I might send you a mail from turtlerecall.com through comcast.net
and comcast.net sees it comes from a legit user who is not sending
excessive quantities of email and sign it under their domain and
policy and get the benefit of an accreditation that VeriSign
provides.
Otherwise you need an accreditation for every single domain, not
a cheap solution.
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Power tends to corrupt, and absolute power corrupts absolutely"
(Lord Acton)
All power corrupts
Absolute power is absolutely wonderful - (Oscar Wilde?)
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg