Dave Crocker wrote:
Wietse Venema wrote:
Here is an example why first-party signatures can be dangerous.
Right.
The key point, to me, is that a signature by the rfc2822.From domain
is likely to help control against some existing types of phishing, but
it clearly will not help against others.
Worse, we have no empirical data about what is or is not effective, in
helping end-users to detect phishing. So, to the extent that
end-users figure into anyone's expectations about DKIM's benefits
against phishing, we are flying quite blind.
Therefore, to the extent that anyone touts a DKIM-based mechanism as
defeating phishing, we run the risk of undermining all of DKIM's
credibility, by setting expectations far too high.
This is where Dave Oran's Preparation H disclaimer comes into effect:
Preparation H doesn't cure, it helps. On the other hand, saying that SSP
vs. first-party signatures is "dangerous" vastly overstates the risks --
just because something doesn't provide a complete solution means that
it's as dangerous as however you're misusing it.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html