ietf-dkim

Re: [ietf-dkim] SSP = FAILURE DETECTION

2006-09-09 11:52:09

Michael Thomas wrote:
>> Therefore, to the extent that anyone touts a DKIM-based mechanism
>> as defeating phishing, we run the risk of undermining all of DKIM's
>> credibility, by setting expectations far too high.
>
> This is where Dave Oran's Preparation H disclaimer comes into effect:
> Preparation H doesn't cure, it helps. On the other hand, saying that
> SSP vs. first-party signatures being "dangerous" vastly overstates
> the risks -- just because something doesn't provide a complete
> solution means that it's as dangerous as however you're misusing it.


Lest anyone read Michael's note as countering my concern, I'll stress that it doesn't.

My comment was not that it is bad to have partial solutions, but that it is bad to set expectations inappropriately and that the discussion on this list suggests that we are at serious risk of promoting DKIM as an anti-phishing "solution" inappropriately.

d/
--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html