ietf-dkim

Re: [ietf-dkim] SSP = FAILURE DETECTION

2006-09-09 12:01:54
Scott Kitterman:
On Saturday 09 September 2006 12:07, Dave Crocker wrote:
Wietse Venema wrote:
Here is an example why first-party signatures can be dangerous.
...
The best way to help end-users avoid getting phished is to not accept phishing
messages for delivery.  DKIM-SSP where strict policy statements are published
offers a mechanism for this.  From my perspective, the utility of DKIM as it
relates to end-users is, I agree, quite uncertain.

This is exactly the trap that I was describing in the mail cited above.

Blindly believing DKIM-SSP gives a false sense of security, and
provides criminals with even more convincing ways to rob people.
I really recommend that you read my entire email message.

Therefore, to the extent that anyone touts a DKIM-based mechanism as
defeating phishing, we run the risk of undermining all of DKIM's
credibility, by setting expectations far too high.

Agreed.  Is anyone doing this?

See my point above. We're already raising expectations too high,
by claiming that DKIM-SSP will block phishing mail. It will only
make phishing mail look more authentic.

        Wietse
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
