On Saturday 09 September 2006 12:07, Dave Crocker wrote:
> Wietse Venema wrote:
> > Here is an example why first-party signatures can be dangerous.
> Right.
> The key point, to me, is that a signature by the rfc2822.From domain is
> likely to help control against some existing types of phishing, but it
> clearly will not help against others.
I don't think anyone would disagree with this.
> Worse, we have no empirical data about what is or is not effective, in
> helping end-users to detect phishing. So, to the extent that end-users
> figure into anyone's expectations about DKIM's benefits against
> phishing, we are flying quite blind.
The best way to help end-users avoid getting phished is to not accept phishing
messages for delivery. DKIM-SSP where strict policy statements are published
offers a mechanism for this. From my perspective, the utility of DKIM as it
relates to end-users is, I agree, quite uncertain.
> Therefore, to the extent that anyone touts a DKIM-based mechanism as
> defeating phishing, we run the risk of undermining all of DKIM's
> credibility, by setting expectations far too high.
Agreed. Is anyone doing this?
Scott K
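As an added illustration (not code from this thread or from any SSP draft) of the two points made above: a receiver that publishes-and-enforces sender signing policy can reject unsigned or third-party-signed mail claiming a strictly signed From domain before it ever reaches a user, yet the same check says nothing about mail that carries a perfectly valid first-party signature from an unrelated domain. The policy names ("strict", "all", "some", "unknown"), the in-memory policy table standing in for DNS records, and all domain names are constructed assumptions, not the actual SSP record syntax.

```python
"""Simplified sender-signing-policy evaluation (constructed model, added example).

Assumptions: policy records are modelled as plain strings in a dict instead of
DNS TXT lookups; signature verification has already happened and we only see
the list of d= domains whose DKIM signatures verified.
"""
from dataclasses import dataclass

# Constructed stand-in for published policy records (assumed names, not SSP syntax):
#   strict  - all mail is signed by the From domain itself; third-party signatures do not count
#   all     - all mail is signed, but a third-party signer is acceptable
#   some    - only some mail is signed; unsigned mail is not evidence of forgery
# Any domain absent from the table is treated as "unknown" (no policy published).
POLICIES = {
    "bank.example": "strict",
    "shop.example": "all",
    "blog.example": "some",
}


@dataclass
class Message:
    from_domain: str          # domain part of the rfc2822.From address
    verified_signers: list    # d= domains of DKIM signatures that verified


def lookup_policy(domain: str) -> str:
    """Return the published policy for a domain, or 'unknown' if none is published."""
    return POLICIES.get(domain, "unknown")


def evaluate(msg: Message) -> tuple:
    """Decide at SMTP time whether to accept the message for delivery.

    Returns (verdict, reason). The decision depends only on the From domain's
    own policy and on which signatures verified; it never inspects the
    display name or looks for domains that merely resemble a protected one.
    """
    policy = lookup_policy(msg.from_domain)
    first_party = msg.from_domain in msg.verified_signers

    if first_party:
        # A first-party signature satisfies every policy, including strict.
        return ("accept", "first-party signature verified")

    if policy == "strict":
        if msg.verified_signers:
            return ("reject", "strict policy: third-party signature not accepted")
        return ("reject", "strict policy: message is unsigned")

    if policy == "all":
        if msg.verified_signers:
            return ("accept", "third-party signature allowed by policy")
        return ("reject", "policy says all mail is signed, but none verified")

    # "some" or "unknown": the policy gives no grounds to reject unsigned mail.
    return ("accept", "no published policy forbids this message")


def demo() -> list:
    """Run a handful of constructed messages through the check."""
    cases = [
        Message("bank.example", []),                        # forged, unsigned
        Message("bank.example", ["relay.example"]),         # forged, third-party signed
        Message("bank.example", ["bank.example"]),          # genuine, first-party signed
        Message("shop.example", ["relay.example"]),         # third party, permitted
        Message("blog.example", []),                        # unsigned, permitted
        # The limitation the thread points at: a different domain with its own
        # valid signature is accepted, because the policy check has no opinion
        # about whether that domain "looks like" bank.example to a user.
        Message("lookalike.example", ["lookalike.example"]),
    ]
    return [(m.from_domain, m.verified_signers, *evaluate(m)) for m in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The rejection of the first two constructed messages is the "do not accept it for delivery" mechanism; the last row is the case a first-party signature cannot help with, which is why a domain's published policy needs to be paired with something else (and why claiming it "defeats phishing" overstates it).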
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html