ietf-dkim

Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-09 12:13:11


Michael Thomas wrote:
> Phishing doesn't have to use the real domain. There are *countless* ways of
> phishing that don't require it. ...
>
> This assumes that social problems have to be solved only in the technical
> realm in order to be useful. I'm sure that John will snort his coffee through
> his nose, but training users to only expect to hear from paypal from
> paypal.com is most likely part of the solution.


Unfortunately, I was in fact drinking coffee when I read this. Even though my name is not John, there was indeed some risk of a nasal flush... happily just barely avoided.

However my own view is that it is entirely reasonable to include the possibility of user training in discussions about problems and solutions that directly involve users.

On the other hand, training users is known to be particularly difficult and to be plausible only when satisfying some rather severe constraints that ensure very high motivation, very simple mechanisms, very clear information, and a slew of additional "very"s.

Best of all is that the realm of human factors usability and training is entirely outside the skillset of an IETF working group, no matter the skills of any particular participant.

At a minimum, any proposal in the working group that entails multiple changes throughout the system -- such as including user training -- needs to specify all of the components that need changing, what the changes need to be, and what the basis is for believing that the aggregate set of changes will have efficacy.

Oh, and it also needs to include a cost/benefit discussion, since anything entailing changing multiple components is certain to be expensive and likely to be risky.

Your following paragraph raised exactly this concern:

> Is this a whole solution? Of course not. We already know that no such silver
> bullet exists. Can or should we lessen the degrees of freedom in which bad
> guys can act? Sure seems like a reasonable idea to me. The only real question
> in my mind is whether this particular piece of technology is really worth the
> effort in the short/medium and long run. I think that reasonable people can
> have reasonable differences of opinion on that. For the dissenters, so long
> as there's not active harm what's the problem? Don't use it if you think it's
> useless.

d/

--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
