Michael Thomas wrote:
>> Phishing doesn't have to use the real domain. There are *countless* ways of
>> phishing that don't require it. ...
> This assumes that social problems have to be solved only in the technical
> realm in order to be useful. I'm sure that John will snort his coffee through
> his nose, but training users to only expect to hear from paypal from
> paypal.com is most likely part of the solution.
Unfortunately, I was in fact drinking coffee when I read this. Even though my
name is not John, there was indeed some risk of a nasal flush... happily just
barely avoided.
However my own view is that it is entirely reasonable to include the possibility
of user training in discussions about problems and solutions that directly
involve users.
On the other hand, training users is known to be particularly difficult and to
be plausible only when satisfying some rather severe constraints that ensure
very high motivation, very simple mechanisms, very clear information, and a slew
of additional "very"s.
Best of all is that the realm of human factors usability and training is
entirely outside the skillset of an IETF working group, no matter the skills of
any particular participant.
At a minimum, any proposal in the working group that entails multiple changes
throughout the system -- such as including user training -- needs to specify
all of the components that need changing, what the changes need to be, and what
the basis is for believing that the aggregate set of changes will have efficacy.
Oh, and it also needs to include a cost/benefit discussion, since anything
entailing changing multiple components is certain to be expensive and likely to
be risky.
Your following paragraph raised exactly this concern:
> Is this a whole solution? Of course not. We already know that no such silver
> bullet exists. Can or should we lessen the degrees of freedom in which bad
> guys can act? Sure seems like a reasonable idea to me. The only real question
> in my mind is whether this particular piece of technology is really worth the
> effort in the short/medium and long run. I think that reasonable people can
> have reasonable differences of opinion on that. For the dissenters, so long
> as there's not active harm what's the problem? Don't use it if you think it's
> useless.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html