Dave Crocker wrote:
Michael Thomas wrote:
Phishing doesn't have to use the real domain. There are *countless*
ways of
phishing that don't require it. ...
This assumes that social problems have to be solved only in the
technical
realm in order to be useful. I'm sure that John will snort his coffee
through
his nose, but training users to only expect to hear from paypal from
paypal.com is most likely part of the solution.
However my own view is that it is entirely reasonable to include the
possibility of user training in discussions about problems and
solutions that directly involve users.
On the other hand, training users is known to be particularly
difficult and to be plausible only when satisfying some rather severe
constraints that ensure very high motivation, very simple mechanisms,
very clear information, and a slew of additional "very"s.
Best of all is that the realm of human factors usability and training
is entirely outside the skillset of an IETF working group, no matter
the skills of any particular participant.
Good thing that none of this is predicated on that being the _only_ reason.
Or that there need be an _only_ reason.
At a minimum, any proposal in the working group that entails multiple
changes throughout the system -- such as including user training --
needs to specifify all of the components that need changing, what the
changes need to be, and what the basis is for believing that the
aggregate set of changes will have efficacy.
Good thing that nobody's proposing that then because it sounds hard.
Something
that might as a side benefit help that along seems worth considering as
a plus. Just like
we hope that a side benefit of DKIM will be to enable better reputation,
etc.
Oh, and it also needs to include a cost/benefit discussion, since
anything entailing changing multiple components is certain to be
expensive and likely to be risky.
I don't know what "it" is here because it doesn't seem to have anything
to do
with what I was talking about.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html