
Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-10 08:53:41

Charles Lindsey wrote:
> On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc(_at_)dcrocker(_dot_)net>
>
>> As soon as banks start signing their messages and there are credible whitelists for their domain names, doesn't this end the ability for phishers to use those domain names in the rfc2822.From field?
>
> I fail to see how "credible whitelists" are going to work. You cannot expect all the millions of honest internet users to get into such

DKIM is about domain names, not users. This means "organizations" and not "users". I do not see why we cannot expect organizations to get on whitelists.

> whitelists. Rather, it seems that what is suggested is that there will exist whitelists of "respectable banks".

There will probably be many different whitelists. Some will be for specific categories of senders, and others will be broader. Note that the non-Internet world already has lots of whitelists and we have learned how to deal with them. (For example, Michelin for restaurants.) Some are better than others... We develop a means of ranking them.

> But how do you tell, automatically, that a message is from a "bank", and therefore ought to be ignored if it is not whitelisted?

Please review John Levine's note of today.

> But you still have the problem of educating users to expect such texts/headers, and educating them to do that is just as hard as educating them to recognise present-day phishes.

Teaching users to recognize a symbol on the screen that means "safe" is not as difficult as teaching them to recognize the various forms of deception used by phishers. (Again, see John Levine's note.)


  Dave Crocker
  Brandenburg InternetWorking
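[Added worked example; this is not part of the thread and not code from any DKIM implementation.] The exchange above is really about one receiver-side rule: if the rfc2822.From domain is on a whitelist of banks, treat the message as trustworthy only when a DKIM signature whose d= covers that domain verified; if the domain is on no list, the rule says nothing at all, which is the gap Charles Lindsey points at. The Python below models only that policy layer over constructed sample headers. It assumes the set of verified signing domains is handed in by a separate DKIM verifier (real verification needs DNS and RSA and is out of scope), and the whitelist, domain names and headers are all made up for the example.

```python
"""Receiver-side check for the "signed plus whitelisted" argument.

Models the policy layer only.  The DKIM verifier's output is taken as
given: the set of d= domains whose signatures validated on this message.
Real verification (selector record lookup, RSA check over the signed
headers and body) is out of scope here.
"""
from email import message_from_string
from email.utils import parseaddr
from enum import Enum


class Verdict(Enum):
    TRUSTED = "trusted"   # From domain is listed and a covering signature verified
    SUSPECT = "suspect"   # From domain is listed but no signature from it verified
    UNKNOWN = "unknown"   # From domain is on no list: the check makes no claim


# Hypothetical whitelist of sending domains, constructed for this example.
# In the thread's scenario a list like this is curated by a third party.
BANK_WHITELIST = frozenset({"bank.example", "credit-union.example"})


def from_domain(raw_message: str) -> str:
    """Lower-cased domain of the rfc2822.From address, '' if absent."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def under(domain: str, parent: str) -> bool:
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def evaluate(raw_message: str, verified_signers, whitelist=BANK_WHITELIST) -> Verdict:
    """Combine From domain, verified DKIM signers and whitelist into a verdict."""
    dom = from_domain(raw_message)
    if not dom or not any(under(dom, w) for w in whitelist):
        # Without a list entry we cannot tell this is a "bank", so an
        # unsigned message here is not suspicious by this rule alone.
        return Verdict.UNKNOWN
    # A signature only counts if its d= covers the From domain; a phisher
    # signing with a domain they control proves nothing about the From domain.
    signers = {s.lower() for s in verified_signers}
    if any(under(dom, s) for s in signers):
        return Verdict.TRUSTED
    return Verdict.SUSPECT


# Constructed sample messages (headers only; bodies are irrelevant here).
SAMPLES = {
    # Bank signs its own mail: candidate for the on-screen "safe" symbol.
    "legit": ("From: Bank Alerts <alerts@bank.example>\n"
              "Subject: Statement ready\n\n...", {"bank.example"}),
    # Phisher forges the bank's domain and cannot sign for it.
    "unsigned_forgery": ("From: Bank Alerts <alerts@bank.example>\n"
                         "Subject: Verify your account\n\n...", set()),
    # Phisher forges From but signs with a domain they control.
    "cross_signed_forgery": ("From: Bank Alerts <alerts@bank.example>\n"
                             "Subject: Verify your account\n\n...",
                             {"phisher.example"}),
    # Display name mimics the bank; the actual address is an unlisted domain.
    "lookalike": ('From: "security@bank.example" <x@phisher.example>\n'
                  "Subject: Verify your account\n\n...", {"phisher.example"}),
    # Unlisted sender, properly signed: the scheme makes no claim either way.
    "unlisted": ("From: News <news@newsletter.example>\n"
                 "Subject: Weekly\n\n...", {"newsletter.example"}),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> verdict string."""
    return {name: evaluate(msg, signers).value
            for name, (msg, signers) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22s} {verdict}")
```

The "lookalike" and "unlisted" cases both come out UNKNOWN, which is exactly the limit the thread argues over: signing plus a whitelist settles forgery of listed domains, but it cannot by itself tell a receiver that an unlisted domain is, or is pretending to be, a bank.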
