John Levine wrote:
> But how do you tell, automatically, that a message is from a "bank",
> and therefore ought to be ignored if it is not whitelisted?
>
> Your computer doesn't tell automatically, you tell by looking at it.
> This is a task that humans do much better than computers do. As I
> said:
>
> On the other hand, if we encourage whitelists of real banks, the
> user's model is like this:
>
> 1) Incoming message appears to be from a bank.
> 2) Does the MUA show the golden dollar sign that means it's from a
> real bank?
> 3) Done.
The above is intuitively reasonable. Simple procedure. Very solid logic basis
for asserting trust. Very solid method of signaling to the user.
The only question is whether it would work.
There is some indication that it won't. (I know of a vendor who tried the
approach you describe and their research caused them to fall back to something
much simpler.)
Average users -- i.e., possibly none of us reading this note, but possibly all of
us, too, and certainly me -- are astonishingly good at getting confused among
the different signals placed on a screen. (And elsewhere in real life, but
let's stay within our own area of concern.)
I don't have the/an answer, but I do not know the procedure you describe is only
capable of working

a) when considered in the context of the many *different* signals an average
user will get, as your model is expanded to include other trust certifiers
(doctors, accountants, lawyers, city government, charities, credit agencies,
...), and

b) when validated empirically within an environment having such a mix.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html