ietf-dkim

Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-11 13:55:25
Dave Crocker wrote:


John Levine wrote:
But how do you tell, automatically, that a message is from a "bank", and therefore ought to be ignored if it is not whitelisted?

Your computer doesn't tell automatically, you tell by looking at it.
This is a task that humans do much better than computers do.  As I
said:

 On the other hand, if we encourage whitelists of real banks, the
 user's model is like this:

 1) Incoming message appears to be from a bank.

 2) Does the MUA show the golden dollar sign that means it's from a
 real bank?

 3) Done.

The above is intuitively reasonable. Simple procedure. Very solid logic basis for asserting trust. Very solid method of signaling to the user.

The only question is whether it would work.

There is some indication that it won't. (I know of a vendor who tried the approach you describe and their research caused them to fall back to something much simpler.)

Average users -- i.e., possibly none of us reading this note, but possibly all of us, too, and certainly me -- are astonishingly good at getting confused among the different signals placed on a screen. (And elsewhere in real life, but let's stay within our own area of concern.)

I don't have the/an answer, but I do not know the procedure you describe is only capable of working

a) when considered in the context of the many *different* signals an average user will get, as your model is expanded to include other trust certifiers (doctors, accountants, lawyers, city government, charities, credit agencies, ...), and

b) when validated empirically within an environment having such a mix.

Not to mention what they'd do when they got a Dutch Ruble or a French Kroner. The other thing here is that I think that it subtly assumes that there's trust within
the group subsumed under the symbol, which doesn't seem especially good. Not
to mention that the Giver of the Golden $ Seal is a great way to create a trust or
other abusive old boy's clubs.

It's not entirely clear to me that we shouldn't be placing more emphasis on
doing the things that make law enforcement more possible though.

      Mike, does this have anything to do with SSP or DKIM though?
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
