On Apr 18, 2009, at 2:46 PM, Steve Atkins wrote:
> On Apr 18, 2009, at 2:29 PM, Hector Santos wrote:
>> What bothers me though is that much of what's going on is being done
>> by 14-18 year olds who IMO lack experience in social engineering
>> and ethical design considerations. To them the idea of COOKIES and
>> JAVASCRIPT being disabled is unthinkable.
> The lesson here is that irrational paranoia can damage useful HTTP
> standards.
After untold users had systems compromised by zero-day browser script
exploits, and a vendor recently took weeks to issue repairs for
several versions of their OS, why would anyone describe browser-related
security concerns as irrational? Once compromised, systems appear to
typically remain so, based on observed email behaviors.
The adopted Authentication-Results header, while okay for DKIM,
intentionally excludes a means to inhibit annotations based upon CGNs
authorizations, for example. Security should not become secondary to
unsupported statements or unsupportable schemes aimed at retaining an
illusion of security. In the face of polymorphic threats, greater
reliance on source authentications is required, where possibly
vulnerable browsers are often used to read email.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html