Nate Leon wrote:
I expect it will take years before all MUAs are updated (and widely
deployed) to display the PRA, which I do not think is an acceptable
timeframe to put a serious dent into phishing attacks.
My personal opinion is that solutions to the phishing problem
absolutely require changes to MUAs. It is simply not enough
to tell all email users to start trusting that email is "more
secure" after some date when Sender ID goes to RFC.
There needs to be some way that recipients can easily distinguish
mail that has been authenticated versus mail that has not. Period.
Until that happens and people understand the difference, the phishing
problem is unlikely to go away. The closest analogy I can think of
is that once upon a time, there was no SSL on the Web. But HTTP over
SSL wasn't enough to secure the Web. The lock icon in the browsers
was needed too so users could tell the difference between what is
trustworthy and what is not.
Daryl Odnert
Tumbleweed Communications
Redwood City, California