
Re: dmarc damage, was gmail users read on... [bozo subtopic]

2014-09-14 14:33:04
On 9/13/2014 1:09 PM, John C Klensin wrote:
> For that second one, remember that a lot of MUAs only show the
> comment on the From: line, not the address.
> I've often wondered how many successful phishing attacks we
> could stop by issuing a "best practices" statement pointing out
> the risks and difficulties associated with that
> address-suppression practice.


Like most user interface ideas, it's an entirely reasonable line of
inquiry.

However, based on the experience of 'usable security' folks, there's also
quite a bit of evidence that it would make no meaningful difference.

The best model to invoke, with respect to the idea of recruiting end
users to be active participants in abuse detection or prevention, is
mostly:

  Don't.

That's a reality that tends to be rejected or ignored around the IETF,
so it would be quite nice to see proposals offer an empirical basis for
expecting efficacy.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
