
Re: [spf-discuss] IAB Response to the Appeal from Julian Mehnle

2006-03-07 19:34:11
On 07/03/06, Julian Mehnle <julian(_at_)mehnle(_dot_)net> wrote:
> Anyway, there are far fewer domain owners than end-users, so that should
> explain SPF's structural advantage over PGP.  But I agree that PGP is the
> definite solution to the forgery problem.  Banks, eBay, etc. should really
> form a cooperative initiative and start propagating PGP to their users
> instead of inventing silly workarounds like "never click links in e-mails
> claiming to come from us".

Worse, they don't even bother creating appropriate domain trust
paths, which you could follow from the trusted domain to the
newly-introduced-feature domain.

Just a recent example: www.firstfeddirect.com. Is it authorised by
www.firstfedca.com? How do I know if it is? Why do I find no links
from firstfedca.com to firstfeddirect.com? Why do they register
another domain, instead of using a subdomain like any sane person
would do?

fdic.gov tells me that firstfedca.com is the official web-site of
First Federal Bank of California, and that the savings are insured. It
doesn't tell me anything about firstfeddirect...

I now assume that firstfeddirect.com are fraudsters, and will go back
to emigrant-direct.com (which does have proper links from
emigrant.com) and HSBC (which doesn't bother with dodgy domains in the
first place)...

Cheers,
Constantine.
