[ietf-dkim] Review of draft-fenton-dkim-threats-01
ekr at networkresonance.com
Sat Oct 29 14:06:25 PDT 2005
Eliot Lear <lear at cisco.com> writes:
>> I'm not sure if that argument requires a plan to build a reputation
>> system. However, if the argument is going to be such that a reputation
>> system is required, then, considering that that's probably the
>> hard bit, I would tend to think that such a plan would be useful, no?
> Useful? Yes. Is it something the IETF should do? I doubt it. It
> strikes me that is the province of vendors at this point. After all,
> what would the IETF standardize right now? A mother-may-I protocol?
> How would it differ from a DBL?
All good questions, but to the extent to which DKIM's usefulness
depends on the answers, I think they need to be addressed first.
> Is this something SOMEBODY should do?
> Absolutely. And we know it will be done because it is being done
> But let me also say that even without reputation the system is still
> useful in stopping phishing attacks. So much so that you recently saw
> a note from folks at ebay explaining why this would be useful to them
> even if a reputation system was never developed.
I understand that people believe this to be the case. However, given
that phishing basically depends on either domain name confusion or
domain name hijacking, I don't consider that there have been
particularly strong arguments made for why it would in fact
help (this goes back to my comments on the draft).
More information about the ietf-dkim