[ietf-dkim] Collection of use cases for SSP requirements

Dave Crocker dhc at dcrocker.net
Thu Nov 9 11:05:11 PST 2006



Michael Thomas wrote:
>> Phishing doesn't have to use the real domain. There are *countless* ways of
>> phishing that don't require it. ...
> 
> This assumes that social problems have to be solved only in the technical
> realm in order to be useful. I'm sure that John will snort his coffee through
> his nose, but training users to only expect to hear from paypal from
> paypal.com is most likely part of the solution. 


Unfortunately, I was in fact drinking coffee when I read this.  Even though my 
name is not John, there was indeed some risk of a nasal flush... happily just 
barely avoided.

However my own view is that it is entirely reasonable to include the possibility 
of user training in discussions about problems and solutions that directly 
involve users.

On the other hand, training users is known to be particularly difficult and to 
be plausible only when satisfying some rather severe constraints that ensure 
very high motivation, very simple mechanisms, very clear information, and a slew 
of additional "very"s.

Best of all is that the realm of human factors usability and training is 
entirely outside the skillset of an IETF working group, no matter the skills of 
any particular participant.

At a minimum, any proposal in the working group that entails multiple changes 
throughout the system -- such as including user training -- needs to specify 
all of the components that need changing, what the changes need to be, and what 
the basis is for believing that the aggregate set of changes will have efficacy.

Oh, and it also needs to include a cost/benefit discussion, since anything 
entailing changing multiple components is certain to be expensive and likely to 
be risky.

Your following paragraph raised exactly this concern:

> Is this a whole solution? Of course not. We already know that no such silver
> bullet exists. Can or should we lessen the degrees of freedom in which bad
> guys can act? Sure seems like a reasonable idea to me. The only real question
> in my mind is whether this particular piece of technology is really worth the
> effort in the short/medium and long run. I think that reasonable people can
> have reasonable differences of opinion on that. For the dissenters, so long
> as there's not active harm what's the problem? Don't use it if you think it's
> useless.

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
