[ietf-dkim] Collection of use cases for SSP requirements

Charles Lindsey chl at clerew.man.ac.uk
Fri Nov 10 03:33:00 PST 2006


On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc at dcrocker.net> wrote:


> As soon as banks start signing their messages and there are credible  
> whitelists for their domain names, doesn't this end the ability for  
> phishers to use those domain names in the rfc2822.From field?

I fail to see how "credible whitelists" are going to work. You cannot  
expect all the millions of honest internet users to get into such  
whitelists. Rather, it seems that what is suggested is that there will  
exist whitelists of "respectable banks".

But how do you tell, automatically, that a message is from a "bank", and  
therefore ought to be ignored if it is not whitelisted? Will messages from  
banks routinely carry text or headers which say "this message is from a  
bank, and is to be ignored if it is not whitelisted". Naturally, phishers  
will not include such texts/headers (or they will include them in a subtly  
altered form).

But you still have the problem of educating users to expect such  
texts/headers, and educating them to do that is just as hard as educating  
them to recognise present-day phishes (I expect most people do, but enough  
people don't for the phishers to make a decent living, it seems).

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
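To make the disagreement above concrete, here is an added illustration (not code from the original post or from the DKIM working group) of the receiver-side check Dave Crocker's question implies: compare the rfc2822.From domain with the DKIM d= signing domain and consult a whitelist of domains known to sign all their mail. The whitelist, the domain names and the three sample messages are constructed for this example; whether the DKIM signature actually verifies is assumed to be decided by an upstream verifier and passed in as dkim_valid.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed whitelist (assumption: a receiver-maintained list of domains
# known to DKIM-sign every message they send). The name is hypothetical.
BANK_WHITELIST = {"examplebank.test"}


def from_domain(msg):
    """Domain part of the rfc2822.From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def signing_domain(msg):
    """The d= tag of the DKIM-Signature header, or None if there is no signature.

    Only the claimed signing domain is extracted here; cryptographic
    verification is assumed to have been done upstream (see dkim_valid).
    """
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    for tag in str(sig).split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    return None


def classify(raw_message, dkim_valid, whitelist=BANK_WHITELIST):
    """Return 'accept', 'reject' or 'no-policy' for one message.

    accept    - From domain is whitelisted and carries a valid signature from
                that same domain.
    reject    - From domain is whitelisted but the message is unsigned, the
                signature failed, or it was signed by some other domain.
    no-policy - From domain is not on the whitelist, so the receiver knows
                nothing about it and this check cannot help.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    fd = from_domain(msg)
    if fd not in whitelist:
        return "no-policy"
    if dkim_valid and signing_domain(msg) == fd:
        return "accept"
    return "reject"


# Constructed sample messages; the signature tag values are placeholders.
SIGNED_BANK = (
    "From: Example Bank <alerts@examplebank.test>\n"
    "To: customer@mail.test\n"
    "Subject: Statement available\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=examplebank.test; s=sel;"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\nYour statement is ready.\n"
)

FORGED_BANK = (
    "From: Example Bank <alerts@examplebank.test>\n"
    "To: customer@mail.test\n"
    "Subject: Verify your account\n"
    "\nPlease confirm your details.\n"
)

LOOKALIKE = (
    "From: Example Bank <alerts@examplebank-secure.test>\n"
    "To: customer@mail.test\n"
    "Subject: Verify your account\n"
    "\nPlease confirm your details.\n"
)


if __name__ == "__main__":
    print(classify(SIGNED_BANK, dkim_valid=True))    # accept
    print(classify(FORGED_BANK, dkim_valid=False))   # reject
    print(classify(LOOKALIKE, dkim_valid=False))     # no-policy
```

The first two cases are the ones the whitelist handles: an exact use of the bank's domain in From is accepted only with the bank's own valid signature. The third case is the gap Charles Lindsey points to: a message from a domain that merely resembles the bank's is not on any whitelist, so the check returns no verdict at all, and the receiver is back to relying on the user to notice the difference.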