[ietf-dkim] Collection of use cases for SSP requirements

Dave Crocker dhc at dcrocker.net
Fri Nov 10 07:49:38 PST 2006



Charles Lindsey wrote:
> On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc at dcrocker.net> wrote:
> 
> 
>> As soon as banks start signing their messages and there are credible 
>> whitelists for their domain names, doesn't this end the ability for 
>> phishers to use those domain names in the rfc2822.From field?
> 
> I fail to see how "credible whitelists" are going to work. You cannot 
> expect all the millions of honest internet users to get into such 

DKIM is about domain names, not users.  This means "organizations" and not 
"users".  I do not see why we cannot expect organizations to get on whitelists.


> whitelists. Rather, it seems that what is suggested is that there will 
> exist whitelists of "respectable banks".

There will probably be many different whitelists.  Some will be for specific 
categories of senders, and others will be broader.  Note that the non-Internet 
world already has lots of whitelists and we have learned how to deal with them. 
(For example, Michelin for restaurants.)  Some are better than others... We 
develop a means of ranking them.


> But how do you tell, automatically, that a message is from a "bank", and 
> therefore ought to be ignored if it is not whitelisted? 

Please review John Levine's note of today.


> But you still have the problem of educating users to expect such 
> texts/headers, and educating them to do that is just as hard as 
> educating them to recognise present-day phishes 

Teaching users to recognize a symbol on the screen that means "safe" is not as 
difficult as teaching them to recognize the various forms of deception used by 
phishers.  (Again, see John Levine's note.)

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
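The point Dave makes above, that a whitelist lists domains (organizations) rather than users, and Charles's question of how a receiver tells automatically that mail claiming to come from a bank should be distrusted when it is not properly signed, can be illustrated with a small policy check. The following is an added example; it is not code from this thread or from any DKIM implementation. The whitelist contents, the sample headers, the domain names and the helper names are all constructed. It assumes that cryptographic DKIM verification (key lookup and checking the b= tag) has already been done by something else and that the set of domains whose signatures verified is passed in.

```python
"""
Added example (not from the ietf-dkim thread): treat a "whitelist" as a list
of signing domains believed to sign all of their mail, and flag any message
whose rfc2822.From domain is on that list but which carries no verified,
aligned DKIM signature.  Actual signature verification is assumed to have
happened upstream; its result arrives as the set `verified`.
"""
import email
from email.utils import parseaddr

# Constructed whitelist: organizations (domains) that commit to signing all mail.
TRUSTED_SIGNERS = {"bank.example", "payments.example"}


def from_domain(msg) -> str:
    """Domain part of the rfc2822.From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def signature_domains(msg) -> set:
    """All d= values from DKIM-Signature headers (a message may carry several)."""
    domains = set()
    for sig in msg.get_all("DKIM-Signature", []):
        # Unfold the header, then walk the tag=value list.
        for tag in sig.replace("\r\n", "").replace("\n", "").split(";"):
            name, _, value = tag.strip().partition("=")
            if name.strip() == "d":
                domains.add(value.strip().lower())
    return domains


def aligned(sig_domain: str, author_domain: str) -> bool:
    """A signature aligns if d= equals the From domain or is a parent of it."""
    return sig_domain == author_domain or author_domain.endswith("." + sig_domain)


def classify(raw: bytes, verified: set, whitelist=TRUSTED_SIGNERS) -> str:
    """
    'trusted'    : From domain is whitelisted and has a verified, aligned signature
    'suspicious' : From domain is whitelisted but no verified aligned signature exists
    'unknown'    : From domain is not on the whitelist; this check says nothing about it
    """
    msg = email.message_from_bytes(raw)
    author = from_domain(msg)
    if author not in whitelist:
        return "unknown"
    for d in signature_domains(msg):
        if d in verified and aligned(d, author):
            return "trusted"
    return "suspicious"


# Constructed sample messages (bh= and b= values are placeholders, not real).
SIGNED_BANK_MAIL = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel1;\r\n"
    b" h=from:to:subject; bh=placeholder; b=placeholder\r\n"
    b"From: Alerts <alerts@bank.example>\r\n"
    b"To: customer@mail.example\r\n"
    b"Subject: statement\r\n\r\nbody\r\n"
)
PHISH_MAIL = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=phisher.example; s=x;\r\n"
    b" h=from; bh=placeholder; b=placeholder\r\n"
    b"From: Security <security@bank.example>\r\n"
    b"Subject: verify your account\r\n\r\nbody\r\n"
)
OTHER_MAIL = b"From: someone@shop.example\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    print(classify(SIGNED_BANK_MAIL, {"bank.example"}))    # trusted
    print(classify(PHISH_MAIL, {"phisher.example"}))       # suspicious
    print(classify(OTHER_MAIL, set()))                     # unknown
```

Note that a message signed by some unrelated domain (the second sample) is still "suspicious": the signature may verify perfectly well, but it does not align with the From domain the reader sees, which is exactly the case the whitelist is meant to catch. Mail from domains not on the list gets no verdict at all from this check; that is the gap the "how do you know it is a bank" question points at, and nothing here fills it.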


