[ietf-dkim] Collection of use cases for SSP requirements

Charles Lindsey chl at clerew.man.ac.uk
Sat Nov 11 04:26:44 PST 2006


On Fri, 10 Nov 2006 15:49:27 -0000, Dave Crocker <dhc at dcrocker.net> wrote:

> Charles Lindsey wrote:
>> On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc at dcrocker.net>  
>> wrote:
>>
>>> As soon as banks start signing their messages and there are credible  
>>> whitelists for their domain names, doesn't this end the ability for  
>>> phishers to use those domain names in the rfc2822.From field?
>>  I fail to see how "credible whitelists" are going to work. You cannot  
>> expect all the millions of honest internet users to get into such
>
> DKIM is about domain names, not users.  This means "organizations" and  
> not "users".  I do not see why we cannot expect organizations to get on  
> whitelists.

Sure. s/millions of honest internet users/tens of thousands of domains  
used by millions of honest internet users/.
>
>
>> whitelists. Rather, it seems that what is suggested is that there will  
>> exist whitelists of "respectable banks".
>
> There will probably be many different whitelists.

Which still leaves the question of which whitelist(s) you apply to each  
particular mail. Granted that final delivery agents, who are likely to do  
the verifying, can make a slightly better guess at this than the average  
end user, it is still a near-impossible task.

>> But how do you tell, automatically, that a message is from a "bank",  
>> and therefore ought to be ignored if it is not whitelisted?
>
> Please review John Levine's note of today.

Sorry, I didn't identify any note from John relating to whitelists.

> Teaching users to recognize a symbol on the screen that means "safe" is  
> not as difficult as teaching them to recognize the various forms of  
> deception used by phishers.  (Again, see John Levine's note.)

The first thing you need to do is to ensure that the symbol appears with  
high reliability on the message. There is nothing like too many false  
negatives to put people off the whole idea.

And the second thing is to teach the users a simple rule to recognize  
which messages might be expected to bear that symbol. "You tell me that I  
should ignore messages without that symbol, but the messages I get from  
Aunty Mary never have that symbol on them".

The third thing is to prevent the bad guys from causing that symbol to  
appear (which depends on the exact nature of the protocol which puts it  
there, which we have not yet examined).

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                          Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

