[ietf-dkim] Collection of use cases for SSP requirements
chl at clerew.man.ac.uk
Sat Nov 11 04:26:44 PST 2006
On Fri, 10 Nov 2006 15:49:27 -0000, Dave Crocker <dhc at dcrocker.net> wrote:
> Charles Lindsey wrote:
>> On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc at dcrocker.net>
>>> As soon as banks start signing their messages and there are credible
>>> whitelists for their domain names, doesn't this end the ability for
>>> phishers to use those domain names in the rfc2822.From field?
>> I fail to see how "credible whilelists" are going to work. You cannot
>> expect all the millions of honest internet users to get into such
> DKIM is about domain names, not users. This means "organizations" and
> not "users". I do not see why we cannot expect organizations to get on
Sure. s/millions of honest internet users/tens of thousands of domains
used by millions of honest internet users/.
>> whitelists. Rather, it seems that what is suggested is that there will
>> exists whitelists of "respectable banks".
> There will probably be many different whitelists.
Which still leaves the question of which whitelist(s) you apply to each
particular mail. Granted that final delivery agents, who are likely to do
the verifying, can make a slightly better guess at this than the average
end user, it is still a near-impossible task.
>> But how do you tell, automatically, that a message is from a "bank",
>> and therefore ought to be ignored if it is not whitelisted?
> Please review John Levine's note of today.
Sorry, I didn't identify any note from John relating to whitelists.
> Teaching users to recognize a symbol on the screen that means "safe" is
> not as difficult as teaching them to recognize the various forms of
> deception used by phishers. (Again, see John Levine's note.)
The first thing you need to do is to ensure that the symbol appears with
high reliability on the message. There is nothing like too many false
negatives to put people off the whole idea.
And the second thing is to teach the users a simple rule to recognize
which messages might be expected to bear that symbol. "You tell me that I
should ignore messages without that symbol, but the messages I get from
Aunty Mary never have that symbol on them".
The third thing is to prevent the bad guys from causing that symbol to
appear (which depends on the exact nature of the protocol which puts it
there, which we have not yet examined yet).
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
More information about the ietf-dkim