[ietf-dkim] Collection of use cases for SSP requirements

Dave Crocker dhc at dcrocker.net
Sat Nov 11 11:57:10 PST 2006



John Levine wrote:
>>>> But how do you tell, automatically, that a message is from a "bank",  
>>>> and therefore ought to be ignored if it is not whitelisted?
> 
> Your computer doesn't tell automatically, you tell by looking at it.
> This is a task that humans do much better than computers do.  As I
> said:
> 
>  On the other hand, if we encourage whitelists of real banks, the
>  user's model is like this:
> 
>  1) Incoming message appears to be from a bank.
> 
>  2) Does the MUA show the golden dollar sign that means it's from a
>  real bank?
> 
>  3) Done.

The above is intuitively reasonable.  Simple procedure.  Very solid logic basis 
for asserting trust.  Very solid method of signaling to the user.

The only question is whether it would work.

There is some indication that it won't. (I know of a vendor who tried the 
approach you describe and their research caused them to fall back to something 
much simpler.)

Average users -- i.e., possibly none of us reading this note, but possibly all of 
us, too, and certainly me -- are astonishingly good at getting confused among 
the different signals placed on a screen.  (And elsewhere in real life, but 
let's stay within our own area of concern.)

I don't have the/an answer, but I do not know the procedure you describe is only 
capable of working

    a) when considered in the context of the many *different* signals an average 
user will get, as your model is expanded to include other trust certifiers 
(doctors, accountants, lawyers, city government, charities, credit agencies, 
...), and

    b) when validated empirically within an environment having such a mix.

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

