>Suppose we have a messaging service that, like Yahoo, is
>also a single signon service, ...

Then you just change the attack model. There are a bunch of sites that do various things with your address book ranging from the toxic Plaxo which slurps it up and sends spam to everyone in it masquerading as an address change message from you to more reasonable ones like LinkedIn which offers controlled messaging to friends of friends. Since typing in address book info by hand is hard, a lot of them sync with your existing Outlook addressbook via a plugin, and some of them also offer to sync with your Yahoo or Gmail or Hotmail address book. What a bad idea -- those are single signon systems. If you've ever bought anything at one of their hosted stores or use one of their premium services, it's the same credential that lets people charge stuff to your credit card.

It gets even messier. Look at a configurable aggregator page like the very spiffy Netvibes. It has modules to check mail at AOL, MSN, Yahoo, Gmail, and your POP provider, all conveniently remembering your login info. As far as I know Netvibes is reliable and competent, but they have an extension API that lets anyone write extension modules and offer them to Netvibes users.

I realize that readers of this list will use separate accounts for financial info and free webmail, but the other 99.9% of people in the world will be delighted that they only have one password to write on a post-it rather than six.

It should be obvious why overloading phish protection onto this is an equally bad idea -- it drops the security of the phish protection to the security of the sleaziest aggregator module or address book site that someone might use, and puts valuable financial and antiphish info in the same security bucket as the three most recent subject lines from your web mail. Thanks, but no thanks.

R's,
John

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]