> Yes, it is difficult and I think it's one of the biggest barriers to getting a
> common solution for trusted senders. I don't think that your solution of
> authentication-only is enough, as I explain below.
It doesn't have to be one list. Many of the prime phish targets are in regulated industries, so there are already lists of who the real entities are. A list of domains of actual banks, published by a regulator like the FDIC or a trade association like the ABA, would be a good start.

I suggested about a decade ago to a guy from the FDIC that they should set up a CA and sign the certs of the banks they insure. Good idea, he said, and nothing came of it.
