On Monday, June 09, 2014 10:35 PM [GMT+1=CET], David Woodhouse wrote: > On Mon, 2014-06-09 at 21:39 +0200, J. Gomez via dmarc-discuss wrote: > > On Sunday, June 08, 2014 7:22 AM [GMT+1=CET], David Woodhouse via > > dmarc-discuss wrote: > > > > > On Sat, 2014-06-07 at 16:42 -0400, Larry Finch via dmarc-discuss > > > wrote: > > > > > > > > DMARC really sounded good when it was first defined and > > > > spec’d. And it DOES prevent spoofing a Yahoo or AOL address, > > > > but does nothing to prevent spoofing a Yahoo or AOL user, (or > > > > Chase, Wells-Fargo, Bank of America, etc) as my inbox has > > > > proven over the past few days. > > > > > > For the banks, there's a much simpler solution anyway. Banks > > > should be S/MIME-signing all their customer-facing outbound mail, > > > and a customer should know with 100% certainty that if they get a > > > mail which isn't S/MIME signed with the bank's certificate, it's > > > a fake. > > (...) > > > Any bank *not* signing its direct-to-customer email should be > > > prosecuted as an accessory to fraud which it is enabling by > > > actively training its customers to succumb to phishing :) > > > > Nice. And how is the bank supposed to get hold of all of his > > clients' > > public keys in order to S/MIME sign all the mail said bank sends to > > all his clients. > > That isn't necessary. I don't have your public key, if indeed you have > one. But my mail is still signed and your MUA ought to show that. Or > worst case, your MUA does nothing and you can still read my email > anyway. But even crappy not-really-email systems like Exchange+Outlook > can handle S/MIME properly. And the Android mailer, etc. > > Remember, we're talking about *signing*, not encryption.
Oh, OK, thanks for making it clear to me, I somehow undestood you were proposing encryption. Regards, J.Gomez _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
