On Mon, 2014-06-09 at 21:39 +0200, J. Gomez via dmarc-discuss wrote:
> On Sunday, June 08, 2014 7:22 AM [GMT+1=CET], David Woodhouse via
> dmarc-discuss wrote:
>
> > On Sat, 2014-06-07 at 16:42 -0400, Larry Finch via dmarc-discuss
> > wrote:
> > >
> > > DMARC really sounded good when it was first defined and spec’d. And
> > > it DOES prevent spoofing a Yahoo or AOL address, but does nothing to
> > > prevent spoofing a Yahoo or AOL user, (or Chase, Wells-Fargo, Bank
> > > of America, etc) as my inbox has proven over the past few days.
> >
> > For the banks, there's a much simpler solution anyway. Banks should be
> > S/MIME-signing all their customer-facing outbound mail, and a customer
> > should know with 100% certainty that if they get a mail which isn't
> > S/MIME signed with the bank's certificate, it's a fake.
> (...)
> > Any bank *not* signing its direct-to-customer email should be
> > prosecuted as an accessory to fraud which it is enabling by actively
> > training its customers to succumb to phishing :)
>
> Nice. And how is the bank supposed to get hold of all of his clients'
> public keys in order to S/MIME sign all the mail said bank sends to
> all his clients.

That isn't necessary. I don't have your public key, if indeed you have
one. But my mail is still signed and your MUA ought to show that. Or
worst case, your MUA does nothing and you can still read my email
anyway. But even crappy not-really-email systems like Exchange+Outlook
can handle S/MIME properly. And the Android mailer, etc.

Remember, we're talking about *signing*, not encryption.

(Not that it's hard to allow a user to register a key through the
online banking system and thus allow encryption too, but that's not
what we were talking about, and that would indeed require an abnormal
level of clue on the part of the user.)

-- 
dwmw2
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
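The signing-versus-encryption point made in the reply above, as an added example that is not part of the original thread: the `openssl smime` commands below sign a message using only the sender's certificate and private key, then check it the way a recipient would. The "Example Bank" name, the file names and the message text are constructed for illustration, and a self-signed certificate stands in for a CA-issued one.

```shell
#!/bin/sh
# Added example (not from the thread): S/MIME signing needs only the SENDER's key.
# Return codes: 0 ok, 2 setup failed, 3 genuine mail rejected,
#               4 tampered mail accepted, 5 body not readable as clear text.
smime_demo() {
    dir=$(mktemp -d) || return 2
    rc=0
    (
        cd "$dir" || exit 2
        # Sender key pair and self-signed certificate (constructed, valid 1 day).
        # No recipient key or certificate is created anywhere in this demo.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Example Bank" \
            -keyout bank.key -out bank.crt 2>/dev/null || exit 2

        printf 'Your statement is ready.\n' > msg.txt

        # Sign: the only inputs are the message, the sender's cert and its key.
        # The default output is clear-signed multipart/signed.
        openssl smime -sign -text -in msg.txt \
            -signer bank.crt -inkey bank.key -out signed.eml 2>/dev/null || exit 2

        # A mail client that ignores S/MIME still shows the body in the clear.
        grep -q 'Your statement is ready' signed.eml || exit 5

        # Recipient side: verify against the sender's certificate as trust anchor.
        openssl smime -verify -in signed.eml -CAfile bank.crt \
            -out /dev/null 2>/dev/null || exit 3

        # A copy whose body was altered after signing must fail verification.
        sed 's/statement is ready/password has expired/' signed.eml > forged.eml
        if openssl smime -verify -in forged.eml -CAfile bank.crt \
            -out /dev/null 2>/dev/null; then
            exit 4
        fi
        exit 0
    ) || rc=$?
    rm -rf "$dir"
    return "$rc"
}

if smime_demo; then
    echo "signed with sender key only: genuine mail verified, altered mail rejected"
else
    echo "demo failed with status $?"
fi
```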
