On Sep 8, 2006, at 1:26 PM, Dave Crocker wrote:
We should keep that kind of balancing in mind particularly when we find
ourselves tending to believe that it will provide extensive and
basic protection against determined and sophisticated attacks. It
won't, particularly with respect to interesting forms of phishing
attacks. Phishing fundamentally entails tricking humans. There is
no known technique -- computer-based or otherwise -- for
guaranteeing that humans will not be tricked. So the broad
statements about the use of DKIM, in the service of generically
stopping phishing, are quite simply invalid.
I agree. DKIM by itself may only slightly slow the rate of
successful phishing attempts.
DKIM used in conjunction with an intelligent MUA annotating email
addresses found within the address-book when assured valid by
associated DKIM signing domains, can significantly reduce the success
rate of phishing attacks. These annotations should become the
gold-standard before recipients act. This should also improve the open
rate of valid messages. This could be seen as being analogous to
that of the browser lock-symbol. To help boot-strap this effort,
policy could assist this effort by also offering specific email
addresses assured by listed domain.
-Doug
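The address-book annotation described in the message above, sketched as an added Python example (not code from this list or from any DKIM implementation): it takes the message's From header and the Authentication-Results header value added by the receiving MTA, and marks a contact as verified only when a DKIM pass came from a signing domain the address book already trusts for that contact. The address book, header values and the three annotation labels are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed address book: each contact address maps to the set of DKIM
# signing domains (header.d= values) this user has chosen to trust for it.
ADDRESS_BOOK = {
    "alice@example.com": {"example.com"},
    "billing@bank.example": {"bank.example", "mail.bank.example"},
}

# Matches one "dkim=pass ... header.d=<domain>" result; [^;] keeps the
# match inside a single method result so a later method's d= is not used.
_DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)", re.I)


def signing_domains(auth_results):
    """Return the lower-cased signing domains that produced a dkim=pass
    in an Authentication-Results header value."""
    return {m.group(1).lower() for m in _DKIM_PASS.finditer(auth_results)}


def annotate(from_header, auth_results):
    """Classify a message's From address for display in the MUA.

    'verified'   : address is in the address book and one of its trusted
                   signing domains produced a DKIM pass
    'unverified' : address is in the address book but no trusted domain
                   signed the message (the case a look-alike phish hits)
    'unknown'    : address is not in the address book, so no annotation
    """
    _, addr = parseaddr(from_header)
    trusted = ADDRESS_BOOK.get(addr.lower())
    if trusted is None:
        return "unknown"
    if signing_domains(auth_results) & trusted:
        return "verified"
    return "unverified"
```

A real MUA must only honour an Authentication-Results header that its own trusted receiving MTA added, after that MTA has stripped any copies injected upstream; otherwise the annotation itself becomes the phishing vector.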
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html