On Saturday 09 September 2006 12:07, Dave Crocker wrote:
> Wietse Venema wrote:
> > Here is an example why first-party signatures can be dangerous.
>
> Right.
>
> The key point, to me, is that a signature by the rfc2822.From domain is
> likely to help control against some existing types of phishing, but it
> clearly will not help against others.
>
I don't think anyone would disagree with this.

> Worse, we have no empirical data about what is or is not effective, in
> helping end-users to detect phishing. So, to the extent that end-users
> figure into anyone's expectations about DKIM's benefits against
> phishing, we are flying quite blind.
>
The best way to help end-users avoid getting phished is to not accept
phishing messages for delivery. DKIM-SSP, where strict policy statements
are published, offers a mechanism for this.

From my perspective, the utility of DKIM as it relates to end-users is, I
agree, quite uncertain.

> Therefore, to the extent that anyone touts a DKIM-based mechanism as
> defeating phishing, we run the risk of undermining all of DKIM's
> credibility, by setting expectations far too high.
>
Agreed. Is anyone doing this?

Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
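The receiver-side decision Scott K alludes to (refuse, at delivery time, mail that claims a From domain whose published policy says it always signs, when no first-party signature verifies) as an added example. This is not code from the message, the list, or the DKIM-SSP draft. It assumes a simplified policy vocabulary ("unknown", "all", "strict") standing in for the draft's DNS TXT record syntax, abstracts cryptographic verification into a set of d= domains the verifier reported as valid, and uses constructed sample messages with placeholder bh=/b= values.

```python
"""Receiver-side policy check in the spirit of DKIM-SSP (added example, not from
the original post or the SSP draft).

Assumptions, not taken from the message being replied to:
  - Policies are a dict keyed by From domain with three simplified values:
      "unknown": no record published (nothing can be concluded)
      "all":     domain signs all its mail; a third-party signature is tolerated
      "strict":  domain signs all its mail and only its own (first-party)
                 signature is acceptable
    The real SSP draft published a DNS TXT record with its own tag syntax;
    this vocabulary is an abstraction of it.
  - Signature verification is abstracted: `verified_domains` is the set of d=
    domains whose signatures a real DKIM verifier reported as valid.
  - First-party means d= equals the From domain exactly (parent-domain
    matching is deliberately left out to keep the example short).
"""
import email
from email.utils import parseaddr

# Constructed policy table standing in for records a receiver would look up in DNS.
POLICIES = {
    "bank.example": "strict",
    "retail.example": "all",
    "shop.example": "all",
    # nopolicy.example publishes nothing -> treated as "unknown"
}

# Constructed sample messages. bh= and b= are placeholders, not real signatures.
PHISH = """From: "Bank Security" <accounts@bank.example>
To: victim@example.net
Subject: Please verify your account
DKIM-Signature: v=1; a=rsa-sha256; d=bulkmail.example; s=sel1;
 h=from:to:subject; bh=AAAA=; b=BBBB=

Your account has been locked. Click the link below.
"""

LEGIT = """From: Shop News <news@shop.example>
To: customer@example.net
Subject: Your order has shipped
DKIM-Signature: v=1; a=rsa-sha256; d=shop.example; s=mail;
 h=from:to:subject; bh=CCCC=; b=DDDD=

Tracking number enclosed.
"""

NEWSLETTER = """From: offers@retail.example
To: customer@example.net
Subject: Weekly offers
DKIM-Signature: v=1; a=rsa-sha256; d=bulkmail.example; s=sel1;
 h=from:to:subject; bh=EEEE=; b=FFFF=

Deals this week.
"""

UNSIGNED = """From: someone@nopolicy.example
To: friend@example.net
Subject: hello

No DKIM-Signature header at all.
"""


def author_domain(msg):
    """Domain of the rfc2822.From address, lower-cased ("" if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def signing_domains(msg):
    """d= tags from every DKIM-Signature header (folded headers handled by split/strip)."""
    domains = set()
    for value in msg.get_all("DKIM-Signature", []):
        for tag in value.split(";"):
            tag = tag.strip()
            if tag.lower().startswith("d="):
                domains.add(tag[2:].strip().lower())
    return domains


def evaluate(raw_message, verified_domains, policies):
    """Return the delivery decision for one message.

    "accept"              first-party signature verified
    "reject"              From domain publishes "strict" and no first-party signature
    "accept-third-party"  From domain publishes "all"; only a third-party signature verified
    "suspicious"          From domain publishes "all"; nothing verified
    "accept-unverified"   no policy published; nothing can be concluded
    """
    msg = email.message_from_string(raw_message)
    author = author_domain(msg)
    verified = signing_domains(msg) & {d.lower() for d in verified_domains}
    if author in verified:
        return "accept"
    published = policies.get(author, "unknown")
    if published == "strict":
        return "reject"
    if published == "all":
        return "accept-third-party" if verified else "suspicious"
    return "accept-unverified"


if __name__ == "__main__":
    # A third-party signature that verifies does not save the phish: bank.example is strict.
    print(evaluate(PHISH, {"bulkmail.example"}, POLICIES))
    print(evaluate(LEGIT, {"shop.example"}, POLICIES))
    print(evaluate(NEWSLETTER, {"bulkmail.example"}, POLICIES))
    print(evaluate(UNSIGNED, set(), POLICIES))
```

The point of the PHISH case is the one Wietse's example turns on: the message carries a perfectly valid signature, just not one from the domain in From. Without a published policy the receiver has no basis to treat that as anything other than ordinary third-party signing; with a strict policy it can refuse the message before any end user sees it.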
