On Mon, 2006-09-11 at 21:14 -0700, Steve Atkins wrote:
>
> I don't expect MUAs to pop up warnings or anything similar when they
> see unsigned mail. I wouldn't be surprised to see something akin
> to a web browser "locked padlock" or colored browser bar GUI element,
> but I think it would be a big mistake and a big disservice to users to
> do that.
>
> There are several reasons I think that it would be a mistake, but the
> dominating one is that a message being signed doesn't mean that
> it's trustworthy (of which the c1t1bank.com problem, and its i18n
> parallels is just one example).
I agree with this point. However, when an email-address has been retained in a
third-party list of valid identities, or within a recipient's address-book,
messages _can_ receive safe annotations not prone to these look-alike attacks.
The annotations would be based upon DKIM assured email-addresses compared
against these retained email-addresses.

The use of an address-book may require conventions of using pass-phrases in
initial messages. This pass-phrase could be something the recipient enters at a
web site to ensure proper recognition when a related email does arrive. Once
entered into the address-book, their messages can receive proper annotations.

This is safer and simpler to administer than deciding how to triage messages
with damaged signatures and wondering how much email disappears into the DKIM
cracks. Annotation should allow recipients to drill-down on the related details
much as with browser annotations.

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
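An added illustration of the annotation rule Doug describes (example code, not from the list or any MUA): a message is annotated "known-sender" only when its From address is covered by a DKIM pass from the receiver's own MTA and exactly matches an address the recipient already retained, so a signed look-alike such as c1t1bank.com earns nothing. The address book, the authserv-id mx.example.net and the sample headers are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed address book: identities the recipient has already retained
# (for instance after the pass-phrase exchange described in the post).
ADDRESS_BOOK = {"alerts@citibank.com", "alice@example.org"}

# Only trust Authentication-Results written by our own receiving MTA;
# the MTA is assumed to strip any such headers arriving from outside.
TRUSTED_AUTHSERV = "mx.example.net"

# Captures the signing domain (header.d=) of a dkim=pass clause.
# Constructed pattern, not a full RFC 8601 parser.
_DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", re.IGNORECASE)

def dkim_assured_address(msg):
    """Return the From address if a trusted DKIM pass covers its domain, else None."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    for ar in msg.get_all("Authentication-Results", []):
        if not ar.strip().lower().startswith(TRUSTED_AUTHSERV):
            continue  # not written by our own MTA: ignore it
        m = _DKIM_PASS.search(ar)
        if m and m.group(1).lower() == domain.lower():
            return f"{local}@{domain.lower()}"
    return None

def annotate(msg):
    """'known-sender' only for a DKIM-assured address that was retained earlier.
    Unsigned, misaligned or unknown senders get no annotation at all, so a
    look-alike domain cannot borrow a trusted sender's mark."""
    assured = dkim_assured_address(msg)
    if assured is not None and assured in ADDRESS_BOOK:
        return "known-sender"
    return None

def make_msg(from_hdr, auth_results=None):
    """Build a constructed message carrying just the headers the check needs."""
    m = EmailMessage()
    m["From"] = from_hdr
    if auth_results:
        m["Authentication-Results"] = auth_results
    return m
```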
