On Sep 12, 2006, at 9:41 AM, Thomas A. Fine wrote:
> Without SSP, users have two opportunities for making mistakes in
> verifying their mail. They can fail to notice that it is unsigned,
> or they can fail to notice that it is from a wrong domain.
SSP that blocks unsigned messages still offers a large opportunity to
get this wrong. Phish commonly avoid using the exact domain to avoid
being filtered. You are assuming visual examination of a domain is
reliable, but it is not. There are still too many being fooled to
curtail this criminal activity. The majority of users only see the
Display name without additional clicks. We are also entering an era
where it is also likely that the character repertoire being used is
unknown.
> With SSP, users only have to look for the wrong domain, because
> they should never see the unsigned mail.
Unsigned email might be blocked unless the email-address domain wants
access to common services, or wants reliable delivery, or the
verifying domain does not block based upon this policy. Will this
blocking strategy lead to legal obligations of blocking these messages?
> Maybe someone who's an expert in human factors can relate this to
> statistical decrease in errors by the user. My feeling is that the
> less a user has to worry about, the more likely they are going to
> successfully examine their message and determine its origin.
Provide the user a strong trustworthy annotation that:
a) the email-address within the message matches the one in their
address-book,
b) and that this email-address has been asserted valid with DKIM.
This strategy does not require providers to block any message,
grandma to get out her magnifying glass, or junior to reconfigure
grandma's client to use 14 point font, not display translated ACE
labels or display names, and to post next to her display terminal the
exact spelling of her important transactional email domains.
-Doug
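The annotation Doug proposes in (a) and (b), as an added example that is not part of the thread: a mail-client check in Python that compares only the address part of From: (never the display name) against the address book, in ACE form so a translated IDN label cannot pass as the ASCII original, and then requires a verified DKIM signature whose signing domain matches the From domain. The data shapes (a set for the address book, a dict for the DKIM result) and the requirement that the signing domain align with the From domain are assumptions of this example, not something the thread specifies.

```python
"""Address-book plus DKIM annotation check for a mail client.

Added example; not code from the thread or from any DKIM implementation.
The DKIM result dict and the alignment rule are assumptions of this example.
"""
from email.utils import parseaddr
from typing import Optional

# Constructed address book: the addresses grandma actually corresponds with.
ADDRESS_BOOK = {"alerts@examplebank.example", "junior@family.example"}

# Annotation levels the client may show next to a message.
TRUSTED = "trusted"                   # address-book match + valid, aligned DKIM
KNOWN_UNVERIFIED = "known-unverified" # address-book match, no usable signature
UNKNOWN = "unknown"                   # not in the address book; show nothing reassuring


def _ascii_domain(domain: str) -> str:
    """Return the domain in ACE (punycode) form, lower-cased.

    Comparing in ACE form means a Unicode look-alike label is never equal to
    the ASCII domain stored in the address book, whatever the client displays.
    """
    return domain.strip().lower().encode("idna").decode("ascii")


def _ascii_addr(addr: str) -> Optional[str]:
    """Canonicalise an address as local@ace-domain; None if it is malformed."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return None
    try:
        return f"{local.lower()}@{_ascii_domain(domain)}"
    except UnicodeError:
        return None


def annotate(from_header: str, dkim: Optional[dict],
             address_book=ADDRESS_BOOK) -> str:
    """Decide which annotation the client may show for a message.

    from_header: raw From: header value, e.g. 'Example Bank <alerts@examplebank.example>'
    dkim: None if unsigned, else {"domain": <d= tag>, "verified": bool}
          (assumed shape; a real verifier's result object would be adapted here)

    The display name is ignored entirely: it is the part most users see and
    the easiest to forge, so it must never contribute to a reassuring annotation.
    """
    _display, addr = parseaddr(from_header)
    canon = _ascii_addr(addr)
    known = {_ascii_addr(a) for a in address_book}
    if canon is None or canon not in known:
        return UNKNOWN
    if not dkim or not dkim.get("verified"):
        return KNOWN_UNVERIFIED
    # Assumed alignment rule: the signing domain must be the From domain or a
    # parent of it. A valid signature from an unrelated domain says nothing
    # about who wrote the From: address.
    from_domain = canon.rpartition("@")[2]
    try:
        sig_domain = _ascii_domain(dkim.get("domain", ""))
    except UnicodeError:
        return KNOWN_UNVERIFIED
    if sig_domain and (from_domain == sig_domain
                       or from_domain.endswith("." + sig_domain)):
        return TRUSTED
    return KNOWN_UNVERIFIED


if __name__ == "__main__":
    # Constructed messages: the genuine bank alert, the same message unsigned,
    # and a Cyrillic look-alike domain that renders identically on screen.
    good = {"domain": "examplebank.example", "verified": True}
    print(annotate("Example Bank <alerts@examplebank.example>", good))
    print(annotate("Example Bank <alerts@examplebank.example>", None))
    print(annotate("Example Bank <alerts@ex\u0430mplebank.example>", good))
```

Only the `trusted` result should ever draw the client's strong annotation; `known-unverified` is a correspondent grandma knows but whose message carries no aligned, valid signature, and `unknown` gets no reassurance at all, so a look-alike domain or a forged display name simply never earns the mark.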
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html