Re: [mailop] BIMI pilot @ Google

Sat, 25 Jul 2020 14:51:07 -0700 

On 7/25/2020 2:06 PM, Jaroslaw Rafa via mailop wrote:

Dnia 25.07.2020 o godz. 13:21:02 Dave Crocker via mailop pisze:


DKIM is intended for use by receiving filtering engines, not
end-user evaluation.

Apparently you believe that displaying security-related information
to end-users is helpful?


It's not me who claimed here "if your bank sends you authenticated mail that
your server verifies you’re sure it is from their server and not from a
hacked machine emitting bank phish", meaning DKIM by that.



Except that DKIM is not design to do anything like that.  It has 
completely different semantics.




I was - in response to this - claiming that actual signing of the message by
S/MIME (as my bank does) is a better method of proving the message's
authenticity than DKIM, which mail clients mostly ignore, so "you", as the
recipient (human recipient, not the receiving server), are unable to verify
if the email is really from your bank or not. You are basically confirming
this by writing that DKIM is not intended for end-user evaluation (although
Gmail shows the DKIM verification result to the user).



But you appear to be asserting that end-users will use s/mime validation 
to useful effect.  The problem is that typical users won't, no matter 
how the authentication/validation is done.




So I don't understand why are you suggesting that I "believe that displaying
security-related information to end-users is helpful" and what exactly do
you mean by this.



Your text: "The fact that the message is signed is prominently displayed 
by two email clients" was the reason.





For example displaying information that the message is digitally signed
(S/MIME) and the signature is valid (or not) *is* definitely helpful.



In theory, yes.  In practice, if the goal is evaluation by the recipient 
end-user, it isn't.




Displaying in web browser that the site has valid HTTPS certificate is
helpful as well.


That's been well-demonstrated to NOT have an effect on end-user assessment.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
























					Reply via email to