John Levine writes:

 > People made this suggestion for l= DKIM signatures, too.

l= DKIM signatures are a bad idea, precisely because in existing MUAs
there will be no indication of what is covered by the signature, and
what not.  "Nobody" does that.

But now mailing lists and other mediators are going to be
systematically sidestepping DMARC, but (as we've seen with Yahoo!
Groups already) still using "p=reject" mailboxes as identification.
We know this is going to happen on a large scale.

 > It strikes me as hugely confusing, since it provides no useful
 > answer to "should I believe this message or not?"  Someone thinks
 > it's bad, but it looks OK.  Who do I believe?

You believe what you believe, of course.

The problem with the usual browser notification about unverifiable
certificates is that it is too technical for most users to grasp, and
they are unable to perform the necessary operations to determine
whether it's secure.  I don't know how to do any of this right, but
surely it's worth trying to do better than we do it now.

 > A note about why a message was put in the spam folder seems OK, since
 > it is not demanding that the user make a security decision.

ISTM that's just a different UI for the same semantics.

I don't understand what you mean by "not demanding that the user make
a security decision."  If they continue reading the message ("because
it's from Aunt Sally"), and take action on it, they may be defrauded.
If they leave the message alone until they get corroboration through
other channels, the probability is much less.  In that sense they are
making a security decision.

Steve
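The l= point above, as an added example that is not from this thread or from any DKIM implementation: a minimal DKIM body hash (simple canonicalization, SHA-256) over a constructed message, showing that with l= any text appended after the signed length leaves bh= unchanged, plus a verifier-side helper that returns the uncovered bytes an MUA would have to surface to the user.

```python
import base64
import hashlib
from typing import Optional

# Constructed sample: the body as it was signed, and text a mediator
# (e.g. a mailing list footer) appended after signing.
SIGNED_BODY = "Hi Aunt Sally,\r\nPlease see the attached invoice.\r\n"
APPENDED_TAIL = "\r\nP.S. This note was not part of the signed text.\r\n"


def simple_canonicalize(body: str) -> bytes:
    """DKIM 'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    data = body.encode()
    while data.endswith(b"\r\n\r\n"):
        data = data[:-2]
    if not data.endswith(b"\r\n"):
        data += b"\r\n"
    return data


def body_hash(body: str, length: Optional[int] = None) -> str:
    """Base64 SHA-256 of the canonical body, i.e. the bh= value.

    With an l= tag only the first `length` canonical bytes are hashed, so
    anything after that point does not affect the result at all.
    """
    canon = simple_canonicalize(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def unsigned_tail(body: str, length: int) -> bytes:
    """Canonical body bytes beyond the signed length: the part a verifier
    must treat as unsigned and that existing MUAs have no way to mark."""
    return simple_canonicalize(body)[length:]


if __name__ == "__main__":
    signed_len = len(simple_canonicalize(SIGNED_BODY))
    original_bh = body_hash(SIGNED_BODY)
    modified = SIGNED_BODY + APPENDED_TAIL
    # Same bh= under l= despite the appended text; different without l=.
    print("bh matches with l=:", body_hash(modified, signed_len) == original_bh)
    print("bh matches without l=:", body_hash(modified) == original_bh)
    print("unsigned bytes:", unsigned_tail(modified, signed_len))
```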
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc