John R Levine
johnl@iecc.com
Mon Jun 20 04:02:08 UTC 2005
> I've had very little success in convincing anyone of what I see as
> insurmountable problems for almost all authentication-based ideas for
> fixing phishing--or any spam. How do you solve the key distribution
> problem?

The only idea I've had that seems even remotely workable is branded per-industry signing certificates. That is, the signer is a regulator or trade association who already knows who the legitimate entities are, like the FDIC for banks in the US. The signing key would have a logo in it, something there's already a field for in SSL certs, and the mail program or browser would display the signer's logo when it validated a cert. Then you tell people that if it doesn't have the FDIC logo, it's not from your bank.

The counter attack is to trick people into installing a rogue cert with a logo just like a famous signer's. With current MUAs and web browsers, that's so easy that there's no point in signing.

R's,
John

PS:

> Then there is the legitimate mail from professional spammers to their
> friends, colleagues, suppliers, and customers.

Oh, they don't send that through the zombie nets.
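The mechanism John sketches, written out as an added example (not code from the post or the DCC project): a regulator-run CA whose certificate carries a logo, a member certificate it issues, and the MUA-side check that only shows the logo when the chain verifies against a fixed list of regulator roots compiled into the client. The rogue-cert counter-attack in the post works against an OS-wide trust store a user can add to; it fails against that pinned list, which is what the second half of the scenario shows. Assumptions: Go standard library only; the RFC 3709 logotype extension body is simplified to a plain ASN.1 string label rather than image references; all names, domains and the "FDIC" label are constructed test values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-pe-logotype (RFC 3709). Real certificates carry image references and
// hashes here; this example (assumption) stores only a short logo label.
var logotypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12}

type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// makeCert generates a key, signs the template (self-signed when parent is nil)
// and returns the parsed certificate with its private key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newRegulatorCA builds a self-signed signing CA whose certificate carries the logo.
func newRegulatorCA(name, logo string) (*signer, error) {
	logoDER, err := asn1.Marshal(logo)
	if err != nil {
		return nil, err
	}
	cert, key, err := makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		ExtraExtensions:       []pkix.Extension{{Id: logotypeOID, Value: logoDER}},
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &signer{cert, key}, nil
}

// issueMailCert has the regulator sign an S/MIME-style certificate for a member.
func issueMailCert(ca *signer, domain string) (*x509.Certificate, error) {
	cert, _, err := makeCert(&x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: domain},
		EmailAddresses: []string{"alerts@" + domain},
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, ca.cert, ca.key)
	return cert, err
}

// signerLogo is the MUA side: verify the chain against the regulator roots
// built into the client (not the OS store) and return the logo of the root
// that actually verified. Any other chain yields an error and no logo.
func signerLogo(leaf *x509.Certificate, regulators *x509.CertPool) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     regulators,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	if err != nil {
		return "", err
	}
	root := chains[0][len(chains[0])-1]
	for _, ext := range root.Extensions {
		if ext.Id.Equal(logotypeOID) {
			var logo string
			if _, err := asn1.Unmarshal(ext.Value, &logo); err != nil {
				return "", err
			}
			return logo, nil
		}
	}
	return "", errors.New("verified root carries no logotype")
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// runScenario: a genuine regulator signs a bank; a rogue CA with an identical
// logo signs a look-alike. Only the genuine chain may produce a logo.
func runScenario() (genuineLogo string, genuineErr error, rogueLogo string, rogueErr error) {
	fdic, err := newRegulatorCA("FDIC (constructed)", "FDIC")
	check(err)
	rogue, err := newRegulatorCA("Rogue CA (constructed)", "FDIC")
	check(err)
	bank, err := issueMailCert(fdic, "examplebank.test")
	check(err)
	fake, err := issueMailCert(rogue, "examplebank.test")
	check(err)
	pinned := x509.NewCertPool()
	pinned.AddCert(fdic.cert) // the client's built-in list; the rogue root is not in it
	genuineLogo, genuineErr = signerLogo(bank, pinned)
	rogueLogo, rogueErr = signerLogo(fake, pinned)
	return
}

func main() {
	logo, gerr, rlogo, rerr := runScenario()
	fmt.Printf("genuine chain: logo=%q err=%v\n", logo, gerr)
	fmt.Printf("rogue chain:   logo=%q err=%v\n", rlogo, rerr)
}
```

The design point is in `signerLogo`: the logo is read from the root that verification selected, never from the leaf or from any extension a sender controls, and the root set is an argument the client owns rather than the system trust store. Replacing `pinned` with the OS pool would reintroduce exactly the weakness the post describes.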