[79487] in cryptography@c2.net mail archive
Re: Failure of PKI in messaging
daemon@ATHENA.MIT.EDU (Florian Weimer)
Thu Feb 15 09:31:36 2007
From: Florian Weimer <fw@deneb.enyo.de>
To: "James A. Donald" <jamesd@echeque.com>
Cc: Metzdowd Crypto <cryptography@metzdowd.com>
Date: Wed, 14 Feb 2007 21:44:07 +0100
In-Reply-To: <45D0DF6B.8020200@echeque.com> (James A. Donald's message of
"Tue, 13 Feb 2007 07:43:07 +1000")

* James A. Donald:

> Obviously financial institutions should sign their
> messages to their customers, to prevent phishing. The
> only such signatures I have ever seen use gpg and come
> from niche players.

Deutsche Postbank uses S/MIME, and they are anything but a niche
player. It doesn't help against phishing in the sense that it deters the
attackers and reduces the PR impact.

> I have heard that the reason no one signs using PKI is
> that lots of email clients throw up panic dialogs when
> they get such a message, and at best they present an
> opaque, incomprehensible, and useless interface. Has
> anyone done marketing studies to see why banks and
> massively phished organizations do not sign their
> messages to their customers?

Why bother, when it's been shown it doesn't make a difference?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com