Failure of PKI in messaging
Florian Weimer
fw at deneb.enyo.de
Wed Feb 14 15:44:07 EST 2007
* James A. Donald:
> Obviously financial institutions should sign their
> messages to their customers, to prevent phishing. The
> only such signatures I have ever seen use gpg and come
> from niche players.
Deutsche Postbank uses S/MIME, and they are anything but a niche
player. It doesn't help against phishing in the sense that it deters the
attackers and reduces the PR impact.
> I have heard that the reason no one signs using PKI is
> that lots of email clients throw up panic dialogs when
> they get such a message, and at best they present an
> opaque, incomprehensible, and useless interface. Has
> anyone done marketing studies to see why banks and
> massively phished organizations do not sign their
> messages to their customers?
Why bother, when it's been shown it doesn't make a difference?
---------------------------------------------------------------------
The Cryptography Mailing List