Failure of PKI in messaging

Florian Weimer fw at deneb.enyo.de
Wed Feb 14 15:44:07 EST 2007


* James A. Donald:

> Obviously financial institutions should sign their
> messages to their customers, to prevent phishing.  The
> only such signatures I have ever seen use gpg and come
> from niche players.

Deutsche Postbank uses S/MIME, and they are anything but a niche
player.  It doesn't help against phishing in the sense that it deters the
attackers and reduces the PR impact.

> I have heard that the reason no one signs using PKI is
> that lots of email clients throw up panic dialogs when
> they get such a message, and at best they present an
> opaque, incomprehensible, and useless interface.  Has
> anyone done marketing studies to see why banks and
> massively phished organizations do not sign their
> messages to their customers?

Why bother, when it's been shown it doesn't make a difference?
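The thread's underlying point is that a signature on the bank's genuine mail changes nothing unless the receiving side treats the absence of that signature as a signal: a phisher simply sends unsigned mail, and a client that shows nothing for unsigned messages lets it through unremarked. The following added example (not code from the thread or from any bank) sketches the receiving-side policy a mail filter could apply: for a configured set of sender domains that commit to signing, any message claiming one of those domains but lacking the S/MIME `multipart/signed` structure is flagged. It only checks message structure; cryptographic verification of the PKCS#7 blob against a trust store (e.g. with `openssl smime -verify`) is a separate step it does not perform. The sender domain, addresses and both messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the multipart/signed layout an S/MIME client produces.
# The signature body is a placeholder, so only the structure is meaningful.
SIGNED_MSG = b"""From: service@example-bank.test
To: customer@example.test
Subject: Your statement
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Your statement is ready.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBPLACEHOLDER=
--b1--
"""

# Constructed sample: a phishing-style message that borrows the bank's
# domain in From: but carries no signature at all.
UNSIGNED_MSG = b"""From: service@example-bank.test
To: customer@example.test
Subject: Urgent: verify your account
Content-Type: text/plain

Click here to verify your account.
"""

# Hypothetical policy table: domains whose legitimate mail is always signed.
SIGNED_SENDERS = {"example-bank.test"}


def sender_domain(msg):
    """Return the lower-cased domain of the From: header, or '' if absent."""
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def has_smime_signature(msg):
    """True if the message has the multipart/signed + pkcs7-signature layout.

    This is a structural check only: it says a signature is attached, not
    that it verifies against any trusted certificate.
    """
    if msg.get_content_type() != "multipart/signed":
        return False
    if msg.get_param("protocol") != "application/pkcs7-signature":
        return False
    parts = msg.get_payload()
    return (
        isinstance(parts, list)
        and len(parts) == 2
        and parts[1].get_content_type() == "application/pkcs7-signature"
    )


def classify(raw_bytes):
    """Apply the 'must be signed' policy to one raw RFC 5322 message.

    Returns 'no-policy' for senders outside the table, 'signed' when the
    expected structure is present, and 'suspect' when a covered domain is
    claimed without a signature.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if sender_domain(msg) not in SIGNED_SENDERS:
        return "no-policy"
    return "signed" if has_smime_signature(msg) else "suspect"


if __name__ == "__main__":
    for name, raw in (("signed", SIGNED_MSG), ("unsigned", UNSIGNED_MSG)):
        print(f"{name}: {classify(raw)}")
```

The value of the check lies entirely in the `suspect` branch: without a policy that says "this domain always signs", an unsigned message from the same claimed sender looks exactly like any other mail, which is the situation the thread describes.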

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
