On Fri 2015-03-20 13:43:27 -0400, Bob (Robert) Cavanaugh wrote:
> One thought to add to the mix: Phishing attacks by having
> unknowledgeable users "click on this link" are pretty
> successful. Doesn't this proposal open a new threat vector?

There are a lot of proposals in this thread, and you didn't trim the quoted text to isolate just one of them; can you be specific about which one you're talking about?

I think you're talking about the proposal to have a verification service send regular e-mails asking users to follow up on them. If the followup is just "click this link" then i agree it's probably encouraging bad habits.

What if the suggested followup was an e-mail reply? What if we require the verifier to sign its outbound messages, and tell users "don't do this unless the message is signed by the verifier"?

I'm still not sure how useful this is in the big picture -- is such a verifier only for first-contact, or is it supposed to be useful longer-term as well?

--dkg