Email-only UIDs and verification
mailing-lists at asatiifm.net
Sat Mar 21 16:23:33 CET 2015
On 20.03.15 20:47, Daniel Kahn Gillmor wrote:
> On Fri 2015-03-20 13:43:27 -0400, Bob (Robert) Cavanaugh wrote:
>> > One thought to add to the mix: Phishing attacks by having
>> > unknowledgeable users "click on this link" are pretty
>> > successful. Doesn't this proposal open a new threat vector?
Yeah… I don't really see much of a problem as proposed by Bob. Any
verification emails for any purpose should always be related to an
action the user did very recently. I.e. they visited a site or used an
application, whatever the route and method but they should already /be
expecting an email verification/.
> If the followup is just "click this link" then i agree it's probably
> encouraging bad habits.
Any verification should certainly be worded better, yes :).
> What if the suggested followup was an e-mail
> reply? What if we require the verifier to sign its outbound messages,
> and tell users "don't do this unless the message is signed by the
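Added example, not from the thread or from GnuPG: a reply-based verification flow in Python that binds each challenge to an action the user just initiated and to a short validity window, as argued above, and authenticates it with an HMAC so a reply cannot be forged or replayed. The server key, window length and pending-action store are constructed for the example; OpenPGP-signing the outbound mail, as Daniel proposes, is assumed to happen separately in the mailer.

```python
import hmac
import hashlib
import secrets
import time

# Constructed server-side secret; a real deployment loads it from a key store.
SERVER_KEY = b"example-server-key-not-for-production"
# A verification must follow an action the user took "very recently".
MAX_AGE_SECONDS = 15 * 60


def issue_challenge(email: str, action_id: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Build the challenge string the verifier mails out.

    It binds the user's address, the action they just started (sign-up,
    key upload, ...) and the issue time, then authenticates all of it.
    """
    issued = str(int(now))
    nonce = secrets.token_hex(8)
    body = f"{email}|{action_id}|{issued}|{nonce}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_reply(reply_from: str, challenge: str, pending_actions: dict,
                 now: float, key: bytes = SERVER_KEY) -> tuple:
    """Check a challenge echoed back in the user's reply.

    pending_actions maps action_id -> email for actions the user really
    initiated; anything not in it is treated as unsolicited mail.
    """
    try:
        email, action_id, issued, nonce, tag = challenge.split("|")
    except ValueError:
        return False, "malformed challenge"
    body = f"{email}|{action_id}|{issued}|{nonce}"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad authenticator"
    if reply_from != email:
        return False, "reply from a different address"
    if pending_actions.get(action_id) != email:
        return False, "no matching recent action"
    if now < int(issued) or now - int(issued) > MAX_AGE_SECONDS:
        return False, "challenge expired"
    # One-time use: consume the pending action so a replayed reply fails.
    del pending_actions[action_id]
    return True, "verified"
```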