Email-only UIDs and verification

Ville Määttä mailing-lists at asatiifm.net
Sat Mar 21 16:23:33 CET 2015


On 20.03.15 20:47, Daniel Kahn Gillmor wrote:
> On Fri 2015-03-20 13:43:27 -0400, Bob (Robert) Cavanaugh wrote:
>> > One thought to add to the mix: Phishing attacks by having
>> > unknowledgeable users "click on this link" are pretty
>> > successful. Doesn't this proposal open a new threat vector?

Yeah… I don't really see much of a problem as proposed by Bob. Any
verification emails for any purpose should always be related to an
action the user did very recently. I.e. they visited a site or used an
application, whatever the route and method but they should already /be
expecting an email verification/.

> If the followup is just "click this link" then i agree it's probably
> encouraging bad habits.

Any verification should certainly be worded better, yes :).

> What if the suggested followup was an e-mail
> reply?  What if we require the verifier to sign its outbound messages,
> and tell users "don't do this unless the message is signed by the
> verifier"?

Good ideas.

-- 
Ville
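The two ideas in this exchange, a verifier that signs its outbound mail so users act only on signed messages, and a verification mail that is tied to an action the user performed very recently, sketched as an added example that is not code from this thread or from GnuPG: Ed25519 stands in for OpenPGP signing, and the key pair, address and action name are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Challenge is the mail body; naming the action binds it to what the user just did.
type Challenge struct {
	Email    string    `json:"email"`
	Action   string    `json:"action"`
	IssuedAt time.Time `json:"issued_at"`
}

// Issue is the verifier's side: sign the challenge (Ed25519 stands in for OpenPGP here).
func Issue(priv ed25519.PrivateKey, email, action string, now time.Time) (body, sig []byte, err error) {
	body, err = json.Marshal(Challenge{Email: email, Action: action, IssuedAt: now})
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// Check is the recipient's side: refuse mail not signed by the pinned verifier key, for another action, or older than maxAge.
func Check(pub ed25519.PublicKey, body, sig []byte, action string, now time.Time, maxAge time.Duration) (Challenge, error) {
	var c Challenge
	if !ed25519.Verify(pub, body, sig) {
		return c, errors.New("not signed by the verifier: do not act on it")
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if c.Action != action {
		return c, fmt.Errorf("challenge is for %q, not the action just performed", c.Action)
	}
	if age := now.Sub(c.IssuedAt); age < 0 || age > maxAge {
		return c, errors.New("challenge is stale: not tied to a recent action")
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed verifier key pair
	body, sig, _ := Issue(priv, "alice@example.org", "upload-key", time.Now())
	_, err := Check(pub, body, sig, "upload-key", time.Now(), 10*time.Minute)
	fmt.Println("fresh, signed challenge accepted:", err == nil)
}
```

In a real deployment the recipient's client would verify an OpenPGP signature against the verifier's published key rather than an Ed25519 key generated in-process.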

More information about the Gnupg-users mailing list