- From: George Staikos <staikos@kde.org>
- Date: Thu, 15 Jun 2006 00:55:02 -0400
- To: "Undisclosed.Recipients": ;
- Cc: public-usable-authentication@w3.org
On Monday 12 June 2006 09:10, Hallam-Baker, Phillip wrote: > Let's remember that this is not break once run anywhere, we are not doing > drm. > > We are not protecting a single unique asset. This is a percentages game. > Even if we only protect the vigilant that is a success. > > We are not trying to prevent phishing here, I think the WARP bof at the > ietf is also misnamed, we are not even necessarily aiming to reduce > phishing with this single change by itself. > > What we are trying to do is to provide one piece of an infrastructure which > together helps to reduce successful attacks. Excellent points. I also realized that some of us are talking about different things here. Some of us are talking about protecting users, others are talking about preventing successful phishes. I think they're both excellent goals, and are not identical. We should make it hard to phish, and that will make it hard to harm users. We should attempt to protect users, at least the most vigilant to start, and that will make it hard to phish them. They are complementary things but may require slightly different approaches. Blacklists don't make it hard to phish, just annoying. They do go a long way toward protecting users though. On the other hand, closing software security holes doesn't directly protect all users, but it does make it harder to phish since there are fewer vectors and probably more tedious ones left. We need to tackle both of these things, and find effective ways to do it, especially without confusing the two too much. -- George Staikos KDE Developer http://www.kde.org/ Staikos Computing Services Inc. http://www.staikos.net/
Received on Thursday, 15 June 2006 04:52:59 UTC