On Thu, Jan 18, 2007 at 07:05:25AM -0800, Matthew Black wrote:
> This presupposes that corporations have a more significant claim to domain names than individuals.
Not necessarily; if I am providing login details to a phishing site, I have probably visited the actual business web site before to create those credentials in the first place. Were they to use a consistent naming strategy, for example always using the same suffix, then I have a simple rule for avoiding [most] phishing sites; validate the suffix.

More generally, authenticating the identity of someone you share a piece of information (or history) with is a much more tractable problem than authenticating someone you don't share anything with. That is probably unsolvable via technical means.

As you point out, there still exists the risk of providing personal details to the wrong site, but phishing sites so far haven't commonly focused on gathering details for future identity fraud.

--
``Unthinking respect for authority is the greatest enemy of truth.'' -- Albert Einstein
-><- <URL:http://www.subspacefield.org/~travis/>
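
The "validate the suffix" rule from the reply above, written out as an added example that is not part of the original message. The suffix `bank.example` and every sample URL are constructed assumptions; the code compares the parsed hostname on a DNS label boundary and sets that beside a plain substring check.

```javascript
// Added example: the suffix and all URLs below are constructed for illustration.
const TRUSTED_SUFFIXES = ["bank.example"]; // assumption: the one suffix the business always uses

// Return the normalised hostname of a URL, or null if it cannot be parsed.
function hostnameOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  // The URL parser lower-cases the host and separates any "user@" part.
  // Strip one trailing dot so "bank.example." compares equal to "bank.example".
  return url.hostname.replace(/\.$/, "");
}

// True only if the host is the suffix itself or ends with "." + suffix,
// so the match always falls on a label boundary.
function hasTrustedSuffix(urlString, suffixes = TRUSTED_SUFFIXES) {
  const host = hostnameOf(urlString);
  if (!host) return false;
  return suffixes.some((s) => host === s || host.endsWith("." + s));
}

// The weaker rule for comparison: "the address contains the name somewhere".
function containsName(urlString, suffixes = TRUSTED_SUFFIXES) {
  return suffixes.some((s) => urlString.includes(s));
}

// Constructed sample addresses: two genuine forms, three look-alikes.
const SAMPLES = [
  "https://login.bank.example/signin",
  "https://BANK.example./",
  "https://bank.example.account-verify.test/signin", // suffix used as a prefix
  "https://secure-bank.example/",                    // no label boundary
  "https://bank.example@login.test/",                // name in the userinfo part
];

// Evaluate both rules over a list of addresses.
function classify(samples = SAMPLES) {
  return samples.map((url) => ({
    url,
    suffixRule: hasTrustedSuffix(url),
    substringRule: containsName(url),
  }));
}

console.table(classify());
```

The three look-alike addresses pass the substring rule and fail the suffix rule, which is why the comparison has to be made on the parsed hostname rather than on the address as displayed.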