Ziff Davis Enterprise
Sunday, May 20, 2007 6:27 PM/EST

The .bank Debate Continues

Mikko Hypponen of F-Secure has responded to the criticism of his .bank proposal, and specifically my criticism of it.

He acknowledges the obvious: that phishers would still be able to use tricky domain names (one person has suggested .ba.nk, such as www.citi.ba.nk, out of North Korea) to fool users, and security programs, that don't read the domain name very carefully.

He also agrees with Dave Goldsmith's suggestion that the point of it all isn't really that users be able to trust URLs, but that security software could more easily whitelist .bank domains and scrutinize others for .bank-like behavior.

One of my main suggestions was that EV-SSL certificates give the user the same confidence in a more visible way. Mikko also likes EV-SSL, but thinks .bank is the belt supporting EV-SSL's suspenders. I guess it's not a bad thing in this sense, especially since .bank domains would require SSL of one form or another to authenticate themselves. But one clearly takes wind out of the other's sails, and EV-SSL is already implemented.

Each government would have to decide which institutions qualify as banks for the .bank designation. But Mikko's not clear on whether, for example, British banks would use .bank or .bank.uk. How about credit unions in the United States? Perhaps they'd get .bank (they're adamant that they're not banks, even though they perform bank-like functions), or maybe they'd need a .credit domain.

I'm still leery of the value of the proposal, even to security programs. A proposal like this takes a long time to come to fruition under the best circumstances, so a continuing debate on the matter seems like the right thing to do. If you can convince banks to blow the money on it then I don't see a reason to deny them.

TrackBack

http://blogs.eweek.com/cgi-bin/mte/mt-tb.cgi/11007

Comments (1)

The name of the TLD is pretty irrelevant, but given a TLD .ABC the browser could check for (.)?A(.)?B(.)?C in the address bar and if it finds it then throw up a message along the lines of "This website may be pretending to be a bank" and force the user to whitelist the site, much as is often done with pop-up blockers.
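The two checks raised above, the whitelisting of genuine .bank hosts that Dave Goldsmith's suggestion in the post relies on and the letters-with-optional-separators heuristic from the comment, written out as an added example. This is not code from the original post, the commenter, or any browser or security product; the `.bank` TLD, the `classify` function and the sample URLs are assumptions constructed for illustration.

```python
"""Classify a URL's host against a hypothetical trusted TLD (".bank") the way a
browser or security product might. Added example; not from the original post."""
import re
from urllib.parse import urlsplit

TRUSTED_TLD = "bank"  # the proposed TLD; an assumption for this example


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL or a bare host string."""
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_under_tld(host: str, tld: str = TRUSTED_TLD) -> bool:
    """Whitelist check: True only if the rightmost DNS label is exactly the
    trusted TLD. 'citi.bank' passes; 'citi.ba.nk' and 'citi.bank.example.com'
    do not, because their rightmost labels are 'nk' and 'com'."""
    labels = host.split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] == tld


def lookalike_regex(tld: str = TRUSTED_TLD) -> re.Pattern:
    """The commenter's heuristic: the TLD's letters with any single character
    optionally between them, i.e. b.?a.?n.?k, so 'ba.nk' and 'b-a-nk' match."""
    return re.compile(".?".join(re.escape(c) for c in tld))


def classify(url: str, tld: str = TRUSTED_TLD) -> str:
    """Return 'trusted' for a real .bank host, 'suspicious' for a host that
    merely looks like one, and 'other' for everything else."""
    host = host_of(url)
    if is_under_tld(host, tld):
        return "trusted"
    if lookalike_regex(tld).search(host):
        return "suspicious"
    return "other"


if __name__ == "__main__":
    # constructed sample URLs, not real sites
    for u in ["https://www.citi.bank/login",
              "http://www.citi.ba.nk/login",
              "https://www.citi.bank.example.com/",
              "https://bank.example.com/",
              "https://www.example.com/"]:
        print(f"{u:45} {classify(u)}")
```

The whitelist test looks only at the rightmost label, which is what makes the TLD useful to software: a phisher cannot register under .bank without passing the registrar's vetting, and `www.citi.bank.example.com` is rejected regardless of how convincing the left-hand labels are. The commenter's heuristic is deliberately loose and will also flag innocent hosts that happen to contain the letters (a site about riverbanks, say), which is why the comment proposes prompting the user to whitelist rather than blocking outright.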
