Re: [Bimi] (non)desire for bimi

[Richard Clayton <richard@highwayman.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <6929D4C0-FE58-43E9-9605-98F040308B74@skyelogicworks.com>,
Thede Loder <thede=40skyelogicworks.com@dmarc.ietf.org> writes

>(That said, none of BIMI’s proponents are arguing that end users' choices 
>resulting from the display of logos will be a primary or substantive cause of 
>improvement in outcomes.  No one is saying that this mechanism should even be 
>considered for reasons other than for its potential to reduce safety.

     increase ?

>  If you 
>see language in the documentation asserting otherwise, please bring it to the 
>group’s attention )   

from the front page of the brand indicators website:

     "What If You Could Put Your Brand On Every Email and Users Could
     Trust It’s You?"

     "will use brand logos as indicators to help people avoid fraudulent
     email"

     "When users see your logo, they’ll trust the email"

     "Stop Phishing"

this reads to me that an improvement in outcomes is a key aim of BIMI
since there is very little other substantive messaging there:

Except of course it also says

     "giving marketers a huge new opportunity to put their brands in
     front of consumers for free"

     "we believe brand indicators will increase response rates,
     magnifying the power and reach of our marketing efforts."

But I look forward to the "forest" document which sets out the high
level of what is intended to be achieved, so that it is possible to
assess the technical suggestions against that...

... and yes, if the main driver here is marketing then say so and the
effort can be properly tuned, by those who are prepared to work on the
standard effort, to get that right.

But Aims first, Tech Details second: No point talking about certificate
pinning if there will only ever be one CA for example.

>The other reason I asked the question above was to motivate disclosure of 
>additional objections to BIMI.

it's hard to object to generic aims if they aren't documented and appear
to dilettantes like me to change with the year

>Regarding D, let’s begin a larger discussion of costs.  Given your experience, 
>where do you see the costs in doing a standard?  

Hiring me to read your last email, check your website text and proofread
the brief response that I have penned here would likely cost you $100 at
my chargeout rate.

The opportunity cost of doing this email rather than working on better
schemes for mitigating list bombing (say for a concrete example) is
substantially more than $100 given the cost to the community (and
particular victims) of that abuse.

Multiply my small contribution by all the experts who need to keep up
with email lists, consider the consequences of minor changes, brainstorm
major improvements etc. and you will soon be talking substantial sums. 

The IETF does not pay for the expertise they garner (and I think would
probably be rather worse off if they did) but "opportunity cost" is the
key issue here -- in my view.

- -- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBXGrpOzu8z1Kouez7EQJpCgCgn0xQxK5o32eG/EaZE8+oyHP/BW0AoKy1
7lI+D0FR5Peva1oVxKzgBluR
=Mh0c
-----END PGP SIGNATURE-----