Re: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
Thede Loder <thede@skyelogicworks.com> Thu, 07 February 2019 20:48 UTC
Return-Path: <thede@skyelogicworks.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17750130E6C for <bimi@ietfa.amsl.com>; Thu, 7 Feb 2019 12:48:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=skyelogicworks.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MH-ndZmKuVR2 for <bimi@ietfa.amsl.com>; Thu, 7 Feb 2019 12:48:42 -0800 (PST)
Received: from mail-yw1-xc35.google.com (mail-yw1-xc35.google.com [IPv6:2607:f8b0:4864:20::c35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 847F0130E6F for <bimi@ietf.org>; Thu, 7 Feb 2019 12:48:42 -0800 (PST)
Received: by mail-yw1-xc35.google.com with SMTP id n12so494193ywn.13 for <bimi@ietf.org>; Thu, 07 Feb 2019 12:48:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=skyelogicworks.com; s=google; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=uS3OoT9fVd/HiRsg/2XBO5tsGtQyUA68YwIKlf0qVv4=; b=Odbuma6QFFoZjMKYXKs06G/rmb943A5uR64/1d3v4SBijnss8cLJF+/x+H4zENIJM0 YZSlOVxd0Xu4tL27Aahn2Vshpd651iO0x3QgUs3BOxu4luij00fWfSqMALCwNnLKzE0l LOMFfd5WLwjcdCnJoYDpWALPqISId/UNhNch0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=uS3OoT9fVd/HiRsg/2XBO5tsGtQyUA68YwIKlf0qVv4=; b=LACAIoij3wA7hRwfcR/LtlJ1NR5J3nFTC7ZdBcjkQ7iMO3PPBTJHYsvmmVY7U600vz dlk8wCej7/FvM/R/YjuK8bWsUakZC4UUUBn1SIIphcv3lKWGjWFlO3KxTsNKUNH/NCM7 bPM95xQA1zBLVQ0FatRDFZUGVsuKn+Ryj/XUg2qPQMStGKQYysMQfoVzine/ohj+nmsf h4oaxffnhA9e4Xu52826Rc97itmXjmvbE8Ej7Z5oNlmMLHFDcRMdp+FfbLOv8fNHMk/G IQTFgcZ+FoJluk+cvL1ECBNDtZkldMji0QGYMd3vanQ8F0mPkGubDSTeBUtEIerNEBqm GCuA==
X-Gm-Message-State: AHQUAuaJDFLdvPhb8h7+SK8gcMtYgcIL6VQc3QiS/5qO+L4s3EUSszoD KJQ3ocqKW0rjnF83we3xaryCHS/THCQ=
X-Google-Smtp-Source: AHgI3IaWJHaNnWJeqSFrJXts01vdQjD4Fr89qWendtG+f+6Cj5ZYR3H9qcFff6/TdEY2bifD56KC7A==
X-Received: by 2002:a0d:f286:: with SMTP id b128mr14953913ywf.46.1549572521103; Thu, 07 Feb 2019 12:48:41 -0800 (PST)
Received: from [10.1.200.76] (cpe-174-109-126-126.nc.res.rr.com. [174.109.126.126]) by smtp.gmail.com with ESMTPSA id v9sm11185ywh.2.2019.02.07.12.48.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 12:48:40 -0800 (PST)
From: Thede Loder <thede@skyelogicworks.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FA170565-2BF1-47FE-AC6E-1A5501B2449E"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 07 Feb 2019 15:48:39 -0500
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com>
To: Seth Blank <seth@sethblank.com>, bimi@ietf.org
In-Reply-To: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com>
Message-Id: <F88FEF71-F483-490D-9695-5A59238F5B0A@skyelogicworks.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/2rtNd4k6LI_o9HsI2Z_HAuD58FE>
Subject: Re: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 20:48:46 -0000
Seth, thanks for getting this rolling here! I will post comments on specific docs under different doc-specific threads where possible and suggest others do the same. Generally agree on the highlights - lots to cover and improve. Thede -- Thede Loder Managing Director, Skye Logicworks LLC E: thede@skyelogicworks.com M: 415-420-8615 > On Feb 6, 2019, at 15:10, Seth Blank <seth@sethblank.com> wrote: > > I've uploaded two documents as I-Ds to kick off IETF discussions around BIMI. Both these documents need a good deal of work, but are ready for public discussion. > > For BIMI publishing and usage: > - https://tools.ietf.org/html/draft-blank-ietf-bimi-00 <https://tools.ietf.org/html/draft-blank-ietf-bimi-00> > - https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-00 <https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-00> > > For logo validation: > - https://tools.ietf.org/html/draft-chuang-bimi-certificate-00 <https://tools.ietf.org/html/draft-chuang-bimi-certificate-00> > - https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdmluwHEcbja42w/edit?usp=sharing <https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdmluwHEcbja42w/edit?usp=sharing> > > At a high level, these documents have several issues to be worked through: > > 1) The intent is for this to be globally accessible to any domain owner, but the current mechanisms are more approachable to larger organizations in first world countries > a) We need a discussion of what other validation mechanisms could work at scale (our expectation is to have several, signposted weakly in the draft) > b) We need a way to properly reflect this in the proposed a= tag > > 2) BIMI is NOT a new authentication mechanism, nor does it make ANY claims about user security or trust in the inbox. However, in places this draft may be unclear. How do we make this clearer while still explaining why standardizing this process is important, without crossing the line into UX or trust, of which BIMI is neither? > > 3) Right now, security surrounding logos is limited to SVGs per https://tools.ietf.org/html/rfc6170#section-5.2 <https://tools.ietf.org/html/rfc6170#section-5.2>. There's clearly more that's needed here, especially against attacks that rely on steganography or resizing vectors, etc. > > 4) Other nits for draft-blank-ietf-bimi: > > a) The structure needs work, as do the Introduction and Overview > b) Some of the technical construction feels like it could be dramatically simplified > c) Section 8.2 mentions hashes with no definition or clarity > d) The uses of MTA, MUA, and Mail Receiver feel like they overlap each other left and right > i) And the document is heavily focused on larger receivers where this distinction is clear, but doesn't give any thought to other receiving architectures at all, especially mail clients that are the entire stack > > Several authors of these documents will be in Prague, we're looking forward to the conversations over the next few weeks and face to face! > > Seth > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>> > Date: Wed, Feb 6, 2019 at 11:11 AM > Subject: New Version Notification for draft-blank-ietf-bimi-00.txt > > > A new version of I-D, draft-blank-ietf-bimi-00.txt > has been successfully submitted by Seth Blank and posted to the > IETF repository. > > Name: draft-blank-ietf-bimi > Revision: 00 > Title: Brand Indicators for Message Identification (BIMI) > Document date: 2019-02-06 > Group: Individual Submission > Pages: 26 > URL: https://www.ietf.org/internet-drafts/draft-blank-ietf-bimi-00.txt <https://www.ietf.org/internet-drafts/draft-blank-ietf-bimi-00.txt> > Status: https://datatracker.ietf.org/doc/draft-blank-ietf-bimi/ <https://datatracker.ietf.org/doc/draft-blank-ietf-bimi/> > Htmlized: https://tools.ietf.org/html/draft-blank-ietf-bimi-00 <https://tools.ietf.org/html/draft-blank-ietf-bimi-00> > Htmlized: https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi <https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi> > > > Abstract: > Brand Indicators for Message Identification (BIMI) permits Domain > Owners to coordinate with Mail User Agents (MUAs) to display brand- > specific Indicators next to properly authenticated messages. There > are two aspects of BIMI coordination: a scalable mechanism for Domain > Owners to publish their desired indicators, and a mechanism for Mail > Transfer Agents (MTAs) to verify the authenticity of the indicator. > This document specifies how Domain Owners communicate their desired > indicators through the BIMI assertion record in DNS and how that > record is to be handled by MTAs and MUAs. The domain verification > mechanism and extensions for other mail protocols (IMAP, etc.) are > specified in separate documents. MUAs and mail-receiving > organizations are free to define their own policies for indicator > display that makes use or not of BIMI data as they see fit. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>. > > The IETF Secretariat > > -- > bimi mailing list > bimi@ietf.org > https://www.ietf.org/mailman/listinfo/bimi