Re: [Bimi] Proposal to Clarify Role of MUA in BIMI Evaluation

Todd Herr <todd.herr@valimail.com> Tue, 19 July 2022 19:30 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18270C13C518 for <bimi@ietfa.amsl.com>; Tue, 19 Jul 2022 12:30:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iFmZvn5BYTyy for <bimi@ietfa.amsl.com>; Tue, 19 Jul 2022 12:30:32 -0700 (PDT)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 273FFC14F74F for <bimi@ietf.org>; Tue, 19 Jul 2022 12:30:32 -0700 (PDT)
Received: by mail-yb1-xb34.google.com with SMTP id r3so28368326ybr.6 for <bimi@ietf.org>; Tue, 19 Jul 2022 12:30:32 -0700 (PDT)
MIME-Version: 1.0
References: <DE61AC51-4BC3-44FF-862D-7D8ADFB3BC29@proofpoint.com> <20CBD506-7E50-4161-ADE6-64614630B1B2@proofpoint.com> <CAHej_8kridbc322MDRpxfgd+8Y2yNacxTAtvr+HF=+wevdRQhw@mail.gmail.com> <VI1PR01MB70538965904FD08A49F75C37C78C9@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <11A2B052-A26C-4A9C-9D88-72B594DA1C59@proofpoint.com> <VI1PR01MB70537BA29DA1F456B858C17FC78C9@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <6993E8B6-11A0-4AF3-A94E-044F880E56BC@proofpoint.com> <CAHej_8kjwtGE4rDrXfTpgThOD-jh7t0GK9EUnVjVZT_OJzzsvg@mail.gmail.com> <VI1PR01MB705353E36328899609DE2471C78C9@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <12a85dfe-664f-d757-0fa2-81f17c8088c2@dcrocker.net> <4e9ab94e-8675-df70-3e4b-00edcedb266e@dcrocker.net> <5DE65D46-853F-4F61-ADA7-20CB5E7E6840@kitterman.com> <7f030278-3f9b-c8ea-f9eb-644f006cded9@dcrocker.net> <CC11EF68-1E27-41CD-AE2D-AC26DA261EAD@kitterman.com> <CAHej_8mNCTw0LpnWTBCpqZJhHQcDgrsC4truK1dD_-HbyVgsWA@mail.gmail.com> <90369013-6a44-0b6f-4345-53595695de30@dcrocker.net>
In-Reply-To: <90369013-6a44-0b6f-4345-53595695de30@dcrocker.net>
From: Todd Herr <todd.herr@valimail.com>
Date: Tue, 19 Jul 2022 15:30:14 -0400
Message-ID: <CAHej_8ksVcBZwMzNgzS6P6txJo42u36FD5W0-9dMt=DE6sYRUA@mail.gmail.com>
To: dcrocker@bbiw.net
Cc: bimi@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007b7c5405e42d8498"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/8B1HhHCwkqozROBmZ40p7jYotL8>
Subject: Re: [Bimi] Proposal to Clarify Role of MUA in BIMI Evaluation
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 19:30:36 -0000

On Tue, Jul 19, 2022 at 3:20 PM Dave Crocker <dhc@dcrocker.net> wrote:

> On 7/19/2022 12:14 PM, Todd Herr wrote:
> > To me, BIMI's reliance on DMARC passing (and being at something other
> > than p=none) means that the condition at time of message receipt is
> > the only one that matters.
>
> So if the message is displayed much later, and the BIMI certification
> has become invalid, it is ok to still display the mark that was
> associated at the original time of validation?
>

One of the bits of information available to be included in the recorded
results is policy.authority-uri, which would be the URI of the evidence
document checked at the time of the message receipt, so I would expect an
MUA to know that the certification is now invalid.

Note also that BIMI certification is not currently a universal concept for
MBPs that support BIMI. Gmail requires them (in the form of VMCs) but Yahoo
does not.

Now, let me turn your question on its head...

If the consensus lands on the idea of the MUA doing its own checks, how
would the MUA answer these questions:

   - What was the DMARC policy for the RFC5322.From domain at the time the
   message was sent?
   - What was the SPF record for the RFC5321.MailFrom domain at the time
   the message was sent?
   - Did a BIMI Assertion Record exist for the domain at the time the
   message was sent?

Put another way, is it ok to display the mark for the message now even if
it wasn't when it was received or even if it wasn't because BIMI didn't
exist for the domain at the time the message was received?

-- 

*Todd Herr* | Technical Director, Standards and Ecosystem
*e:* todd.herr@valimail.com
*m:* 703.220.4153

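An added example, not part of the original message: a sketch of how an MUA could read the receipt-time BIMI result and `policy.authority-uri` from its receiver's Authentication-Results header and recheck only the evidence document at display time. The header value, `mbp.example`, `brand.example`, the function names and the `evidence_still_valid` callback are constructed for illustration, and the display policy shown is one possible choice, not something settled in the thread.

```python
import re

# Constructed sample of what a receiver might record at receipt (made-up values).
SAMPLE_AR = (
    "mbp.example; dmarc=pass header.from=brand.example; "
    "bimi=pass header.d=brand.example header.selector=default "
    "policy.authority=pass "
    "policy.authority-uri=https://brand.example/bimi/vmc.pem"
)


def parse_bimi_result(ar_value):
    """Return (authserv_id, props) for the bimi= entry; props is None if absent.

    Simplified parsing: assumes no comments and no ';' inside property values.
    """
    parts = [p.strip() for p in ar_value.split(";")]
    authserv_id = parts[0].split()[0] if parts[0] else ""
    for resinfo in parts[1:]:
        m = re.match(r"bimi\s*=\s*(\w+)", resinfo, re.I)
        if not m:
            continue
        props = {"result": m.group(1).lower()}
        for key, val in re.findall(r"([\w.-]+)\s*=\s*(\S+)", resinfo[m.end():]):
            props[key.lower()] = val
        return authserv_id, props
    return authserv_id, None


def may_display_mark(ar_value, trusted_authserv_id, evidence_still_valid):
    """Hypothetical MUA policy: trust the receipt-time result, recheck evidence.

    evidence_still_valid is an assumed callback that revalidates the document
    at the recorded URI (for example, certificate expiry and revocation).
    """
    authserv_id, bimi = parse_bimi_result(ar_value)
    if authserv_id.lower() != trusted_authserv_id.lower():
        return False, "header not written by our own receiver"
    if bimi is None or bimi["result"] != "pass":
        return False, "BIMI did not pass at receipt"
    uri = bimi.get("policy.authority-uri")
    if bimi.get("policy.authority") == "pass" and uri:
        if not evidence_still_valid(uri):
            return False, "evidence document no longer valid"
        return True, "passed at receipt, evidence rechecked"
    return True, "passed at receipt, no evidence document recorded"
```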