IETF Logo Mail Archive

Re: [Bimi] Proposal to Clarify Role of MUA in BIMI Evaluation

Scott Kitterman <sklist@kitterman.com> Tue, 19 July 2022 18:07 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 028C2C15A732 for <bimi@ietfa.amsl.com>; Tue, 19 Jul 2022 11:07:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=DwJKBcL9; dkim=pass (2048-bit key) header.d=kitterman.com header.b=nTVoGoDi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1iYg1LutNfQc for <bimi@ietfa.amsl.com>; Tue, 19 Jul 2022 11:06:54 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85C80C15A72C for <bimi@ietf.org>; Tue, 19 Jul 2022 11:06:54 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id A6F76F80311; Tue, 19 Jul 2022 14:06:50 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1658254010; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=uCG5E9FtoWEIqkjmB/EEXCG+VW/wIjAjshE6KN9SrKU=; b=DwJKBcL9h6Wfm5QYnw4NrxlJ05wS27FaHAbIa+TRVXb80jhni9mjeqtRhDnL2mQCy9unA 3D9yZS/DM30/vuPCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1658254010; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=uCG5E9FtoWEIqkjmB/EEXCG+VW/wIjAjshE6KN9SrKU=; b=nTVoGoDiVLqXjwokkq5qL7bvQu+Q3UQ3RPfXTHoRjk9bjsy6OfRDEKWQ30HTRXVPb/t7d NtUP6tCF+3Ya2aeOkXtliXun1PYZlcNMVdhmK58NUlEfmZleh8H5QCvttCCMIB16SmkucJ9 pEk8biWuvQn+PvCJiMwm0l/P48yYMm8sL15WPqpKhiOzW4AQL8tlQeZF/2mMICajKWrYGu+ wMct+BtRywZir9c3aXWDFIvxgyn65bnXb4zcK22EphfviV+6hFcaGj2Lvr0SDQelVuz5uDi P5EjFD69JwPKVaMyBftwi3Bgo4PNJrA9sXOZ70xUnfp2mA/A/66ppMpq0McQ==
Received: from [127.0.0.1] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 71713F801D6; Tue, 19 Jul 2022 14:06:50 -0400 (EDT)
Date: Tue, 19 Jul 2022 18:06:50 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: bimi@ietf.org
In-Reply-To: <7f030278-3f9b-c8ea-f9eb-644f006cded9@dcrocker.net>
References: <DE61AC51-4BC3-44FF-862D-7D8ADFB3BC29@proofpoint.com> <20CBD506-7E50-4161-ADE6-64614630B1B2@proofpoint.com> <CAHej_8kridbc322MDRpxfgd+8Y2yNacxTAtvr+HF=+wevdRQhw@mail.gmail.com> <VI1PR01MB70538965904FD08A49F75C37C78C9@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <11A2B052-A26C-4A9C-9D88-72B594DA1C59@proofpoint.com> <VI1PR01MB70537BA29DA1F456B858C17FC78C9@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <6993E8B6-11A0-4AF3-A94E-044F880E56BC@proofpoint.com> <CAHej_8kjwtGE4rDrXfTpgThOD-jh7t0GK9EUnVjVZT_OJzzsvg@mail.gmail.com> <VI1PR01MB705353E36328899609DE2471C78C9@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <12a85dfe-664f-d757-0fa2-81f17c8088c2@dcrocker.net> <4e9ab94e-8675-df70-3e4b-00edcedb266e@dcrocker.net> <5DE65D46-853F-4F61-ADA7-20CB5E7E6840@kitterman.com> <7f030278-3f9b-c8ea-f9eb-644f006cded9@dcrocker.net>
Message-ID: <CC11EF68-1E27-41CD-AE2D-AC26DA261EAD@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/B4vVIJt6L3j0O56dRmoyHQW_nTM>
Subject: Re: [Bimi] Proposal to Clarify Role of MUA in BIMI Evaluation
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 18:07:00 -0000


On July 19, 2022 6:03:10 PM UTC, Dave Crocker <dhc@dcrocker.net> wrote:
>On 7/18/2022 2:13 PM, Scott Kitterman wrote:
>> Typically MUAs (standalone ones anyway) don't store the results of operations like DKIM verification.  They reparse the header and revalidate as needed when a user selects the mail.  While key management actions such as key rotation are formally outside the scope of RFC 6376, such things do happen and so the accuracy of time late verification does decline over time.  It might even be hazardous to attempt if the key size is small or the private key has been made available [1].
>On 7/18/2022 2:34 PM, Scott Kitterman wrote:
>> In theory DKIM can be (and has been) implementated in an MUA and it generally works reasonably well when a message is received, but AIUI (and maybe I don't) to be useful for Bimi such a verification would need to be reliable over time and I have yet to see it work that way despite it being (as you suggested) theoretically fine.
>> 
>> For something like Bimi to be a reliable indicator of anything, I think both theory and practice need to be considered (even though they're in theory the same).
>
>
>Considering your comments a bit further, it appears you are suggesting that BIMI does not need to validate at the time of display.

Maybe.  I won't claim to have been following the details closely enough to have an opinion.  For underlying authentication methods, such as DKIM, I think it's critical to evaluate them at the time of receipt and store the results.  That might also be true of Bimi, but I don't know.

Scott K

v2.23.0 | Report a Bug | By Email