Re: [Bimi] MUA Evaluation of BIMI

Dave Crocker <dcrocker@bbiw.net> Mon, 14 March 2022 17:58 UTC

To: Ken O'Driscoll <ken=40wemonitoremail.com@dmarc.ietf.org>, Trent Adams <tadams@proofpoint.com>
Cc: "bimi@ietf.org" <bimi@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/Bh3RkXrcXnG1jfaQIOXtO0uREzQ>
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>

On 3/14/2022 9:27 AM, Ken O'Driscoll wrote:
> If people begin to see value in supporting BIMI at the MUA level, then they will do so with or without the endorsement of the specification. However, if the spec. clearly articulates implementation considerations and risks, then it can only be a good thing.


I'd class it more than merely a Good Thing.

Given that BIMI relies on underlying, security-related protocols, and 
BIMI itself makes validation efforts, I'd class a serious risk, threat, 
etc. analysis -- and guidance -- to be essential, professional due 
diligence.

It's not just that people 'might choose' to do a particular 
configuration, it's that the nature of the service is end-to-end and all 
of the mechanisms can easily be placed in those end points.  So when 
someone puts an essential component somewhere else, THAT is when there 
should be concern.

In other words, BIMI (and DMARC with DKIM) all work perfectly well in 
the MUA.  So should BIMI.  And when a component is placed elsewhere -- 
as is both reasonable and likely -- then it needs to be accounted for 
during design and specification, not later when it finally starts 
getting deployed.

d/


-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net