Re: [Bimi] BIMI & the MUA

"Brotman, Alex" <Alex_Brotman@comcast.com> Thu, 07 September 2023 00:13 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/DduPbA3eCDzN59mID8C-KNeXKo8>
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>

Taavi,

I agree, it is complex. However, with some of the goals being that the MBP may wish to revoke previous authorization and the MUA being able to rely on the data on the message, that shouldn’t be surprising.

As to relying on the “Authentication-Results” header, the MUA cannot rely on the presence of that alone. The MUA must be able to be sure that the MBP that received the message is the entity that placed the A-R header into the message. If an MBP does not utilize BIMI (or maybe even DMARC), they may not remove a pre-existing header that a malicious sender has inserted. If the MUA finds that header, it could attempt to use it. So, maybe the MBP signs the A-R header, and that’s sufficient for that part of the requirement.

Perhaps the document needs some additional “rationale” sections to better illustrate why it was being done this way.

Thanks for the feedback.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
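The check described in the reply above (the MUA must be able to attribute the A-R header to the receiving MBP, which could sign it), as an added Python example that is not part of the thread or of the draft: it assumes a hypothetical MBP domain mbp.example and a constructed message, and verifies that a DKIM-Signature from the MBP lists every Authentication-Results instance in h= (DKIM selects h= entries bottom-up, so a single entry would cover an injected copy rather than the MBP's own) and that the authserv-id of the bimi=pass result is the MBP's.

```python
import email
from email import policy

# Constructed sample (not from the thread). The bottom Authentication-Results
# was injected by the sender and forges the MBP's authserv-id; the top one was
# added by the receiving MBP "mbp.example", which then DKIM-signed the message
# listing authentication-results once per instance so both copies are covered.
RAW_GOOD = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=mbp.example; s=sel1; c=relaxed/relaxed;
 h=from:to:subject:authentication-results:authentication-results;
 bh=CONSTRUCTED; b=CONSTRUCTED
Authentication-Results: mbp.example; dmarc=pass header.from=brand.example;
 bimi=pass header.d=brand.example header.selector=default
Authentication-Results: mbp.example; bimi=pass header.d=brand.example
From: news@brand.example
To: user@mbp.example
Subject: constructed sample

body
"""
# Same message, but h= names authentication-results only once: per RFC 6376
# that covers the bottom (injected) instance, not the MBP's own header.
RAW_BAD = RAW_GOOD.replace(b":authentication-results:authentication-results",
                           b":authentication-results")

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in value.split(";") if "=" in p)}

def ar_covered_by_mbp(msg, mbp_domain):
    """True if a DKIM-Signature with d=mbp_domain lists every A-R instance."""
    n_ar = len(msg.get_all("Authentication-Results", []))
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(str(sig))
        if tags.get("d", "").lower() != mbp_domain:
            continue
        signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
        if signed.count("authentication-results") >= n_ar:
            return True
    return False

def bimi_pass_for_mua(raw, mbp_domain):
    """Return True only if a bimi=pass result is attributable to the MBP."""
    mbp_domain = mbp_domain.lower()
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Cryptographic verification of the MBP's signature (e.g. with dkimpy) is
    # assumed to have succeeded before this structural check runs.
    if not ar_covered_by_mbp(msg, mbp_domain):
        return False
    for ar in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = str(ar).partition(";")
        if authserv_id.strip().lower() == mbp_domain and "bimi=pass" in results.lower():
            return True
    return False
```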

From: bimi <bimi-bounces@ietf.org> On Behalf Of Taavi Eomäe
Sent: Tuesday, September 5, 2023 7:53 AM
To: bimi@ietf.org
Subject: Re: [Bimi] BIMI & the MUA
Hi,

The draft RFC (draft-brotman-bimi-mua-00) seems to add a very significant amount of complexity to the BIMI process with no clear benefit.

This additional complexity can introduce vulnerabilities and implementation inconsistencies, and would cause additional resource usage in both MTAs and MUAs, if it is implemented at all, considering the complexity.

Using DNS as a key-value store is also quite wasteful (especially with DNSSEC) if not simply abuse or misuse of DNS. Such DNS usage also introduces additional risks, especially if you take into account how rare (O)DoH(3) or DoT is.

Inherently the MUA has to trust the MTA that received the letter. Thus simply looking at Authentication-Results and checking whether it contains "bimi=pass" should be sufficient for the MUA.

The VMC itself contains expiration, if that's important to the MUA. If there is a need for faster revocation, looking into OCSP would be a better choice.

If one of the goals is to further cache logos (and to increase privacy), instead of the massive "BIMI-Receiver-Signature" header, the logo's base64 could be added for the MUA. For example "BIMI-Logo".

It should be noted that we (Zone Media OÜ) are maintaining and developing a web-based MUA that currently supports BIMI <https://bimigroup.org/bimi-infographic/>. (In addition to our own MTA and MSA.) Alternative approaches should be heavily considered instead of this draft RFC.
Best Regards,
Taavi Eomäe
Zone Media OÜ