Re: [Bimi] Thoughts about MUA/BIMI
Todd Herr <todd.herr@valimail.com> Thu, 11 August 2022 18:10 UTC
Return-Path: <todd.herr@valimail.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 822FFC159487 for <bimi@ietfa.amsl.com>; Thu, 11 Aug 2022 11:10:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EN1DJGExc-3i for <bimi@ietfa.amsl.com>; Thu, 11 Aug 2022 11:10:09 -0700 (PDT)
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 889D5C157B48 for <bimi@ietf.org>; Thu, 11 Aug 2022 11:10:09 -0700 (PDT)
Received: by mail-yb1-xb2c.google.com with SMTP id k12so29488326ybk.6 for <bimi@ietf.org>; Thu, 11 Aug 2022 11:10:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc; bh=bR5CBAYreQm1p3P0nlAdfje23XxofnpAg/dyTlYMZTk=; b=Uu/PcqCtGji0NSc6enDgkfWuJhsQWfWZ07UyttOj+vMVbOYFhFb8GbKEMbc6lrQSg6 UH54+GgNzswSoonh0F/htWzCC14A7vYzO0ziE2uXS7pWjyDIOKruthR+ybrxPEusEXYx dJMQXiDu9qmcfuOTyL39Ga4DhPF082E3bLR2dkF1pj/U7wtEWm+TQY4xPGtlVBTcw5pu i1yKZPG89EAzfjRFSCx7H7FuoWHStEaXxTNu2aWuotHzxInUhsk9MoBmk0K55quKiRe+ BSBK1ogt3TqIOVfFNj1Q07+3o5H5dDKf+5hmc5UN6UDfq0hOD4g2hrYyyhAw2u4DkZTM TnZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc; bh=bR5CBAYreQm1p3P0nlAdfje23XxofnpAg/dyTlYMZTk=; b=k6Jilkn0Jt8uXDfB7jBq/SvW1/EDzvgTQpIImbomXZgCtru4x0plzEDCM/l7/1tkkO dE+lHJS81yYqpMz0N1/EWdsN1ePZ7rVEAx9FdgqObldnKyje9THJU0IPufznj+Shop1Z hinQBtrTzyG0w5gT4Xz3Wzy6CrB+ai1DMC22lUSsnlY9Qnd6R3Xn79dtQOHrJ7MO5HHg 6mDBCqHcCUn3LW7Ku/nLU9U+HcuIywRSYEbNeoLm5JUPvakDId03KJSv2CzbVBzgaK7a aOu5Z8n9ZMmG9r8BwHLUmY8GFMVnXD+G8W/2R959ZK1XXLnuJ4WEvCi/Y5N3CW1KhARf ogYQ==
X-Gm-Message-State: ACgBeo2cKfCxl0HQIY4uBcprOyAlv6uosAreXpIpFumJKPCKdU+3j3/K nW/7TwzskYX5ifGNM76wGKAcvKKEO56sXZ+4loSkYtpXQ0w=
X-Google-Smtp-Source: AA6agR5jjW0ivMimIHoB0vPh2sKTUUxJZFkv5kZ6q4mC3v+SI/gvYs/7Fsmpz5cbF/3lrOM0CEZxBViwpIyxegSBp+A=
X-Received: by 2002:a25:e003:0:b0:67c:3387:ef2e with SMTP id x3-20020a25e003000000b0067c3387ef2emr509298ybg.226.1660241408251; Thu, 11 Aug 2022 11:10:08 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR11MB435138DB4A7161A506B8CD25F7649@MN2PR11MB4351.namprd11.prod.outlook.com> <CAHej_8=dJBgSqKaFuOoOs4mqwKUEHdwVthTn0CRx+=1O5gm2iQ@mail.gmail.com> <47678B48180D55E47891403F@PSB> <CAHej_8nf9sqp+56es3zsr9icpRnc8PwLBroxzHBzF5mXFhW_rA@mail.gmail.com>
In-Reply-To: <CAHej_8nf9sqp+56es3zsr9icpRnc8PwLBroxzHBzF5mXFhW_rA@mail.gmail.com>
From: Todd Herr <todd.herr@valimail.com>
Date: Thu, 11 Aug 2022 14:09:52 -0400
Message-ID: <CAHej_8kiFW5eSb018vfeqmRSPv5NAtU0HEwJR7d-SyV91SL4UQ@mail.gmail.com>
To: "BIMI (IETF) (bimi@ietf.org)" <bimi@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000616c8405e5fb1391"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/OLQDEpT3WLm_yc2EziinlVQudmY>
Subject: Re: [Bimi] Thoughts about MUA/BIMI
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2022 18:10:13 -0000
On Thu, Aug 11, 2022 at 1:54 PM Todd Herr <todd.herr@valimail.com> wrote: > On Thu, Aug 11, 2022 at 1:03 PM John C Klensin <john-ietf@jck.com> wrote: > >> >> >> --On Thursday, August 11, 2022 10:38 -0400 Todd Herr >> <todd.herr=40valimail.com@dmarc.ietf.org> wrote: >> >> > On Thu, Aug 11, 2022 at 10:21 AM Brotman, Alex <Alex_Brotman= >> > 40comcast.com@dmarc.ietf.org> wrote: >> > >> >> In thinking more about the MUA proposal, we are trying to >> >> find a solution for the case where an unaffiliated[1] MUA >> >> would like to be able to either independently validate >> >> message authentication details (to support DMARC), or rely >> >> upon the validation process from the MBP. >> >> >> >> [snip] >> >> >> > >> > I've got a long-standing bias toward the idea that the only >> > authentication/validation results that matter are the ones >> > that were arrived at when the message was written to the >> > mailbox, because results can be different upon subsequent >> > checks, mainly due to potential differences in the >> > resolvability and content of the various DNS records retrieved >> > during the validation processes. >> >> I have the same bias, but it leads me to a different place. >> That, again, is to conclude that the BIMI data is content >> information, best expressed as a body part. Body parts, >> signatures over them, and other validation are far more stable >> than header fields and combinations of them. And, of course, >> they do not require interactions with DMARC at all. In >> addition, body parts generally survive message forwarding, which >> ought to be an advantage in this case. >> >> It is my understanding that mailbox providers, at least the larger ones, > are keen on seeing email authentication standards more widely adopted than > they are today, because authenticated mail is a much more stable anchor to > which to attach reputation for mail streams than other data points. Now, > they have a tool on their tool belt to make that happen, and they will > occasionally finger the holster holding that tool. It's a big old hammer, > and written on its handle is "No Auth, No Entry", and were they to > let loose the hammer on the world I suspect that they might get the > adoption rates they seek after some period of time has passed, but not > without quite a lot of pain in the interim, not just for senders but also > for the mailbox providers' users, who would miss out on some wanted mail. > > In the meantime, there is the concept of BIMI, the current intent of which > is to drive adoption of email authentication best practices. The idea > behind it is that if a domain owner does the work to get to a point where > it can publish a DMARC policy of p=reject or at least p=quarantine for both > its sending domain and its organizational domain, then it can possibly > enjoy the privilege of having its logo displayed with mail it sends to > participating mailbox providers, modulo whatever other requirements such a > mailbox provider might impose. > > Your implementation of BIMI data as a body part might well solve the > problem of communicating the BIMI logo information to the downstream MUA, > but if pushing DMARC adoption is to be a goal for BIMI, then we still have > to figure out how best for that unaffiliated MUA to determine whether the > underlying DMARC policy requirements are met before displaying the logo. > > And the more I think about this, I'm wondering if I'm overthinking it... If your proposal is that the BIMI data is only attached as a body part by the MBP if the DMARC/auth requirements were met at the time the message was accepted by the MBP, then I apologize for misunderstanding your proposal. That said, I still think we might have a trust issue for the unaffiliated MUA, since an abuser could theoretically attach a MIME part and run it through any MBP that's not participating in BIMI. -- *Todd Herr * | Technical Director, Standards and Ecosystem *e:* todd.herr@valimail.com *m:* 703.220.4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- [Bimi] Thoughts about MUA/BIMI Brotman, Alex
- Re: [Bimi] Thoughts about MUA/BIMI Todd Herr
- Re: [Bimi] Thoughts about MUA/BIMI John C Klensin
- Re: [Bimi] Thoughts about MUA/BIMI Todd Herr
- Re: [Bimi] Thoughts about MUA/BIMI Todd Herr
- [Bimi] Affiliation Bias (was: Re: Thoughts about … Dave Crocker
- [Bimi] Bimi Goals (was: Re: Thoughts about MUA/BI… Dave Crocker
- Re: [Bimi] Affiliation Bias (was: Re: Thoughts ab… Todd Herr
- Re: [Bimi] Affiliation Bias (was: Re: Thoughts ab… Dave Crocker
- Re: [Bimi] Bimi Goals (was: Re: Thoughts about MU… Brotman, Alex
- Re: [Bimi] Bimi Goals (was: Re: Thoughts about MU… John C Klensin
- Re: [Bimi] Bimi Goals (was: Re: Thoughts about MU… Brotman, Alex
- Re: [Bimi] Bimi Goals (was: Re: Thoughts about MU… John C Klensin
- Re: [Bimi] Bimi Goals (was: Re: Thoughts about MU… Dave Crocker
- Re: [Bimi] Bimi Goals (was: Re: Thoughts about MU… John C Klensin