Re: [Bimi] MUA Evaluation of BIMI

Ken O'Driscoll <ken@wemonitoremail.com> Mon, 14 March 2022 15:39 UTC

Return-Path: <ken@wemonitoremail.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDC6A3A0A42 for <bimi@ietfa.amsl.com>; Mon, 14 Mar 2022 08:39:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wemonitoremail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RObUfnr0Mg5x for <bimi@ietfa.amsl.com>; Mon, 14 Mar 2022 08:39:26 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04on0728.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0c::728]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 925A23A09CF for <bimi@ietf.org>; Mon, 14 Mar 2022 08:39:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=E7Ci3w3LY7XWJR7U5U/X/fHjCBcN5AMBfqrdWEJSnA+vo78OviPDpZ/VX4sihYDb4MHfR4n+thE0uUNm+buH6jtLlSJM0+yzRKOI1VUa5AzK07vm0Va6r3oddIqIoGyoEBLuRc3to5BbxirwXf9M/aUmQiPffvqaFT2+DjiVLhf9RgxhJZTGZiQAmdXSoRIyyjw5iJTcqjH3J3/MYR2jQGwXSD1jRS7fuA1UTEgyatnossFtrKYIWSEtQV10tzRrj67Qh+BXWSQfCRyFYRxK8KOQU+gTt+Bd2dS1lU+lq7Dlnr8wDc7Aze0THavHVDOOcXHaIhf/HI+RkBcYsdo6zg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CT2A3f9CtECKt2NurIuhopUqGYGIMaOIn1B69IQKGLU=; b=ZL8mCuMUPwt2ZFw1fYjLQn5IzizeabLtHthGg3jw9HOZ+kblJ/8KZLdLSDZ70nWCfahEZ3K/M9/1J/iGYmuUHAB35elg0ogGm1JxsYTbNwc5zcjd+0vGJUpZx4IKCqr80mBCyGfwDQY6O6NMx+gynZZ4e493bhixrXRRFvbheO+iOXTT76MDiniC6WIj/sgJnULFDdqvA8KulGautOsYVZ+lfXUHdkQkNLDVgOJU39NPOcfBRtbpO+9pZNHgXVDLNgZzVjnCvkAAo9NH0TF1uJZ9zcOXo5iHW0feqKA6kTQKl9AqkZlRIazgKbhc5HMvOa8ohZ7PXDhug9GXWgheJQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=wemonitoremail.com; dmarc=pass action=none header.from=wemonitoremail.com; dkim=pass header.d=wemonitoremail.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wemonitoremail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CT2A3f9CtECKt2NurIuhopUqGYGIMaOIn1B69IQKGLU=; b=VPLN8bu5MEZI0bjQo5aZp6M+81W5CMjhfm1kbkP3nBm6Ej+N+WW4AIt+0dc+AqJFHhn7CE1YCnEJdoowjQ1cZ2zimEaoAKrFcKie1+60sqVmhvNZAk8EriuUG6G2FE+4rfhpvkX8ufh+7K0J6cqnRgzyO2+cSGOcC7xs1AJrN+NokYLAdSlzj1aFXbbK0GLt2p4ImjMzfqcYGXZurN9cNjcZ7IwH5NVXfxHkNMU7OKxvJu0QbijR20BwOal426b4IZl39q1kmxaIBWYFCYf9ByuqDGQmTGui72T3AAHVjQtrjHybJs0UzP62KZS48aiSJHpTOrXYb/xv/Zo8xktnIA==
Received: from VI1PR01MB7053.eurprd01.prod.exchangelabs.com (2603:10a6:800:19a::9) by VI1PR01MB4590.eurprd01.prod.exchangelabs.com (2603:10a6:803:a1::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5061.26; Mon, 14 Mar 2022 15:39:18 +0000
Received: from VI1PR01MB7053.eurprd01.prod.exchangelabs.com ([fe80::a049:e870:2872:dbd3]) by VI1PR01MB7053.eurprd01.prod.exchangelabs.com ([fe80::a049:e870:2872:dbd3%7]) with mapi id 15.20.5061.028; Mon, 14 Mar 2022 15:39:17 +0000
From: Ken O'Driscoll <ken@wemonitoremail.com>
To: Trent Adams <tadams=40proofpoint.com@dmarc.ietf.org>
CC: "bimi@ietf.org" <bimi@ietf.org>
Thread-Topic: MUA Evaluation of BIMI
Thread-Index: AQHYNakS7cBGBKKcikGTe1q57Bj1Vqy/BUng
Date: Mon, 14 Mar 2022 15:39:17 +0000
Message-ID: <VI1PR01MB7053B6AF625A5FFB2222F795C70F9@VI1PR01MB7053.eurprd01.prod.exchangelabs.com>
References: <7639D8E5-B8CA-48E6-B6F3-63BA091C3AC5@contoso.com>
In-Reply-To: <7639D8E5-B8CA-48E6-B6F3-63BA091C3AC5@contoso.com>
Accept-Language: en-IE, en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=wemonitoremail.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3caeb202-0a81-4d11-9a44-08da05d0cd2a
x-ms-traffictypediagnostic: VI1PR01MB4590:EE_
x-microsoft-antispam-prvs: <VI1PR01MB45906AE79E47479BAF31FD33C70F9@VI1PR01MB4590.eurprd01.prod.exchangelabs.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR01MB7053.eurprd01.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230001)(396003)(376002)(136003)(346002)(39830400003)(366004)(316002)(7696005)(83380400001)(5660300002)(71200400001)(3480700007)(45080400002)(53546011)(9686003)(6506007)(186003)(26005)(2906002)(8676002)(52536014)(4326008)(38070700005)(33656002)(508600001)(966005)(86362001)(8936002)(122000001)(166002)(55016003)(38100700002)(66556008)(66446008)(66476007)(76116006)(66946007)(64756008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: BHJC8PGNeYCr60wKvkFKk4VCEHK4JASqWMMPnXOVymOkaifJRilR1biDoNC5sE8v4RMa+YU3mRT2KyMiuuxTDG0SI4DdIyXy8agsBWLuu17y2QQth/5CgGUQ/not9QPatxRsd8wv/I+AHahQVgX64rxa95E6JHORxwIHqoHXAWc3LPAqsbxZ7zV41eFbdf2Mpsv8Iykv4ONUfY8M6/usX/1M+gMcXbFTWNAxQhzw5ohcyFPgS5qLHQlfcpZ/6YjrOqkqTlk5RVvzvvEtYEu6heVLDeAA+USDJPVXklPXKgSJp+57LbhDvvL1LFsgQMWOy8SvYKIPZF/ANzoBbBE7TYeubRdV8nmg/IySKxBjAuhBD7VDlisjiVTTAt4lSkWjKS6T6fcRcRsUQXbNzEq+fyhAxMY3KQW1dVafCSXdeB7uCe35UsezgW46xScouMA2ABwAlKQwuKi5qbgNQN0h7QEil+/hFa6vw+r6s6AD3jySk3LOv6B8PLOQsm8gg9BnYarY3kfjQggsJ4s3uuaK3VWcLHa5QnJsjZUvzrrqCYgK9Uk0rXQodsrYip63t6V2EAsTJVI/O44tNgI4uE6Gz+pKWDjHHEHGSK5jBJ/oNEIX9Er+vGHkauQZzkLx56cVm6p0F0Gn3n9V3iT5SZVscWS9NMR0XHj5iuR47G0MZfkHIzNocfzUX5l+0ak+NG/3H2WyaIi3Dq8BXTLNOz8nVr518raNi6jYbsDY8GW3fl0CBBe7tdB7J5E1g1wYMP1Z7NJ3oepA/gQq0lR+zMVj5GapRx7GvEf1g+5FZK+/CsB+5iGVR8WFWR6HsVQM+1moowOyJsTFpbPTmnOHJoJlcUXs3+ePFOiExy9kbSjXcBUgtEOIO96vj4pqp0MnSo8mRV0D31SyfzGt3OU5p+ycZJckra5vlZSr4wSN2ZDnCvs4ICjSub8p0fX5EEN01kLYC4UcnDLLJA6yzMbquG7/xmb2QKQ67WtckmHKAhF++riEDFp1Nt+I1uyvHXytS9ms4V6Ct4hLeR+M9GxEASGZW1QcR3A84UoF5mXpuNVrrwkFWXC2Bdt53YpUcppemH8iP+LpHq+OHR3O2HiGHFliVQXspjQZaCRniKYAAIvOmAjJtFWIyquKEh0/fe75PVU87PVV7ZYuKw7pW9WpH6BMv2iPy3RYUPcGNfq8V8VFp75BqwRBl96fyqEM4t09EIvkotuJpPot4tQ5Ben2KEgDDCtNyDCj+AGFwi0J0O72EvC6seMvijulGTAtmswYrwjaUxTjgVFeTvr2/1ZOu3WaxnKghJqiv7tm/vJ2rfwhNobPuBPNJrqEmKG+lXz3YiW4zEaauTluebpRoYQE8oAyuhXfNIQ3EH4553OZdKEUwQ568zuKlDYEsXJGOpeF0fZoZV9+rouNpBjWdqczxzFc6wdNjBJaYB2D1si31Xa9Ujs28xKsSd7Gjsg6ZVn4h7/G
Content-Type: multipart/alternative; boundary="_000_VI1PR01MB7053B6AF625A5FFB2222F795C70F9VI1PR01MB7053eurp_"
MIME-Version: 1.0
X-OriginatorOrg: wemonitoremail.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1PR01MB7053.eurprd01.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3caeb202-0a81-4d11-9a44-08da05d0cd2a
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Mar 2022 15:39:17.8711 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a2b1d6fe-fc8b-4b7c-b9f1-d7b1ab3d23b3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PJ7WSFAbfpHyZDfEHP9GUdiYuC0slGCpTt6w8y/OxLQPtQtaeHmz0kiF0cjx32qfuQfftzdrm3E8vqIBPmB8LA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR01MB4590
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/PfJwWaNow_1UlmQ7o11nNiy5rhA>
Subject: Re: [Bimi] MUA Evaluation of BIMI
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2022 15:39:32 -0000

It’s really up to the user of the MUA to determine whether or not to trust upstream authentication headers. There are already plugins for the likes of Roundcube and Thunderbird that are parsing the current AR headers.

I think the specification would need to note the privacy considerations associated with independent MUA-level support for BIMI. Namely, the remote image loading will not be cached like it is with mailbox providers, so it could be abused to disclose when a recipient opens a message.

Ken.

From: bimi <bimi-bounces@ietf.org> On Behalf Of Trent Adams
Sent: Saturday 12 March 2022 00:35
To: bimi@ietf.org
Subject: [Bimi] MUA Evaluation of BIMI


I'm looking for clarity about what folks think about whether or not MUAs alone can evaluate BIMI (or be discouraged from doing so).  Either way… I think the next draft of the specification needs to be more clear (as it's currently ambiguous).

To provide context… most of the MUAs supporting BIMI today are operated by major mailbox providers that control their clients.  That means that the MUAs (whether they're desktop, mobile, or web clients) are designed to inherently trust the MTA's validation of BIMI and the underlying AuthN requirements.  So, this question is really more aimed at addressing the issues of "independent" MUAs (i.e. email clients that are developed by folks without ties to specific mailbox providers)… something like FairEmail <https://email.faircode.eu/>.

On the one hand, it's the MTA that's performing the underlying validation required by BIMI (e.g. SPF, DKIM, and DMARC).  And since the MUA may not have access to the necessary information in order to perform the validations (e.g. SPF), it relies upon the evaluation performed by the MTA.  Without a close coupling between the evaluating MTA and the MUA… perhaps BIMI validation should be discouraged.

On the other hand, even if an independent MUA doesn't have access to the initial conditions available to the MTA, there are signals they can use for BIMI.  For example, perhaps they can forego SPF and only rely upon DKIM (which may survive all the way to the MUA).  So, maybe there's a path there (albeit with diminished returns).

So, that's what I'm wondering about… how can the next draft of the specification be improved to clarify whether MUAs can (or should not) implement BIMI.

Thoughts?

- Trent

--
J. Trent Adams
Director, Ecosystem Security
Proofpoint

tadams@proofpoint.com
https://www.linkedin.com/in/jtrentadams
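The exchange above turns on two points: Ken's, that an independent MUA has to decide whether to trust upstream Authentication-Results headers at all, and Trent's, that such an MUA cannot redo SPF and so depends on the MTA's verdict. The following is an added example, not code from either message nor from any existing Roundcube or Thunderbird plugin, of the minimal gate an independent MUA would want before fetching a brand indicator: parse the RFC 8601 Authentication-Results headers, accept only the one stamped by the user's own mailbox provider (the authserv-id `mx.example.net`, the domains, addresses and sample messages are all constructed for illustration), and require a recorded `dmarc=pass` for the visible From domain. When no trustworthy verdict exists the answer is "no", which also means no remote fetch takes place, so the open-tracking leak Ken describes does not happen for unauthenticated mail.

```python
"""Gate BIMI indicator display in an independent MUA on upstream
Authentication-Results (RFC 8601) headers.

Added example; not code from the thread or from any existing MUA plugin.
The messages below are constructed, and the authserv-id, domains and
addresses are made up for illustration.
"""
import email
import re
from email.utils import parseaddr

# Hypothetical: the authserv-id the user's own mailbox provider stamps into
# Authentication-Results, as configured in the MUA's account settings.
# A-R headers bearing any other identifier are ignored: nothing stops a
# sender from adding its own "dmarc=pass" header.  Stripping inbound headers
# that spoof the provider's *own* identifier is the provider's border MTA's
# job (RFC 8601 section 5); the MUA cannot verify that itself.
TRUSTED_AUTHSERV_ID = "mx.example.net"


def parse_authentication_results(value):
    """Parse one Authentication-Results value (simplified RFC 8601 grammar).

    Returns (authserv_id, {method: (result, {ptype.prop: value})}).
    Comments in parentheses are dropped; the first token is the authserv-id
    (an optional version after it is ignored); each further ';'-separated
    clause is 'method=result ptype.prop=value ...'.
    """
    value = re.sub(r"\([^()]*\)", " ", value)          # drop CFWS comments
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    if not clauses:
        return "", {}
    authserv_id = clauses[0].split()[0].lower()
    results = {}
    for clause in clauses[1:]:
        tokens = clause.split()
        if "=" not in tokens[0]:                        # e.g. the bare "none"
            continue
        method, result = tokens[0].lower().split("=", 1)
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.lower()
        results[method] = (result, props)
    return authserv_id, results


def may_show_indicator(msg):
    """Decide whether the MUA may fetch and display a BIMI indicator.

    Returns (allowed, reason).  Only the topmost A-R header carrying the
    trusted authserv-id counts, and it must record dmarc=pass for the same
    domain as the visible RFC5322.From.  A negative answer means no remote
    fetch at all, so unauthenticated mail cannot use the indicator as an
    open-tracking beacon.
    """
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if not from_domain:
        return False, "no From domain"
    # Headers are in top-down order; the receiving MTA prepends its A-R
    # header, so the first trusted match is the most recent verdict.
    for raw in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(str(raw))
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue                                    # not our provider's
        dmarc = results.get("dmarc")
        if dmarc is None or dmarc[0] != "pass":
            return False, "trusted authserv did not record dmarc=pass"
        if dmarc[1].get("header.from") != from_domain:
            return False, "dmarc verdict is for a different From domain"
        return True, "trusted authserv recorded dmarc=pass for From domain"
    return False, "no Authentication-Results from trusted authserv"


def decide(raw_message):
    """Parse an RFC 5322 message string and apply the gate."""
    return may_show_indicator(email.message_from_string(raw_message))


# Constructed sample messages (not real traffic).
LEGIT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=brand.example;
 dkim=pass (2048-bit key) header.d=brand.example header.s=s1;
 dmarc=pass (p=reject) header.from=brand.example
From: Brand News <news@brand.example>
Subject: Statement

Hello.
"""

# Provider's real verdict on top; a flattering A-R header injected by the
# sender sits below it under a different authserv-id.
FORGED = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=brand.example;
 dkim=none;
 dmarc=fail (p=reject) header.from=brand.example
Authentication-Results: attacker-mx.example; dmarc=pass header.from=brand.example
From: Brand News <news@brand.example>
Subject: Urgent

Hello.
"""

# No verdict from the trusted provider at all.
UNTRUSTED_ONLY = """\
Authentication-Results: some-relay.example; dmarc=pass header.from=brand.example
From: Brand News <news@brand.example>
Subject: Hi

Hello.
"""

# Trusted verdict, but for a From domain that is not the one on display.
MISMATCH = """\
Authentication-Results: mx.example.net; dmarc=pass header.from=other.example
From: Brand News <news@brand.example>
Subject: Hi

Hello.
"""

if __name__ == "__main__":
    for name, sample in (("LEGIT", LEGIT), ("FORGED", FORGED),
                         ("UNTRUSTED_ONLY", UNTRUSTED_ONLY),
                         ("MISMATCH", MISMATCH)):
        print(name, decide(sample))
```

The policy is deliberately conservative: it ignores every Authentication-Results header whose authserv-id is not the provider's, it does not try to re-evaluate DKIM or SPF locally, and it treats "no trusted verdict" the same as "fail". Whether a given provider actually strips inbound headers that spoof its own authserv-id is something the MUA has to take on trust, which is Ken's point about that being the user's decision.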