Re: [Bimi] MUA Evaluation of BIMI
Ken O'Driscoll <ken@wemonitoremail.com> Mon, 14 March 2022 15:39 UTC
From: Ken O'Driscoll <ken@wemonitoremail.com>
To: Trent Adams <tadams=40proofpoint.com@dmarc.ietf.org>
CC: "bimi@ietf.org" <bimi@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/PfJwWaNow_1UlmQ7o11nNiy5rhA>
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>

It’s really up to the user of the MUA to determine whether or not to trust upstream authentication headers. There are already plugins for the likes of Roundcube and Thunderbird that are parsing the current AR headers.

I think the specification would need to note the privacy considerations associated with independent MUA-level support for BIMI. Namely, the remote image loading will not be cached like it is with mailbox providers, so it could be abused to disclose when a recipient opens a message.

Ken.

From: bimi <bimi-bounces@ietf.org> On Behalf Of Trent Adams
Sent: Saturday 12 March 2022 00:35
To: bimi@ietf.org
Subject: [Bimi] MUA Evaluation of BIMI

I'm looking for clarity about what folks think about whether or not MUAs alone can evaluate BIMI (or be discouraged from doing so). Either way… I think the next draft of the specification needs to be more clear (as it's currently ambiguous).

To provide context… most of the MUAs supporting BIMI today are operated by major mailbox providers that control their clients. That means that the MUAs (whether they're desktop, mobile, or web clients) are designed to inherently trust the MTA's validation of BIMI and the underlying AuthN requirements.

So, this question is really more aimed at addressing the issues of "independent" MUAs (i.e. email clients that are developed by folks without ties to specific mailbox providers)… something like FairEmail <https://email.faircode.eu/>.

On the one hand, it's the MTA that's performing the underlying validation required by BIMI (e.g. SPF, DKIM, and DMARC). And since the MUA may not have access to the necessary information in order to perform the validations (e.g. SPF), it relies upon the evaluation performed by the MTA. Without a close coupling between the evaluating MTA and the MUA… perhaps BIMI validation should be discouraged.

On the other hand, even if an independent MUA doesn't have access to the initial conditions available to the MTA, there are signals they can use for BIMI. For example, perhaps they can forego SPF and only rely upon DKIM (which may survive all the way to the MUA). So, maybe there's a path there (albeit with diminished returns).

So, that's what I'm wondering about… how can the next draft of the specification be improved to clarify whether MUAs can (or should not) implement BIMI.

Thoughts?

- Trent

--
J. Trent Adams
Director, Ecosystem Security
Proofpoint
tadams@proofpoint.com
https://www.linkedin.com/in/jtrentadams
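
The trust decision discussed in this thread, sketched as an added example that is not part of either message or of any BIMI draft: an independent MUA reads only the Authentication-Results header written by an authserv-id the user has chosen to trust, ignores SPF, and requires DMARC and DKIM passes for the From domain. The host names, the function names and the exact-match (strict) alignment rule are assumptions made for the example, as is the premise that the trusted provider removes incoming headers that carry its own authserv-id.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample. "mx.example.net" stands in for the user's own mailbox
# provider; the lower header was supplied by the sender and must be ignored.
RAW = (
    "Authentication-Results: mx.example.net 1; spf=fail smtp.mailfrom=bulk.example;\n"
    " dkim=pass (2048-bit key) header.d=brand.example;\n"
    " dmarc=pass header.from=brand.example\n"
    "Received: from relay.example.org by mx.example.net; Mon, 14 Mar 2022 15:39:26 +0000\n"
    "Authentication-Results: mx.sender.example; dkim=pass header.d=other.example;\n"
    " dmarc=pass header.from=other.example\n"
    "From: Brand <news@brand.example>\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def parse_ar(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header value."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop comments such as "(2048-bit key)"
    head, *rest = [part.split() for part in value.split(";")]
    authserv_id = head[0].lower() if head else ""
    results = []
    for tokens in rest:
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].lower().split("=", 1)
            props = dict(t.lower().split("=", 1) for t in tokens[1:] if "=" in t)
            results.append((method, result, props))
    return authserv_id, results

def may_show_indicator(raw, trusted_ids):
    """DKIM-only decision: the topmost trusted header must report dmarc=pass and
    a passing DKIM signature, both for exactly the From domain (SPF is ignored)."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_ar(value)
        if authserv_id not in trusted_ids:
            continue  # written by a host the user has not chosen to trust
        dmarc_ok = any(m == "dmarc" and r == "pass" and p.get("header.from") == from_domain
                       for m, r, p in results)
        dkim_ok = any(m == "dkim" and r == "pass" and p.get("header.d") == from_domain
                      for m, r, p in results)
        return bool(from_domain) and dmarc_ok and dkim_ok
    return False  # no header from a trusted authserv-id: show nothing
```

A client that passes this check and then fetches the logo itself still makes the uncached remote request described in the reply above, so the fetch needs its own handling.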