Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2
Trent Adams <tadams@proofpoint.com> Mon, 02 August 2021 18:23 UTC
Return-Path: <tadams@proofpoint.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C28F53A1462; Mon, 2 Aug 2021 11:23:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.597
X-Spam-Level:
X-Spam-Status: No, score=-1.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=proofpoint.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QPEhpEKpsWV3; Mon, 2 Aug 2021 11:23:21 -0700 (PDT)
Received: from mx0b-00148503.pphosted.com (mx0b-00148503.pphosted.com [148.163.159.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50D903A145B; Mon, 2 Aug 2021 11:23:17 -0700 (PDT)
Received: from pps.filterd (m0162102.ppops.net [127.0.0.1]) by mx0b-00148503.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 172HfDEM032236; Mon, 2 Aug 2021 11:23:17 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proofpoint.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=corp-2019-08-07; bh=OHIl7a5rU2theUWBBSRoqW1fyH0ou0ZHvRzny7oy+T0=; b=a/n71B9hjbouLgIEEHFg7BqxF/hWqCJU+s1jzxqo9dJUmPobPJwaa+RL4UX9EFzHxZJm oYA8xxa6EENM02CMd7ropK63kaLY9lFAAcEN8hU2J9zBMDBePW/rDIRRkI+v2oR3e6/o MPKvHVJ8Ajc6I//MpFpwb8rGVfcwDdKOjDpkXGZyk3AyLlFEBUD1IVp6eetamH7X8g+/ Vxj8HTQqYSglmVL2iJBSfuXRyjySZPFA7PBcKT7IzCpXFNbOsa1W6x6hHjcD037XHIOu IjIuGjFqDxk1VDx72qu+F6/9xUzhJmPH2cjD+B9vblmyaLqGlnXeYmI/RpQbD6I87psd Lg==
Received: from lv-exch03.corp.proofpoint.com (spf-mailers.proofpoint.com [136.179.16.100]) by mx0b-00148503.pphosted.com (PPS) with ESMTPS id 3a5pe40msn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 02 Aug 2021 11:23:16 -0700
Received: from lv-exch02.corp.proofpoint.com (10.94.30.38) by lv-exch03.corp.proofpoint.com (10.19.10.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.2176.2; Mon, 2 Aug 2021 11:23:15 -0700
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (10.19.16.20) by lv-exch02.corp.proofpoint.com (10.94.30.38) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.2176.2 via Frontend Transport; Mon, 2 Aug 2021 11:23:15 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gvYTqcN38b8Siq/81Cpq309fbVk9aTonlJZg1uv6xRUsBr+9oN4IzqN8HqQdz1XBWiR33NeSN+13PyXT8wcMwkTC6fincyBSgRT2TUQ4vHhNtM5glxRqe42WhWHxexyj7tPLDhmFV97iGREs4mOgPXaKDh4tELHdopTqRG0IZuMxtp50ZHVhdgGvA8l2laBCqBJ1C2zRKNcz4Jfe0YjLx5AiXExuq0xTtJUbMea/9VO4lC+B79Bu0OdZ+sKBN7W/UvNYgTcQI/KXQ/hQbfWb4DTZnITbr0/n0ESn1trEngxzw5kLyVf+uPN+c4GHDbFYLbtYK/ecgL5zpEsnHFiFPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OHIl7a5rU2theUWBBSRoqW1fyH0ou0ZHvRzny7oy+T0=; b=atP8qbEC4R86D9zO+PubVIKP3dVUHFmMd405WyH0vlpIhVzoMQrtEWSrTsfjrt+8+zctk8xz0roOEyjuflU2x/pgqXhRvslfmBdHTQeA9w5xiXafdDm/FeIoQosS0jPcKEKsJfzL0l50+C5NTlCMpl7lItaXo72Xx7Hlnil1cuPFJR8CbnTiP+6fBiNmiWnq+LqH3H3+JAEP93fhOPyy881NyCFh4JhBHjRhUBV9fmhKEVV6S/wBhlM5bZq9C12xBjp9evv00Z0PNLier27TRI1E8wHB7OaiX7vaajXygkPJ3FAPAWr+bnSrXdWIusnTtL/qaEYLw1AdQaS40CQnUA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=proofpoint.com; dmarc=pass action=none header.from=proofpoint.com; dkim=pass header.d=proofpoint.com; arc=none
Received: from CY4PR12MB1782.namprd12.prod.outlook.com (2603:10b6:903:123::21) by CY4PR1201MB2502.namprd12.prod.outlook.com (2603:10b6:903:da::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.18; Mon, 2 Aug 2021 18:23:12 +0000
Received: from CY4PR12MB1782.namprd12.prod.outlook.com ([fe80::49c1:7b08:a7b6:df4]) by CY4PR12MB1782.namprd12.prod.outlook.com ([fe80::49c1:7b08:a7b6:df4%2]) with mapi id 15.20.4373.026; Mon, 2 Aug 2021 18:23:12 +0000
From: Trent Adams <tadams@proofpoint.com>
To: Jakub Olexa <jakub=40mailkit.com@dmarc.ietf.org>, "bimi@ietf.org" <bimi@ietf.org>
Thread-Topic: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2
Thread-Index: AQHXhR7q7l01xYwGUEGUJYscJEbAb6tbgLEAgAAYIYCAABvCAIAEc3+A
Date: Mon, 02 Aug 2021 18:23:12 +0000
Message-ID: <0CEA647E-58A4-44C8-B7ED-28E478F915C1@proofpoint.com>
References: <mailman.3635.1627587941.6855.bimi@ietf.org> <CAFLkOerrax+qYyaR_u1SJH6xQH_asxqbzd=rb4AWKwYudZodCw@mail.gmail.com> <MN2PR11MB435147F86056FB81D919657EF7EC9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAFLkOerqLfm8rqcCDOkrS=9S3XV41exDSOMB_zndYaC6NKuGSw@mail.gmail.com> <e735630f-c539-cc33-8ff4-4dfaf932917e@mailkit.com>
In-Reply-To: <e735630f-c539-cc33-8ff4-4dfaf932917e@mailkit.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.51.21071101
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=proofpoint.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e1c5ddcd-dd07-4e56-d234-08d955e2967c
x-ms-traffictypediagnostic: CY4PR1201MB2502:
x-microsoft-antispam-prvs: <CY4PR1201MB2502FC88D6597182511B2BA3B3EF9@CY4PR1201MB2502.namprd12.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YNi8EPtEPHTScUkY+i2Hv82ftoE87O85TfknwG/jff+Tdsn1oB6+UTfs+DRjiXUeMGqgl3obKehPy64GKmgqjjkxHhR95Xpza8PEnCEofyl2BqwkrVDF2Cxz1v5vhRd2/GRejyvqicT/a9KPzGKZbPxE4WnQUYotVvWJirn2HV2jp8SN9XGKtQFDC3VM9qlDgMqYD57HWMiOjM70F6E2csZdsU60kY+zrAsafTJCgd53OHsFK8ZHeOA+yILeySaHzW42n/XGoCNAhCyn4YtVso20+IjsSmn9ulSwdkajK0ranLkJrz1pu7qVJuDCSE/PuomLDD87wdBRSRpYZvrDMi4XfE7HtAP3G8cTOkm3KN5RETjqIojpxA1JEZiRIDME1gKCQsxjZ406lNaWi95iBrshiQWL1PRZz/LFtQX9Hq9CRqYPKWXB/A7uxGk+ywTOitBM4rojGUrC4TucBKKr40r0WyOQrWsiRmv32VsonjKzc0Awt+YVKTESnyiU4Wbqev1SHR9xw8MkzcPxXtERijnAci0RhiAXMEwlJ1qwkL7HLd5whQj8zHsl9Jg7gSu/cvGIdS5zaotAKcKsm8cYKS3aiY6SBbi2+EmcZX67/1a/CuB7OLv8p0JGaLJfhGcU/VUTembml1bPXcwBQotvUH8EvJEWXi0Sty6q57IkfZIHnJ9gujvL3q2YDyM86Y14ZG94CIACj6Qi2p/GGo84sw2jZjNSasdSsYKsNio9/+a9iN6nDbm4uYHjySl2niJAeArs8hJeM0go7xZqGm9tPA560izd9zWFCBknRMUr66W+lBK2tFBGFTPzy57JV+w5syhK+316Tg6MbwrY4bhvFJaDDten9Qg844N1KoJoveY=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR12MB1782.namprd12.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(38100700002)(76116006)(8676002)(33656002)(6512007)(8936002)(966005)(122000001)(64756008)(66946007)(166002)(66476007)(38070700005)(66446008)(66556008)(110136005)(30864003)(6486002)(6506007)(71200400001)(53546011)(83380400001)(5660300002)(316002)(36756003)(86362001)(508600001)(186003)(2906002)(2616005)(45980500001)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: svyu0C17M5DisR4C0FmFVoJWeTUDGVl1TSz67tUTXV91zX1G9Eqz5QqROTgEKh/TRdGWugq58Ibulc5MsSusXeHiRjuupuzeeqchqSwzM8p3A7OWZaHpA6eTSpUOBY8T/Lp0pUDK89+gno/29wdDCA5GiYKdQSUv/XM17kJbuDHNAY0blDXYDehtvOnQdajwXxcHBiESRcyEODAWf2o1AIXoOyHTtP8XC8ru3ISwC0VTfJceDb0BxVRCaBR5so0nc9avmlvheTkXHveeqkxpXh2CPX66gHj+igscoYY5v5r1BREd+K70CcNIQovXZNmNUJafdkO32AXDWFoebyBer1e387PMry0/2O4vxvYdoS7HElUozHQPjTB5mgAXy9bNCwK0tho8lax4qnccdYEHHI4Q+54WUw3MIBR1u/tjJNlRBUSFexlbj2oKxw29XFGwAaMLuGvVl8hFCDC+R5uC/HfQZtF1Nw7118NjtQTgvM/2lja3rMV0Swe7R+rtD+JYqZZi/QBKGaVr5dtUDDbIPZ1JqVH3pCDP+zr4q7XQJRs7lYRKOB0aAsXcR1dQbWZ2duIF3t3tO6VzkYmW1ZUacmQvQqD2sOFa5Nx8bqdx6JP1oIoYGA5M+44y6B/T5y62Zc+/OIefBD5FgHjIces3AdanhWBSAO9voLvPdAteT1iJz4Z+U0VxSTUMZhpvsLipPY8ETy3sDoV6Kz3IhN0DUieiBh3euhyTxFungZ56nq8cNsPQpFjHaCGxWJd2DjHdeVlGmX9a1TQ4bj+zfLhTVXXcL+5sEMOkd8u+s8qj3TwPzwgw+966veEj5Y7oH3LAaPHQuub/AtNMGWsSgFniZ6945/rTIkoD6u3jRM/xpANfqQNRqkfFgqsAdRr2JV0Mde6bwDOpo9I+dWzZqXGtpoYQXnCWg6fWy+inl8T18zNXzE5JIVXu0Bf+VYhar0S70JuhxRdYUD81MNaKBg/VTPjEor27hiBYMCFm9zQ3C1X4sK7Di3dkYKEPLd7R2EDQZq3zte1cyb08BTOzEqAjxHsG78pXw9vQNikK/uwCoFajSzCvs/5dT9UZBT/TznhgTwHND3U5AGR4IP7halVoUEW+RXl8Jh4+FNaElFQ+J+5PBUi/fpv88icdJQjmPlOUp13/w5rmoZrDvLZGYqJkb6BV6SSe6yoxMj0Wt5tS1swVK78M65oAocapZ2pqmiuEPlDUoK+3hwJrPSuS28SVNn6oZqGgiFTNypR2Ugt0dU3rYbtbw6D4RdD4hlO3/+LgvIAbgYoEFJHVbkaZdlnBktTO3fBAWJHB7CQPGYTV+UMemGUW2VEpXYkaKD1Li+7VInyal/iUb9Nq0B5bNfXv8FLyhP+yNH48p9JYNMXg4VjRjgetTmSHw8zatB+ONxQtHn97wcr/WEh0zgy8knI4qA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_0CEA647E58A444C8B7ED28E478F915C1proofpointcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY4PR12MB1782.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e1c5ddcd-dd07-4e56-d234-08d955e2967c
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Aug 2021 18:23:12.4228 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46785c73-1c32-414b-86bc-fae0377cab01
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: q8tnsjcEx3gz0stKURhkyx6mIY1U4q//4TAtd1T15/Dbawgr7w476iElupLqKKWfdlSQ+27DaOf7Yf1AxZcZQg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1201MB2502
X-OriginatorOrg: proofpoint.com
X-PassedThroughOnPremises: Yes
X-Proofpoint-GUID: IlTocyR4shQHHYr4o7qtKTxni9HEwgnF
X-Proofpoint-ORIG-GUID: IlTocyR4shQHHYr4o7qtKTxni9HEwgnF
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-08-02_07,2021-08-02_02,2020-04-07_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 clxscore=1011 mlxlogscore=999 bulkscore=0 spamscore=0 suspectscore=0 impostorscore=0 malwarescore=0 mlxscore=0 priorityscore=1501 adultscore=0 phishscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108020118
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/QQDoXSWggWkzOvVOdJ0USnQlycc>
Subject: Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2021 18:23:27 -0000
It looks like there are some confusing discrepancies between drafts that should be cleared up. 1. Section 8.3.1<https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi-01#section-8.3> of the current BIMI draft states that the receiver must retrieve the image referenced by the "l=" URL. 2. While Section 5.3.7<https://datatracker.ietf.org/doc/html/draft-fetch-validation-vmc-wchuang-00#section-5.3> of the "Fetch and Validation of Verified Mark Certificates" draft suggests that the receiver may retrieve the image from the URL referenced by the "l=" value, but it's not required in the presence of a VMC. IMO, if there's a VMC, then the "l=" value becomes nearly irrelevant for receivers that support VMCs. I'm not sure that they need to be compared, and doing so adds another resource burden to constrained devices. Either way... I filed a ticket in Trac to address the discrepancy: https://trac.ietf.org/trac/bimi/ticket/1 I'm not presupposing the outcome, just that this seems to be a gap that we should track to closure. - Trent From: bimi <bimi-bounces@ietf.org> on behalf of Jakub Olexa <jakub=40mailkit.com@dmarc.ietf.org> Organization: Mailkit Date: Friday, July 30, 2021 at 10:25 AM To: "bimi@ietf.org" <bimi@ietf.org> Subject: Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Hi Marcel, i'm missing the check for the SVG logo. Do you intend to fully rely on VMC itself? I believe I have raised this topic before but if not - not checking that the SVG stored in VMC matches the logo in l= brings potential risks and most imporantly allows for misaligned logos across services. Allowing brands to create BIMI records that would return different logos in l= and a= could result in bad user experience and even VMC abuse. fetching the l= logo should not be an option but mandatory and the draft is clear on the fact that it's required. At least that's how I read the assertion discovery part and I believe that it makes no sense to permit different logo in l= and a= and not checking for the alignment of the 2 logos could lead to abuse. If the retrieved Assertion Record does not include a valid bimi- location in the l= tag, then Indicator Discovery has failed, and the Indicator MUST NOT be displayed. The bimi-location entry MUST be a URI with a HTTPS transport. Jakub Olexa Founder & CEO E-mail: jakub@mailkit.com<mailto:jakub@mailkit.com> Tel: +420 777 744 440<tel:+420777744440> Mailkit - Closing the circle between Deliverability and Engagement<https://urldefense.com/v3/__https:/www.mailkit.com__;!!ORgEfCBsr282Fw!7guWVIyRhK3AVNvpeJbyToUgPc-zWtX4Th5Ki1AdPdAOG5Bs2qsYJdcme1vCJ33C$> On 30.07.2021 16:45, Marcel Bokhorst wrote: I understood that always "xfinity.com<https://urldefense.com/v3/__http:/xfinity.com__;!!ORgEfCBsr282Fw!7guWVIyRhK3AVNvpeJbyToUgPc-zWtX4Th5Ki1AdPdAOG5Bs2qsYJdcme-YoZfZB$>" should be checked and never subdomains like "emails.xfinity.com<https://urldefense.com/v3/__http:/emails.xfinity.com__;!!ORgEfCBsr282Fw!7guWVIyRhK3AVNvpeJbyToUgPc-zWtX4Th5Ki1AdPdAOG5Bs2qsYJdcmeyuiZBVt$>". Am I wrong? "Everything checks out" means: * The VMC could be downloaded from location referenced in the BIMI TXT record * The certificate chain up to a known CA certificate is valid * The certificate is of the right type (BIMI) * The DNS name of the certificate matches the domain name of the sender and of the BIMI DNS record * A logo is present and could be extracted from the certificate * The Authentication-Results header says "pass" for DKIM, SPF and DMARC * The DMARC DNS record policy is "reject" or "quarantine" Op vr 30 jul. 2021 om 15:19 schreef Brotman, Alex <Alex_Brotman@comcast.com<mailto:Alex_Brotman@comcast.com>>: Consider “emails.xfinity.com<https://urldefense.com/v3/__http:/emails.xfinity.com__;!!ORgEfCBsr282Fw!7guWVIyRhK3AVNvpeJbyToUgPc-zWtX4Th5Ki1AdPdAOG5Bs2qsYJdcmeyuiZBVt$>”. We didn’t want BIMI on “xfinity.com<https://urldefense.com/v3/__http:/xfinity.com__;!!ORgEfCBsr282Fw!7guWVIyRhK3AVNvpeJbyToUgPc-zWtX4Th5Ki1AdPdAOG5Bs2qsYJdcme-YoZfZB$>”, but just that sub-domain (for now). There is no BIMI record at “xfinity.com<https://urldefense.com/v3/__http:/xfinity.com__;!!ORgEfCBsr282Fw!7guWVIyRhK3AVNvpeJbyToUgPc-zWtX4Th5Ki1AdPdAOG5Bs2qsYJdcme-YoZfZB$>”, though it does exist at “emails.xfinity.com<https://urldefense.com/v3/__http:/emails.xfinity.com__;!!ORgEfCBsr282Fw!7guWVIyRhK3AVNvpeJbyToUgPc-zWtX4Th5Ki1AdPdAOG5Bs2qsYJdcmeyuiZBVt$>”. I believe this is covered in the drafts. The flag could be nice, but again, that only covers IMAP. What about POP (or MAPI) users? The cryptographic solution may be more intensive, but seems like it may make BIMI more available (but yes, at the expense of mobile CPU). Could you elaborate on the “everything checks out” from your section about evaluation? -- Alex Brotman Sr. Engineer, Anti-Abuse & Messaging Policy Comcast From: bimi <bimi-bounces@ietf.org<mailto:bimi-bounces@ietf.org>> On Behalf Of Marcel Bokhorst Sent: Friday, July 30, 2021 3:57 AM To: bimi@ietf.org<mailto:bimi@ietf.org> Subject: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 FairEmail will not rely on the BIMI-Location header because this requires support from the email server. Instead, FairEmail will use the logo in the VMC and fallback to the DNS record logo location if needed (logo missing in the VMC, etc). The logo will always be shown, but the verified sender icon (a double check mark before the sender's name) will be shown only when everything checks out. I think it would be a good idea to summarize the steps to follow to fetch/decode/check BIMI because I think it will make it easier for developers to implement BIMI and to do this in the right way. The BIMI TXT record is always being fetched from the top level domain (example.org<https://urldefense.com/v3/__http:/example.org__;!!CQl3mcHX2A!QOleDIsQOkjN3HXlKrItrq62gf5-G3hak8l7aDR3RAX6gQqWqTVXcLfIwcPA3DMVHSX2WGk$>). I hope this is correct. An IMAP flag would be nice, but I guess it will take quite some time until all email servers are supporting this. Something like a signed authentication results header would be nice, as long as it can be checked in a simple and efficient way. For example heavy cryptographic operations and looking up DNS records (for certificates, etc) would result in slow downs and increased battery usage when downloading many messages. Currently, the authentication header inserted by the email server is just being trusted, but this relies on either inserting the header by the receiving email server or removing previous headers of intermediate email servers. FairEmail will cache the logo for two weeks, which is the same as for favicons. IMHO this is a reasonable default, preventing logos from being fetched too often and still allowing to change the logo by the sender (which I guess won't happen too often). I hope this clarifies things, else feel free to reply. Marcel Bokhorst (author of FairEmail) ---------- Forwarded message ---------- From: "Brotman, Alex" <Alex_Brotman@comcast.com<mailto:Alex_Brotman@comcast.com>> To: Trent Adams <tadams=40proofpoint.com@dmarc.ietf.org<mailto:40proofpoint.com@dmarc.ietf.org>>, "bimi@ietf.org<mailto:bimi@ietf.org>" <bimi@ietf.org<mailto:bimi@ietf.org>> Cc: Bcc: Date: Thu, 29 Jul 2021 19:45:04 +0000 Subject: Re: [Bimi] Independent BIMI-capable Email Client I do have that app, but I haven’t yet pointed it at a platform utilizing BIMI. I’ll make a note to give it a try. From below: * They aren't entirely clear on how (or why) to evaluate a logo referenced by the BIMI record and the one retrieved from a VMC. What about the BIMI-Location header instance, if present? (assuming you want to trust that header, etc). After that, I’d probably use the VMC if present. Should we add an evaluation path to the core document? * It's also not all that clear where to retrieve the BIMI logo when the email is sent from a subdomain, and match that up with the DMARC results. I’m not sure I follow the issue here. Is there some example that shows the questionable path? * There's also the question about whether or not an independent client can/should trust the authentication results performed by the mailbox provider when deciding to display the BIMI logo. If you go back to -00 of the core spec, there was an IMAP flag that was meant to be set (Section 8.6). That was removed in -01. I don’t recall the justification, but may have had to do with MUA workload. Seems like the IMAP flag could be reintroduced (POP3 would be an issue though). Or perhaps something akin to a DKIM signature signed by the inbound MTA that could be verified by the MUA. The latter could potentially be reused though? * There is a non-zero addition of processing required by the client to handle BIMI, leading to the question about what impact this may have on a client... and what efficiencies can be introduced with local caching (if any). I’d think at least equivalent to the TTL of the BIMI DNS record, perhaps even up to the expiration of the VMC (though I could understand where a domain holder could refresh their VMC and change logos, etc). I’m sure there’s a better answer somewhere in between. -- Alex Brotman Sr. Engineer, Anti-Abuse & Messaging Policy Comcast From: bimi <bimi-bounces@ietf.org<mailto:bimi-bounces@ietf.org>> On Behalf Of Trent Adams Sent: Friday, July 23, 2021 5:36 PM To: bimi@ietf.org<mailto:bimi@ietf.org> Subject: [Bimi] Independent BIMI-capable Email Client Since Gmail's announcement, more companies are starting to play around with BIMI (no surprise there). And, as expected, the increased attention is helping to put more eyeballs on the experiment. And while some of the major mailbox providers are adding BIMI support to their own mobile clients, I ran into a FOSS project run by a developer in the Netherlands who has already added BIMI to their independent mobile mail client. If you get a chance, I'd suggest taking a look at their FairEmail implementation as they made some interesting choices: https://email.faircode.eu/<https://urldefense.com/v3/__https:/email.faircode.eu/__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHfdsADeC4$> The current Android client package can be downloaded from their GitHub repository: https://github.com/M66B/FairEmail/releases<https://urldefense.com/v3/__https:/github.com/M66B/FairEmail/releases__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHf2gwnAj4$> So far, they've already found some useful results from their experiment. And now we're finally at a point where we can test the architecture (and pressure-test the specifications) beyond the handful of usual suspects. For example, here're a few issues this work as already surfaced when interpreting the specifications [1] [2] [3]: * They aren't entirely clear on how (or why) to evaluate a logo referenced by the BIMI record and the one retrieved from a VMC. * It's also not all that clear where to retrieve the BIMI logo when the email is sent from a subdomain, and match that up with the DMARC results. * There's also the question about whether or not an independent client can/should trust the authentication results performed by the mailbox provider when deciding to display the BIMI logo. * There is a non-zero addition of processing required by the client to handle BIMI, leading to the question about what impact this may have on a client... and what efficiencies can be introduced with local caching (if any). What I found most interesting was how the specifications assume a tight coupling between the client and the mailbox provider. It definitely opens the question of whether it's possible (or recommended) for an independent client to support BIMI even for email received by mailbox providers that don't support it. It's real-world interop testing like this that I hope will highlight issues that need to be discussed as the experiment continues. Also, if anyone would be willing to test the FairEmail client, I'd be keen to hear if you think that the way it leverages BIMI matches your expectations. Also, are there any others out there that might contribute their learnings to the conversation? Anyway, thanks for any feedback you may have. It'll be useful to hash out ideas for improvements and next steps on the list. Cheers, Trent [1] https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi-02<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-blank-ietf-bimi-02__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHfVUyABq4$> [2] https://datatracker.ietf.org/doc/html/draft-fetch-validation-vmc-wchuang-00<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-fetch-validation-vmc-wchuang-00__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHfIMZn7Z8$> [3] https://datatracker.ietf.org/doc/html/draft-brotman-ietf-bimi-guidance-03<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-brotman-ietf-bimi-guidance-03__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHfQyodXbk$> -- J. Trent Adams Director, Ecosystem Security Proofpoint tadams@proofpoint.com<mailto:tadams@proofpoint.com> bimi mailing list bimi@ietf.org<mailto:bimi@ietf.org> https://www.ietf.org/mailman/listinfo/bimi<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/bimi__;!!CQl3mcHX2A!QOleDIsQOkjN3HXlKrItrq62gf5-G3hak8l7aDR3RAX6gQqWqTVXcLfIwcPA3DMVB8lC6MU$>
- [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marcel Bokhorst
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Brotman, Alex
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marcel Bokhorst
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Todd Herr
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marcel Bokhorst
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Jakub Olexa
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Trent Adams
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marc Bradshaw
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Dave Crocker
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marcel Bokhorst
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marc Bradshaw
- Re: [Bimi] bimi logos from non-giant companies John Levine