Re: [Bimi] SVG P/S Feedback
Jakub Olexa <jakub@mailkit.com> Fri, 28 August 2020 16:36 UTC
Return-Path: <jakub@mailkit.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33E613A0DEE for <bimi@ietfa.amsl.com>; Fri, 28 Aug 2020 09:36:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mailkit.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id swUIeACtFWze for <bimi@ietfa.amsl.com>; Fri, 28 Aug 2020 09:36:15 -0700 (PDT)
Received: from mail.mailkit.eu (mail.mailkit.eu [185.136.200.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A602E3A0DEC for <bimi@ietf.org>; Fri, 28 Aug 2020 09:36:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.mailkit.eu (Postfix) with ESMTP id 401962034B for <bimi@ietf.org>; Fri, 28 Aug 2020 18:36:12 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mailkit.eu
Received: from mail.mailkit.eu ([127.0.0.1]) by localhost (mail.mailkit.eu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VVoNIPkS67GF for <bimi@ietf.org>; Fri, 28 Aug 2020 18:36:09 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailkit.com; s=mk-1; t=1598632569; bh=VurKbX5rXfUuwHGGtNMj2Yh7xDdaDLuOg6S9Xe9bXX4=; h=Subject:To:References:From:Date:In-Reply-To; b=MxgjXwwdfHNtkAYyXj9hbFt1z1m54JrNjB2Ig1E7txIGQClia+A44eguvmSrJbk68 9HZV6FRZCC5lbSm+Zq1sA2LesRe1IN87woYrSwGDI4johNtuNqhFcdpfruUV0Hop7O AoRR5EngaUD4NE4vdzWDhRpt1KybMg3lkfGbkdCzVtIZUGkgQtFlMqISnwFoYvrVGl bDSRk+FVd7sm7nB54USqwOxNZSaBNjQn9M+OtElLu11wG04ykFUwcNXtoVxNhzO6Bq bq4pFkBjLpvSWtUifeehfYOG/51UDMnih1sqWNIWzyi0qAu2yAgSYVd1O5kNWmSET0 SeVyMhpBjnPQA==
To: bimi@ietf.org
References: <MN2PR11MB4351CC443B406196C3953D1BF7520@MN2PR11MB4351.namprd11.prod.outlook.com>
From: Jakub Olexa <jakub@mailkit.com>
Autocrypt: addr=jakub@mailkit.com; prefer-encrypt=mutual; keydata= mDMEXoNhzxYJKwYBBAHaRw8BAQdAcf+9+b1WQWtIPl3ctFIsgSMlcIg280i9LbBqGhs3OzO0 H0pha3ViIE9sZXhhIDxqYWt1YkBtYWlsa2l0LmNvbT6IlgQTFggAPhYhBIRoyA5jDjO9a5m2 XyDuz15MJDsTBQJeg2HPAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJECDu z15MJDsTNMMBAIhso+DBzcAOHlaVJAO7rs/28005pU7tU0K6rUwPpI3bAQD1bQq/0XEldv8H xyYJ5Y7eA/4PnKc9xcaH0vkPwijFBbg4BF6DYc8SCisGAQQBl1UBBQEBB0D5YB8IZiXra1r8 L9xf7iLQntdGvbIgzaZjsAa5Z2PcAgMBCAeIfgQYFggAJhYhBIRoyA5jDjO9a5m2XyDuz15M JDsTBQJeg2HPAhsMBQkJZgGAAAoJECDuz15MJDsTgjABAJD1mAUTsfYMHzs4/odB4c5q6N5Z 7NmtsAgJQblhnwWHAQCb6RG5MpQQPiJywzVWX27o4L5MNIs9sB+QlSdJ0dCBDw==
Organization: Mailkit
Message-ID: <49146e6a-e9cf-2649-0e57-8e0ea8ccf92d@mailkit.com>
Date: Fri, 28 Aug 2020 18:36:09 +0200
MIME-Version: 1.0
In-Reply-To: <MN2PR11MB4351CC443B406196C3953D1BF7520@MN2PR11MB4351.namprd11.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------D2003CAC62650A2542B48F86"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/RNJpNWr6dIg_ZXOKrkwjKVadJWI>
Subject: Re: [Bimi] SVG P/S Feedback
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2020 16:36:17 -0000
Hi, I consider text and font elements as potentionally abuseable especially in context of use of the SVG Tiny P/S for BIMI logos. Text - a brand logo should always have the text converted to curves as that is the only way to make sure it will be represented as it should. It could lead to minor rendering differences that could lead to brand complaints. Fonts - increases the SVG file size. When I tested this the results were abysmal - essentially most of the exports resulted in massive files - 4 glyphs up to 8kb SVG, all glyphs of a single font easily in 200kb+... and most importantly they did not render correctly under chrome, IE or FF but Times is being used instead. This brings in the abuse vector - I could create an SVG with custom glyphs that will result in a completely different output if rendered correctly (using the glyphs). Essentially I could have an SVG that reads "Hello" in Chrome, IE, FF and most rendering engines while resulting in a logo of a bank in a rendering engine with more advanced support of glyphs. This could lead to logos being rendered not only incorrectly using incorrect typeface but more importanlty logos that may render a completely different content in specific engines. This is bad user experience and could make brand managers resent BIMI. It's better to keep it simple and restrict these elements rather than getting surprising results in the output in my opinion. Jakub Olexa Founder & CEO E-mail: jakub@mailkit.com <mailto:jakub@mailkit.com> Tel: +420 777 744 440 <tel:+420777744440> Mailkit - Closing the circle between Deliverability and Engagement <https://www.mailkit.com> On 28.8.2020 14:57, Brotman, Alex wrote: > Hello, > > [Apologies for the cross-posting] > > As part of a separate project, we wanted to create a smaller SVG profile[1]. It is based on SVG Tiny 1.2, with several components removed. The goal is to try to keep the document self-contained, remove animations, and generally more portable and secure (hence P/S). Personally, I've been curious if we should be trying to create a new baseProfile as we've specified, given that it may behoove a developer to only target this subset of Tiny features, reducing footprint and attack surface. We also welcome feedback about the text and font elements that we've permitted in the draft, and their security implications. > > We thank you for any advice or feedback you can provide. > > [1] https://datatracker.ietf.org/doc/draft-svg-tiny-ps-abrotman/ > > -- > Alex Brotman > Sr. Engineer, Anti-Abuse & Messaging Policy > Comcast >
- [Bimi] SVG P/S Feedback Brotman, Alex
- Re: [Bimi] [rfc-i] SVG P/S Feedback Leonard Rosenthol
- Re: [Bimi] SVG P/S Feedback Jakub Olexa
- Re: [Bimi] [rfc-i] SVG P/S Feedback Brian E Carpenter
- Re: [Bimi] [rfc-i] SVG P/S Feedback Larry Masinter
- Re: [Bimi] [rfc-i] SVG P/S Feedback Brian E Carpenter
- Re: [Bimi] [rfc-i] SVG P/S Feedback Leonard Rosenthol
- Re: [Bimi] [rfc-i] SVG P/S Feedback Brian E Carpenter
- Re: [Bimi] [rfc-i] SVG P/S Feedback Leonard Rosenthol
- Re: [Bimi] [rfc-i] SVG P/S Feedback Larry Masinter
- Re: [Bimi] [rfc-i] SVG P/S Feedback Brian E Carpenter
- Re: [Bimi] [rfc-i] SVG P/S Feedback Martin J. Dürst
- Re: [Bimi] [rfc-i] SVG P/S Feedback Brian E Carpenter
- Re: [Bimi] [rfc-i] SVG P/S Feedback Brotman, Alex
- Re: [Bimi] [rfc-i] SVG P/S Feedback Brotman, Alex
- Re: [Bimi] [rfc-i] SVG P/S Feedback Leonard Rosenthol
- Re: [Bimi] [rfc-i] SVG P/S Feedback John Levine
- Re: [Bimi] [EXTERNAL]Re: [rfc-i] SVG P/S Feedback Kirk Hall
- Re: [Bimi] [rfc-i] SVG P/S Feedback Phillip Hallam-Baker