Re: [Bimi] BIMI & the MUA
Marc Bradshaw <marc@marcbradshaw.net> Fri, 08 September 2023 00:30 UTC
Return-Path: <marc@marcbradshaw.net>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7365CC14CF15 for <bimi@ietfa.amsl.com>; Thu, 7 Sep 2023 17:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.692
X-Spam-Level:
X-Spam-Status: No, score=-5.692 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=marcbradshaw.net header.b="0GP9pMUy"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="gDVQf3fW"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O7m0L9fUKW5S for <bimi@ietfa.amsl.com>; Thu, 7 Sep 2023 17:30:17 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32885C14CF1C for <bimi@ietf.org>; Thu, 7 Sep 2023 17:30:17 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 82D2E3200933 for <bimi@ietf.org>; Thu, 7 Sep 2023 20:30:16 -0400 (EDT)
Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Thu, 07 Sep 2023 20:30:16 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= marcbradshaw.net; h=cc:content-type:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1694133016; x= 1694219416; bh=0V8KoXnpDdnYz1hFb3HX6JWQPFvFduvBlwYLBadiQ7k=; b=0 GP9pMUyMKXTCsRiUGjkyjwBMgz/keU3cgRSmShGo/ToumAgA7SV2lSXlGUx32gS2 U2JuXUC759iYW7VHdIn+7asfqJ3Nd4OvTZqzQxtuh+snOGev1lylkJnxhE9Fn2iN mESSO7WC+RuelqowjtAgLTo86COPz+Lq9cyu6HKns01xLbljn8o9siisFhX2oxhV QswqhjB+/Wpf/cfJus2xyWF4iOsfke+jSHMhV/5sD6Eb4CsYvK1caWYroihfgjA0 3jwn7zafMPf29VsiT2Ncb2dnjGoITUtCrj+fphhJdsrqIjUrQ5Aj/qcCO6VkMaID Nw87Pv8eDUadEuDh+EjMw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1694133016; x=1694219416; bh=0V8KoXnpDdnYz 1hFb3HX6JWQPFvFduvBlwYLBadiQ7k=; b=gDVQf3fWlP1Q25pt1QdGH/l2ArWxQ iEXDtaMZfei2fT/vjnezSk2x0D+SHST7uC3XzxlyfgOfV/AOlgWs4uWrgc+P11v6 ylHIFj3Im9VItZf47ZX6bZRayxfzWcSWIcazyS6aRd8l974RgXv2QuQt1vLGVkMN 3/VAjjgR5+0sddhwIqyYF0e/vVSH9NNvJGiJ+yZiDZ/zPUcy2ELpNKGb8A2jgalD uqm212jen3UoOpu9B5g+Ec7ErPZJSdt+3VAq9iynCoXG5zlZH3d02rmW9Y/6JJn/ 7UwL4oydS4ru/ViV+q0zv5t6HUPjfPjIxI5FmMzOO+S0LxMnZJk7JVZsQ==
X-ME-Sender: <xms:F2v6ZPQbZ7tCoSZHP2pmFpt9lNscOlSJ9b_FwD5lWR-c_7NXi5I3lQ> <xme:F2v6ZAw76hKUvHB_N_oiZ-b2YkxrJkG2Kf2WBAD91u-HhBVmFYb9iTsY96S24jyZG pwt6wSU1zao2oHWSw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedrudehiedgfeejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgoufhushhpvggtthfkmhhgffhomhgrihhnucdlfe dtmdenucfjughrpefofgggkfgjfhffhffvufgtsegrtderreerreejnecuhfhrohhmpedf ofgrrhgtuceurhgrughshhgrfidfuceomhgrrhgtsehmrghrtggsrhgrughshhgrfidrnh gvtheqnecuggftrfgrthhtvghrnhepffeigfdvhfffleehjedtheehfedugeeludevudet uedvgeehteduheevffeghfeunecuffhomhgrihhnpehivghtfhdrohhrghdpmhgrrhgtsg hrrggushhhrgifrdhnvghtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehm rghilhhfrhhomhepmhgrrhgtsehmrghrtggsrhgrughshhgrfidrnhgvth
X-ME-Proxy: <xmx:F2v6ZE1EOE0-VAX-IJfNRnOUmNWHoMIOW9zcc7yaVH_6MrcNc398ug> <xmx:F2v6ZPCuMXCOk858TCefOGFd68D_PcjFSwGgpqD0s99ip8n8tnbJbQ> <xmx:F2v6ZIjg1gnGuC5svMVt00w6TY9rQS4vPWPPauuFtDG3mwJcKyntSA> <xmx:GGv6ZDuRO1WjO9KpwMavdZGRQGCR7SAEuC9zrV3UZ8U2qIPskM-xew>
Feedback-ID: idcd04265:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id C6FC12A20085; Thu, 7 Sep 2023 20:30:15 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-711-g440737448e-fm-20230828.001-g44073744
Mime-Version: 1.0
Message-Id: <98924711-db15-43df-9f6a-ed072a767666@betaapp.fastmail.com>
In-Reply-To: <d15564bc-8fe8-c118-29e6-e18657c582af@zone.ee>
References: <MN2PR11MB43512B68983A21E6B546E0BDF7EAA@MN2PR11MB4351.namprd11.prod.outlook.com> <5a3abe26-cb49-5350-0abd-a106125fb087@zone.ee> <MN2PR11MB43518ED6E51BD484B3342518F7EEA@MN2PR11MB4351.namprd11.prod.outlook.com> <d15564bc-8fe8-c118-29e6-e18657c582af@zone.ee>
Date: Fri, 08 Sep 2023 10:29:49 +1000
From: Marc Bradshaw <marc@marcbradshaw.net>
To: bimi@ietf.org
Content-Type: multipart/alternative; boundary="2989b103b0dc4a6a9db61286ca2d13da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/SsgYcY2JcaHYp-2nCoAHEdXJ_sQ>
Subject: Re: [Bimi] BIMI & the MUA
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Sep 2023 00:30:21 -0000
Hi, A simple DKIM signature covering the A-R header could open up the signer to DKIM replay attacks, and by signing inbound mail cause reputation damage to their domain. On Thu, 7 Sep 2023, at 6:15 PM, Taavi Eomäe wrote: > Hi, > > Are such mail systems (that don't add/replace A-R) really that big of a > concern to necessitate this complexity? I imagine such systems introduce > many other attack vectors anyways and it's impossible for a MUA to truly > protect themselves against such an untrustworthy MTA. I'd imagine such > MTAs would also not implement DMARC for example. > > Though even in that case, a DKIM signature that covers the A-R header > (plus some other restrictions) seems significantly less error-prone and > complex than a brand-new header. In the end MUAs having to implement > DKIM still seems like unnecessary complexity considering the current > reasons why it's done. > > I kind-of don't see why authorization would have to be revoked that way. > What's the scenario where BIMI and its VMC is valid on reception but > isn't afterwards? It should be clearly outlined what's the specific > attack that would be thwarted. > > > > Best Regards, > Taavi Eomäe > Zone Media OÜ > > > -- > bimi mailing list > bimi@ietf.org > https://www.ietf.org/mailman/listinfo/bimi > > > *Attachments:* > • smime.p7s -- Marc Bradshaw marcbradshaw.net
- [Bimi] BIMI & the MUA Brotman, Alex
- Re: [Bimi] BIMI & the MUA Taavi Eomäe
- Re: [Bimi] BIMI & the MUA Brotman, Alex
- Re: [Bimi] BIMI & the MUA Taavi Eomäe
- Re: [Bimi] BIMI & the MUA Marc Bradshaw
- Re: [Bimi] BIMI & the MUA Taavi Eomäe
- Re: [Bimi] BIMI & the MUA Brotman, Alex
- Re: [Bimi] BIMI & the MUA Brotman, Alex