IETF Logo Mail Archive

Re: [Bimi] Alternate proposal

"Brotman, Alex" <Alex_Brotman@comcast.com> Tue, 02 August 2022 18:00 UTC

Return-Path: <Alex_Brotman@comcast.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E676DC14F747 for <bimi@ietfa.amsl.com>; Tue, 2 Aug 2022 11:00:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.795
X-Spam-Level:
X-Spam-Status: No, score=-0.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL=1.31, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.com header.b=4Mp4xVRO; dkim=pass (1024-bit key) header.d=comcastcorp.onmicrosoft.com header.b=XdWzfk8M
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kZmcv7NRdp6J for <bimi@ietfa.amsl.com>; Tue, 2 Aug 2022 11:00:23 -0700 (PDT)
Received: from mx0b-00143702.pphosted.com (mx0b-00143702.pphosted.com [148.163.141.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4A9BC157B5D for <bimi@ietf.org>; Tue, 2 Aug 2022 11:00:21 -0700 (PDT)
Received: from pps.filterd (m0184890.ppops.net [127.0.0.1]) by mx0b-00143702.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 272HmpML016011; Tue, 2 Aug 2022 14:00:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.com; h=content-type : from : to : subject : date : message-id : references : in-reply-to : mime-version; s=20190412; bh=xD+0mLP37hD2Hl4sB/za4PZ8gdTBe78v6U2cjClP2S4=; b=4Mp4xVRO+HJ+ug8DFFuuUhKKisOs+EQ++Sy18WuyhZoxfsll1AVUiOIUguybwuaYlrFS 4rHjE5l1bkyZuG+Lg6fRbfY8kniFR06Ek9OpGf0ykXxMMrcK1SdBl47dIQd9Rrk+B0Ca VB151xL5v1Ba3DXmOkpF4TqoObXzLp3pV5aWigradIEnT6zMqC1t6jQ0/gj8nwS+UN/R zR9XmW9yonA+X+OOapxDqGxfOxLRltG1KfUgKX+1hXMl+h6IWqCPx8dPYPtm6BVMp97h haVlr+HBUllKU+H3lKHC0Tja4EhH9IaOvC3udN6lcfnA9+iWGTPOssBep3xfN+3EQGB9 Ew==
Received: from nam10-dm6-obe.outbound.protection.outlook.com (mail-dm6nam10lp2106.outbound.protection.outlook.com [104.47.58.106]) by mx0b-00143702.pphosted.com (PPS) with ESMTPS id 3hpknnrgcn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 02 Aug 2022 14:00:19 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=no5Nmaj2aBhS+TX59Nbo0/q6f0AK6WMTfl2kelLqayb0U4DZIZswM4sx+cXm/PSy9JY0P7T8pU1J8CPwnluVot3OHqjOfTJB7caTKrAJuhdj1EYV6xCeME4v1AYDPCsltDeX6iFfAl7YaygDFrBtTSE69+g3/xceAwPferK03Z+GfV/AEeHUDT6Ctg0BX85sX0gu/BDWj42H65m1iNv1tN+rIYbONi+/acZwbNnX/TAx/5buaYOu3Gyxb6lISx8I+lI5E8VAGoKYekmmEO4PbzAcA8mM/DYk8JMSkzePMAI6J8xznQFzYETAzXqIIoUXXNoKWwIsagBHx1hZ1CKu2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xD+0mLP37hD2Hl4sB/za4PZ8gdTBe78v6U2cjClP2S4=; b=b38qsgKznARbt37k2n/Az7DCWzQIpl/P1vZvIWmStHgBftEpVHtDcgfbGMbZDxZ1hzu5nyucmj78/rWmHYWEHpXY9SpOMCk2SskuZ++u1kCHd5YEwxeyuShw5pWN679jHshjC9Opp5VO2moYgLvc1WYjbBuK9LEzV3R1oEykOBGHSLyL2guAeTLp9Om1hIqCAK8NNhwnzgVKUBO/d0PelfTymCDwQLmBaCUDF4l2plp4qS+JoCBSry3Js2AtDUvN1rNcq7jMsYkGjmpo+ndJuMa6xNx7UbHokHLkp66pvzoK14rWru7TKuxMouo1kZ8OXHmnICt+1WuDxL1QuYRY9g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=comcast.com; dmarc=pass action=none header.from=comcast.com; dkim=pass header.d=comcast.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcastcorp.onmicrosoft.com; s=selector1-comcastcorp-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xD+0mLP37hD2Hl4sB/za4PZ8gdTBe78v6U2cjClP2S4=; b=XdWzfk8MpHo/UBH0XysiIL7jCFjAckDW7XY2gt93kW52ZuJTCkAA9xUIxwHXp2yJFzeHNfxF42ZfcvNFQA6cio26D0CN2d0L0dGvvAq0fnp0lRaj/h+VWh5Sn2zQ9/CxH6Fv+8a1IcbJK1oX29QxIQszWbynx+9vP8uVIoMUt0w=
Received: from MN2PR11MB4351.namprd11.prod.outlook.com (2603:10b6:208:193::31) by MN0PR11MB6229.namprd11.prod.outlook.com (2603:10b6:208:3c6::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5458.19; Tue, 2 Aug 2022 18:00:16 +0000
Received: from MN2PR11MB4351.namprd11.prod.outlook.com ([fe80::c407:ec04:b495:6ea3]) by MN2PR11MB4351.namprd11.prod.outlook.com ([fe80::c407:ec04:b495:6ea3%6]) with mapi id 15.20.5482.016; Tue, 2 Aug 2022 18:00:16 +0000
Content-Type: multipart/mixed; boundary="_000_MN2PR11MB43518A8DBDA4BC3338B875C7F79D9MN2PR11MB4351namp_"
From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: John C Klensin <john-ietf@jck.com>, "bimi@ietf.org" <bimi@ietf.org>
Thread-Topic: [Bimi] Alternate proposal
Thread-Index: AQHYnKf37+zlCVZltkixci7AcN0Xi62b0t3A
Date: Tue, 02 Aug 2022 18:00:16 +0000
Message-ID: <MN2PR11MB43518A8DBDA4BC3338B875C7F79D9@MN2PR11MB4351.namprd11.prod.outlook.com>
References: <3E050BDC62D7946860C5E1E6@PSB>
In-Reply-To: <3E050BDC62D7946860C5E1E6@PSB>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <MN2PR11MB43518A8DBDA4BC3338B875C7F79D9@MN2PR11MB4351.namprd11.prod.outlook.com>
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: eae3f24c-cd87-4e9b-2b4a-08da74b0dadf
x-ms-traffictypediagnostic: MN0PR11MB6229:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: eM48je27Mx/FmuWr1juRtvAafk0C/5fWdnrspMgQime2lx2y4QI8g9VI5NR4NeaSEPgXov+x/JgAB0mbO8Ywx7ueGUIydmI4dH0TSLmSgnoZCED7PEtobMluABYjqhLQfT8OR/0UFJM1RK8PwvzXlWLNeI0w4mrU8duL3R9pi/j3Nia7mQ1Lnmr7dU5zyVUNe0g2NMo57I44JJvLzJTRSHSac7HwavTmBqWZFP+J6X4QPsKrhWEaW+ijPqXJEVQZfTiaO8+xMFPlU3El4QDgBJ+F0OqjrLeckyoloRBM/tCghGf+jqzVWzkbngew2lrjeqkzzj1xhVozXAw983ckw9orF7JyZ1S7l9Uqhbt3HC5AnsZ3D+Ks8DW30Wn3K0sASV5cCrys3qld3bOOzjdhvxQCERg0M7YN/n4j1HjYwKU0wDSf3BS5joIYsUYUOE5Esv2dpV9Gxv+opILGZLxVj5gkMzAiPK7MzDU9Iov1WVKIIIb5iWKEmqVE+gdZX2ZzjpMwSQLEw+ddPPu+DyxVwORChq9FEuAg+EDp6yxsscVzTnz+vaYWHP9wAkzAn6lmOXP7CSsiIQWFZbpvXtcWBl7l/vEML1kdsHQ0HsCQ/Ph3Oe3WwgXNOBWZMR4Y7fp+RhbQbLc6oyoT2k8SJOucktXzB5jtvYd7m3Fh3QhpdzOAfD+DEth3PubsY7Fsmpo94HzjbGjEPNzqjwDuQDPWzJi/7K/TTnvsslpN4xWHy8OjoDLgp/UROqjxNhMUv04tmHPMNK68p446ts+W9de6TK3uSRk+WXDm8sYoRNqtFc0PxVFCEf8xYq00iB5iVsjPI7d37stVnKosWf7eATPk/w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB4351.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(366004)(136003)(396003)(376002)(39860400002)(346002)(66946007)(64756008)(76116006)(8676002)(66476007)(66556008)(66446008)(52536014)(8936002)(5660300002)(55016003)(966005)(316002)(110136005)(478600001)(71200400001)(2906002)(41300700001)(53546011)(86362001)(6506007)(33656002)(186003)(7696005)(122000001)(83380400001)(38070700005)(38100700002)(82960400001)(9686003); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: qZeYZFQOjuzAiIiTla/MwL2/i/H46dxctMuZ7cVuNneGP2fNR0CmLMeOjq+JkrBm3DZym5E7NUqFJFPM1LCcppFwaGZN2DKqMKwbdsZRtzfHjrQLAim0JUP7ZJfBBChJ0jYcIoYj6PYKLnNTSnpMzE2+QcUK6mIo4fmIk7+ey4cOtEpWj/RSrQMT9NnAN1Qexpu3bXC+Y5xBfOT9an+hQIQjgcP7iBbbo8xgzgW1cg3FBOOOZlLYjs3eeCjDBq6ZqpW4aqRal0wGYNgt6+Jx3B38u5PLECd0ymVZNVCQQ2hzDJl6Mh/tJv/drC/NmIFYfgDelUcHltplo6WcCt0iB5FDXnv2xvo5MZuqBfeQrEu7J4jxwTQ0OKe60qk+8jm4rTLl16JxlghiF2JGIDz8xeHLCHnvS1NdmEV4bMjTQK9+eTwDtFv0zHRFCK+IwNZOw5i19A5/qEc+e1zj8RwWX2FdV1TMv2SYmuPtonWQAuiEwtgmdcnMFSDoEmoZD2OBSSVWFE7/Qf9tNJATYlPGW/utjqMOoDqIYhruxaXGkLbjhvZ2/S9vOSTNx+dldb/zQbAX1AacUwt9BJrUriA5eEpMlAb/BiagXQWW+JmyZGsXo+3m0Pl7X6UtbckDxXFwFKX9T9qkG31YftCqoLNG0I+hhxnBz1KQa9nsvUKmP7HcxGnZrgcnRjz2km0RAxESDF15XOVSSpCwLf2CdfbI1etn66kKRw9envpkqrRzLk2wcS5cia+pKITUncSZydbbuWpDD1zSoWPSfJFTb2LirKJ0PWwPyGrAUrSmtvazi/lNO9gJ2ho+53FjDKHjx4+N8ZJ9JCezWibZtBntd4i0VuXFGOE+xYubmG2v5p8Wt6KMuj5o/cvc09RVMBXHME2wE5IlQ9GoBNg0Sq3i53J746o1wXuQhtqDrDfJ3ZJBcjZe5FfnHdMlECOkrsRBRqUgb7QQ2kyvUQ8gPdZPAUZo9y5KBXY5evTgdU58XDPveu8Y8sb8ubknP/iEgFEj2dW6QRYVSwfoBK+F7BE3nzsszQBUUcDgmCFd6xjKeXVj3689dKUjr5zVhGa6afgJdiZn76FGeYUPL20rjjZfZ+mwGovkZIusl2AywDAQCuzxUwA2E4ixFQDkJlcTaTprtD0qKoU9g+Gbk5KWJuZ1BfIrO8aFEegWayUXdEeVf1gK1mu/0BL4CoMmesO96Rg2Rn0RxA/QWB0QG/K0SBNf+PwC4h+GV1dWgexRL4v7J16oxOByq8IP5XgS1hQsGJo5GNatD7ulis50fxLXbDWs4Ud6MUrQNLVOi4wNSV9XKmmluvLrc01ugJIh2arIH6YikRCzodIx+W1Hbw/eVSjODFzqQLqjxe+ULlWmB7a4/WrIqh9IXtHNpVRBlQeaULJ/R8uioQCCw2gxnof1cYSz7jTcoH8NDeyrhuiQ/+AIN9rwHCp8ER7mU7P5bkFFTmBjet4TNTw8DxcVGKf7BzAI+qzcfzxS59KCyedf/S/8SIvqoEMnwbLOKTQvZDH0tLm6KRYQEeNQwTlXdPcvMeKR4GnRPsVEGHTg7wYcDW5T2+TjtLM8sBN9Ug4GiD9tJjoPrgzNrWYPKiE8MIv/2SRbxhQgzPPOl5Z3oOu+uVqP0HWmw6/xIH5FdEgz2c/8e7v8W2ZQXwaBSx1Gv3kXrTWpnvVNbA==
MIME-Version: 1.0
X-OriginatorOrg: comcast.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR11MB4351.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: eae3f24c-cd87-4e9b-2b4a-08da74b0dadf
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Aug 2022 18:00:16.0846 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 906aefe9-76a7-4f65-b82d-5ec20775d5aa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: K10jNeCRTeFPdTZSt3PjiKaHzJN2KWpROYt3UguYDWBjAmcp/1bB+A1/rgWnHGhz7zxNjmqcR57v8BmjdLcNaC2JOVjiQTLsxv5PtrNIlEw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN0PR11MB6229
X-Proofpoint-ORIG-GUID: IV5YXNbnbrYLr7RdXR7IvDGjhKh2lxJ_
X-Proofpoint-GUID: IV5YXNbnbrYLr7RdXR7IvDGjhKh2lxJ_
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-02_13,2022-08-02_01,2022-06-22_01
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/isnAyjcMvzhaG2saw-ElVwI16Uc>
Subject: Re: [Bimi] Alternate proposal
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 18:00:27 -0000

John,

Firstly, apologies for my late response.  Dayjob and IETF kept me from re-reading the proposal.

Generally speaking, I don't dislike the idea as you've proposed it.  It certainly solves some of the same issues we've been looking to solve with the proposed mechanisms.  If we look at BIMI as at least two basic goals:

1) Foster DMARC adoption by requiring the OrgDomain to be at enforcement (quarantine/reject)
2) Create a mechanism by which the brand owner can supply iconography for messages associated with messages that pass message authentication required to pass DMARC
3-ish) Craft a method by which trademarked imagery is not used in an infringing manner or by unauthorized entities

We probably could add 4-ish) Allow MUA to validate/display BIMI independent of Mailbox Provider.  

I believe your proposal is lacking on the first (or at least does not explicitly cover it)?  Perhaps this could be approximated by having the MUA perform DKIM validation and evaluate DMARC and perform alignment checks.  Or perhaps that was intentional (alluded to by "drop DNS requirements").   The proposal also seems to eliminate the web-bug concern, though may be traded for a "web-bug" from fetching keys to validate signatures.  Another advantage is that you could cache older keys and use those at a later time on older messages, barring some expiration.  However, if you change mail clients and those keys are no longer available, that could leave a gap (could we put a keystore in the IMAP system so that the user has access to all prior keys from any IMAP client?)

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

> -----Original Message-----
> From: bimi <bimi-bounces@ietf.org> On Behalf Of John C Klensin
> Sent: Wednesday, July 20, 2022 9:17 PM
> To: bimi@ietf.org
> Subject: [Bimi] Alternate proposal
> 
> As promised in my recent "Radical critique" note, a suggestion about a
> completely different way to approach the BIMI problem, one that would be far
> less complex and problematic.  This is just an outline with many details left to be
> filled in -- my purpose in sending the note is to encourage people to think
> differently about the issues and see if there is interest in further discussion.
> 
> Overview:
> 
> Drop the idea of new mail header fields entirely.  With them, drop the (slightly
> odd) uses of mechanisms intended to validate mail senders, header field
> integrity, etc., the requirement for MUAs to be "Affiliated" with MBPs, and for
> Mailboxes or Mailbox Providers to be special in any way.  Also drop DNS
> dependencies connected with entirely different concepts.
> 
> Instead, define a new MIME content-type, presumably something like
> Application/BIMI.  If any trick supplemental information is needed, use
> parameters to the Content-type: header field.
> Probably that would give a typical message these day three body parts with
> content types respectively
>    BIMI
>    text/plain
>    text/html
> 
> If you really needed to, you could make BIMI multipart, but that would lose the
> advantages of the message looking perfectly reasonable to MUAs that were not
> BIMI-aware (see below).
> 
> Make it as complicated as it needs to be (but not worse), including providing for
> relevant parts of the content to be digitally signed.  From the discussions so far, I
> don't see any need for encryption, which makes things much less complex, but
> there is nothing in what I'm suggesting that would prevent it.
> MUAs who do not recognize the content type may generate warning messages
> to the user, but every MUA in the world with MIME support already has code for
> dealing with unrecognized content types.
> 
> An MUA that does want to handle the content type presumably
> installs appropriate application code.   Vendors who want to use
> BIMI could reasonably provide that code as a library or
> equivalent without getting involved with "affiliated".   And,
> then, that content-type specific MUA extension or add-on provides for
> downloading whatever special (i.e., specific to
> BIMI) certificates the user wants to have available.  My instinct at the moment
> would be to build validation on OpenPGP - most of the code that would be
> needed is readily available, many MUAs already have parts of it built-in, and so
> on.  Especially if encryption is not needed, this is perfect web of trust stuff, with
> the MUA client needing to install only those keys locally
> that it obtains from the MSP and trusts.   The certificates and
> keys would also be specific to BIMI, rather than shared with other applications,
> so things like expiration dates (and what to do with expired ones) could be per-
> MSP and tailored to the needs of BIMI, rather than compromises with the needs
> of other applications.
> 
> The MBP would not need to be special in any way.  And just exactly how to
> handle / display valid BIMIs would be a UI issue for the MUA, not more
> complexity that needed to be specified in the protocol.
> 
> Would something along those lines make any sense at all?
> 
> best,
>     john
> 
> --
> bimi mailing list
> bimi@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/bimi__;!!C
> Ql3mcHX2A!DSW_2M6Pp4LFJbEcg7702keyogYAc1OshmG_zEyXVwYvBfQiccBGA
> OaYOjmjjk8cOpQlROW6N_yao0enyCmaI5T3$

v2.23.0 | Report a Bug | By Email