[Bimi] Interpreting SANs according to draft-fetch-validation-vmc-wchuang-05
Taavi Eomäe <taavi@zone.ee> Fri, 26 January 2024 14:27 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/X3xMViEmv-Jj4s5vPEoIQjm7cAg>
Hi,

I think I have stumbled upon an inconsistency between various BIMI/VMC implementations in how VMC SANs are expected to be defined and used. I'd really appreciate your opinion and advice.

The current draft says:

> A Verified Mark Certificate MUST define one or more Subject Alternative Name (SAN) extension dNSName domain as defined by [RFC5280] that identifies the location of the BIMI Assertion record that was used to fetch the VMC. There may be stronger properties that can be said about the relationship between the VMC and the Assertion record depending on the validation done on dNSName, but that is outside the scope of this document. The domain name may either be the author or organizational name [...]

Consider the following scenario. A letter is sent using a domain (example.com); it passes both DKIM and DMARC alignment checks for the same domain (example.com). The BIMI TXT record is fetched using the default selector under that domain. Now the VMC certificate is also served from that same domain (example.com) but contains a subdomain in the SAN (www.example.com).

The SAN aligns with the sender domain if the same domain validation logic is used as one would for DMARC. It's the same organizational name; it provides organizational (name) alignment. Most implementations out there currently find this acceptable and display a logo.

Is there a reason why a mail client shouldn't consider the VMC valid and display the BIMI logo? Would it be possible to make this section of the draft more concise and easier to interpret?

Best Regards,
Taavi Eomäe
Zone Media OÜ
https://zone.ee
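The alignment comparison the message asks about, as an added example that is not part of the original post: it checks a VMC's dNSName SANs against the DMARC-aligned sender domain in both strict (exact match) and relaxed (same organizational domain) mode, modelled on DMARC identifier alignment in RFC 7489. The function names and the tiny stand-in public-suffix set are my assumptions; a real verifier would load the full Public Suffix List.

```python
"""Added example: VMC SAN alignment check (not code from the draft or any implementation).

Strict mode requires the SAN to equal the sender domain exactly; relaxed mode
only requires the same organizational domain, which is how www.example.com
ends up aligning with example.com in the scenario from the message.
"""
from typing import Iterable

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "ee", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{domain!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Suffix not in our list: fall back to the last two labels.
    return ".".join(labels[-2:])


def san_aligns(sender_domain: str, san_dnsnames: Iterable[str], mode: str = "relaxed") -> bool:
    """True if any dNSName SAN aligns with the DMARC-aligned sender domain."""
    if mode not in ("strict", "relaxed"):
        raise ValueError("mode must be 'strict' or 'relaxed'")
    sender = sender_domain.lower().rstrip(".")
    for name in san_dnsnames:
        name = name.lower().rstrip(".")
        if mode == "strict" and name == sender:
            return True
        if mode == "relaxed" and organizational_domain(name) == organizational_domain(sender):
            return True
    return False


if __name__ == "__main__":
    # The scenario from the message: sender example.com, SAN www.example.com.
    sans = ["www.example.com"]
    print("relaxed:", san_aligns("example.com", sans))           # True
    print("strict: ", san_aligns("example.com", sans, "strict"))  # False
```

Which mode a mail client applies is exactly the choice the draft leaves open; the example just makes the two outcomes explicit.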