IETF Logo Mail Archive

Re: [Bimi] Alternate proposal

Ken O'Driscoll <ken@wemonitoremail.com> Thu, 21 July 2022 19:29 UTC

Return-Path: <ken@wemonitoremail.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F4AEC14CF03 for <bimi@ietfa.amsl.com>; Thu, 21 Jul 2022 12:29:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wemonitoremail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WJP7gnijoDpH for <bimi@ietfa.amsl.com>; Thu, 21 Jul 2022 12:29:26 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130124.outbound.protection.outlook.com [40.107.13.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7938DC157B35 for <bimi@ietf.org>; Thu, 21 Jul 2022 12:29:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PDdp9YFPBqEsqiD4S3Ebo3ODbGPbqKTUVo8LeWvchnIN4v+HM7Bwn1EQVG7n6Z0Sx58esDe/qUJUmVySd9SdTxOBma1EukmlNPmo+Xi90EgbyCK/E7u/akP/OI4cPjn1ENXLU2CMq7FucOojja1CNpDfKWdmE50J9hm8mQxHJIVHbhpc+nqfaEUKe7SQVNYrqxPA6rZqwqjcxssgFdEl4ECJ7/RSi8ypdWi4NsINMJEiyyLLsaaN4vPC7UdOBzfBPMZMtBJnRsgyv9/s81q5Ib8fI5EfM7Utv5cEb/I09MxtG5uVFyVWdwXFodiBYHFTwQuNTvq/y5FtZceAglh+Dw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NgNmcjSCCo2zvRh+6EhXzwUlcV7yxxcRdSAtleG0S7c=; b=L0naEzxf3ooPPdl4NjdTNJCMIhg1d/+X88LffVrf8X0rII2EKuUrs+1T9AiV+b4eZVnpyulmSt4rElyF9a38b7LX6uAeAeG+14eP/MfF+v6kfZB5dmwkjF+FOpZTQB246Xk8fVFj03ZiPlGrQ6dcBImrceLqzV2UUKvRFR6inbRfTvHqoc9SOHgJ3y9Hq3icyRDqbeTYs19r70vbHxemPtN+ekxAeNE6Wyg2mwLB1/pq2IkimaGWO7raI7ItQMOcQ4/aYiroeq6l41OR5Av95odrXrliNU5ITnJ7QWXSqZllE+mKJDIkSKDLwB30O4Ep1nF31dL4CCtoQAtBnu3pDg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=wemonitoremail.com; dmarc=pass action=none header.from=wemonitoremail.com; dkim=pass header.d=wemonitoremail.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wemonitoremail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NgNmcjSCCo2zvRh+6EhXzwUlcV7yxxcRdSAtleG0S7c=; b=PbUgo80xoIP8v/IssTvW78lcMe3azH+RAf0YFfPpcLhUwjWRi3Uscjlhs/D1rdzq58zVsTxsn5E47or5fTU3KZIazwxN6oTlQ4m/NhcIFGq9KVAMKpQdrDpEFrUeNL5ftpmYObrzpSO3G34CY0zaITa9/imrfgNwOIbxuJBPJ34MDnvGHdPqBgrdfiVXfjOHz54nAYKkKnQF793MKoJii5NOb/80yu6nogM4VA32iV4p2TWy90rjQWhFoN923tVS7etRTvXZpgrnpH+VOjFf66EEzZCbS+KLtBxvQ0e2xN0xk0EPC/egBP4wA22XZCJvcShWPo3SzvQXT8OS9Ijaog==
Received: from VI1PR01MB7053.eurprd01.prod.exchangelabs.com (2603:10a6:800:19a::9) by DB6PR01MB3861.eurprd01.prod.exchangelabs.com (2603:10a6:6:53::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5458.19; Thu, 21 Jul 2022 19:29:20 +0000
Received: from VI1PR01MB7053.eurprd01.prod.exchangelabs.com ([fe80::39e0:aa03:ebee:e371]) by VI1PR01MB7053.eurprd01.prod.exchangelabs.com ([fe80::39e0:aa03:ebee:e371%2]) with mapi id 15.20.5458.019; Thu, 21 Jul 2022 19:29:20 +0000
From: Ken O'Driscoll <ken@wemonitoremail.com>
To: Trent Adams <tadams=40proofpoint.com@dmarc.ietf.org>, John C Klensin <john-ietf@jck.com>, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
CC: "bimi@ietf.org" <bimi@ietf.org>
Thread-Topic: [Bimi] Alternate proposal
Thread-Index: AQHYnKfyWbVUgEXyOkOek1QFGZ+0I62I9sCAgAAp6YCAAAmZAIAABUTi
Date: Thu, 21 Jul 2022 19:29:20 +0000
Message-ID: <VI1PR01MB7053ED7C0857415D1A0A0F71C7919@VI1PR01MB7053.eurprd01.prod.exchangelabs.com>
References: <3E050BDC62D7946860C5E1E6@PSB> <CAHej_8nHgAVWNLDk11j4gY+KxY+e=gcAAzJHryWXELQoY+65Ww@mail.gmail.com> <E5ADBB85022B6D97DDC8AE7C@PSB> <083ADECC-EFC8-4AD1-9DA0-6AAF08342330@proofpoint.com>
In-Reply-To: <083ADECC-EFC8-4AD1-9DA0-6AAF08342330@proofpoint.com>
Accept-Language: en-IE, en-GB, en-US
Content-Language: en-IE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=wemonitoremail.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2d72813b-f942-49e3-4c6e-08da6b4f4f79
x-ms-traffictypediagnostic: DB6PR01MB3861:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Tr0XtXd72tuYecsmR11OCJG/DiEgJM4bHDrxRa/5WZ/3zMdaCeqtukCjx2AMm+vC5BQp63XizUtKGzi0q1IKI9Ng8eV2n9LxIK5w+ZQqTlVbUawtfiTw7y08ZDBSzYxk5Ie4Vqa4tkhoiyn8LY4Lyofh8jELF4pt15wd3G4QjNaMNXAH3cHmrJ78u/Od1LYJiqiVU8hrQ+Qwly1IBXO4370PT5nBUT/KIr08oC4EY9/EI+XMAADmHFbF/aFl6kY7ezBYT+Iw6b3VjXyRKUxspPqcwVr02q4feeppPlRaRM3zstso9wFTvudcgmJgfFofZFfr4DgGsp7Yj2b+kLa6JZL1r5q8z2x4i8z+FwCX50F92hWd6XjAVSBFRP2gbtskB1deNFsNc0/V21xKrYdqBH6FRE5WJ+D1zIs6MrMvEyOtx58o3DjRNkXOEALi+sLXFm1QE4tL5L46LCe+iVzipsWEmDk66ldxUTGdd+1DX12DK7kW4PSoV1PoRJf+qHCaBOLprFcNmaEX/xUnyBz8pGpWR/Wt+ZWS/aF/XCNlDdpgzh0sScziO2rbbOtcrk7tsCICikm5RuSAWrpTEq6TX5fhFPZGZHmKjTudpEbLqPTXCEhULj62Q7QiuVdft2fWOArCLzXUybhl1IpI29wz5fbc+fg9ZM9AhcRyo2xfdwU3Z0yYmjPlQNcANreLg7X4XnKc/jWBC1eWNc+xP8ZsapQVLVkNdmv9B6YvfxDexkpZT1Qr6cQijSL7O8SCGQNWEAu90vdoZ4sb3aZ6ZgWSVSUPPAZmdaEAIjT/jWNJM1HAxkxv1HIPruitm0kreeXJ
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR01MB7053.eurprd01.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230016)(39830400003)(366004)(346002)(396003)(136003)(376002)(52536014)(83380400001)(2906002)(8676002)(186003)(71200400001)(66476007)(41300700001)(6506007)(33656002)(26005)(966005)(55016003)(53546011)(478600001)(7696005)(9686003)(66946007)(38070700005)(86362001)(64756008)(19627235002)(8936002)(38100700002)(66556008)(110136005)(5660300002)(316002)(122000001)(76116006)(91956017)(66446008)(4326008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: eg4SGzXQDWoEI1GSYtYVHnP8+XC0lvSQ9+XG/vs0f3SYwS636rC/9/qVTgp9kpI9/DF2GfkpFIQ0ugfIJ0oX7xA7ec4B5fNEqnFoO4bdpMvaRPJlod48d742lpHFDETne5C+NpE9IT+xE4GBytykrdWdKnEhPbX0xs921SKPBH5YWnudeYoeZvsr0QnEzJzRxwSyHs+GdrGRrwh/ho+gT+BCMgcxmsfYZwXKpe2dHZ1mH7jxKzAdEKHHf2qZyrUhxbAaNJnFBJ5iymTCqRtQFZ4C4dj+ch9g6tnXPxGPXcZEPUT4HiTyTmrzZp3FM6s7XO8J50valDtn6pVV+b7fpP/bWhSau8qE549zsSJnjaD2eKEhogaX9VDdFik4NmLL0BaDmOW2An+wBD9zofiFfRuC6Xy/uTuk5YfzY1M47Vwy7lgepvEpnyjUXUZsGFsUdQenuZgCqEfd3PEUG+uhi8iS4Z034I3SG77btXv4284H1LvEddNZhUcwhZaeAF3W8+b0PnOTx+gzZ0i0FrywRpdjd8RoEdnx8dnRMxNosEU1B5eEzFEeh19rC7aFHuyLfsZwYtS1zoelEpBH4iO2aA42FFo6y8KOmIcgCsDnSff4uBEHeSjuk+fqpwT5X9YSPbS6DWHiZdwt8YVEFbz+JWkkPd5f98/zo7jka96CnqBJ7rBZJotl5VsulCQJQPGpRzYJsl+qLx4OL0nImSFBw2k1McssZByb7GnsZV7AbgS+K905bfbj+bFSbUeF0dOyDMLMIdUHOa7n9Dqj9lA/KfysEJyd5JqTBjkNGtQNszE6PHLpB3ClD94dU1+3A99wMR0z9tBozQ5sqy3JKXGbSgV75qdtC9gVz0AIEFBJa1BXYUR6RYt5WWPz9Sx5DxFzpKNyJMp3zJNWpg0JXwHDqJCn3sREcjpmujfJgKbJuOwP9gu+2WAnz50L0Kgd0obDwbgZOsJrTxH8tsACVGf3CGlkzvDwHCo65Pmk00d2rvDXR+IqMRKaqXMb/tHZlqGIkvAwQgrvsvNh/AL0MMl/nH06esroKGw7eY9lmp7ckdcher9CXyHvxoNcLYGhDiWPg2r0cLnC0uvwYUiJZwFKLhoRWTEfWIPyHltMej7ogWJ1M8ks6H9WfM+YdhdkuMzBCMrcxSfNP40MhmI7ECbZB5DNEqfFLGj6blhfHp/1tN5mN22hnwPoPJFGy18trOAtKifGao1mW3kTOjB75xYG8as28mvk4SrePPEgd5Ugpz+k9QZQFi/EDVCivYDFdnSpS0Awc9lRW5O+CVbKZqQm20bPmX38PUcywuNzqElqWuLh3+XUtI7GWNgYK7xJy64IHzzPb3JTYViIqCXk33zpe/juAYpuCiQZicOnZEq5Gq2Zdkh6B4fm8/fN2VuNo3ht2Y6Rcojg9qnkk5LOoRaHVKvwUr8zTqwbC+vjttQx6i0HUINHFbUfaOKBWidfZTZQuegs4KQQURVTg07t05DzNTiski78/tmjhp1oPbWuVOX/DmeJ7wEaT+OCKnY5D7zSEhp+UeGjgO0DR19SNx2dKfdD2ig83uZsaQkc5WfW1pUnye7I1n5DJPgjWASFGYBykTQzjhoOOQU5x9lkZ1hO7A==
Content-Type: multipart/alternative; boundary="_000_VI1PR01MB7053ED7C0857415D1A0A0F71C7919VI1PR01MB7053eurp_"
MIME-Version: 1.0
X-OriginatorOrg: wemonitoremail.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1PR01MB7053.eurprd01.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2d72813b-f942-49e3-4c6e-08da6b4f4f79
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jul 2022 19:29:20.6128 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a2b1d6fe-fc8b-4b7c-b9f1-d7b1ab3d23b3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: t55bwB+0Vcu+xiij0kUjrBo7Ak59QjoHRvgk5yR1JIAH4fKOq6m0YpH4SdW3Dnvmf9cYWTyzzY2fftHWD0JRhg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR01MB3861
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/iPaoviTVfZQ73cLu6UfJX5Wj0WU>
Subject: Re: [Bimi] Alternate proposal
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2022 19:29:30 -0000

+1

I would also like an open discussion on this list about why BIMI requires DMARC with an enforcing policy at all. What is the user benefit or what risk does it mitigates etc. Because, to me personally, it just seems like a mechanism for transferring the cost of implementing/maintaining DMARC for large organisations. And VMCs seem conceptually similar to the ill-fated EV certificates.

I have project managed DMARC deployments in the financial services sector. I appreciate what it does and why it's desirable for organisations with similar compliance needs and risk profiles.

However, I actively advise regular clients not to enforce a restrictive DMARC policy on their marketing message streams because of the risk that legitimate messages will not reach the inbox. A forward between MTAs and a subject rewrite (eg., "External" tag) can cause a legitimate message to fail a DMARC test by design. If there's a revenue generating CTA in that message, then DMARC on that stream becomes problematic. ARC does not (yet) solve the forwarding problem because of the trust communication issue and lack of widespread deployment.

So, integrating BIMI with a PKI or web-of-trust seems like an idea at least worth discussing.

Ken.
________________________________
From: bimi <bimi-bounces@ietf.org> on behalf of Trent Adams <tadams=40proofpoint.com@dmarc.ietf.org>
Sent: Thursday, July 21, 2022 7:43:36 PM
To: John C Klensin <john-ietf@jck.com>; Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>; bimi@ietf.org <bimi@ietf.org>
Subject: Re: [Bimi] Alternate proposal




For what it's worth - I agree with John's assessment.  And that's precisely why I think we need to have all conversations about BIMI on this open discussion list.  We need the visibility and input from all stakeholders in order to have a truly effective discussion.



So... that being said... I'd suggest that we redouble our efforts to review the feedback so far and discuss what's next.  I know that I sparked the most recent conversational thread with questions about the MUA role in BIMI evaluation (a known trouble point)... and I honestly think that the conversation has been a productive one.  It's not always smooth sailing, but that's to be expected.



In short... I'd like to avoid unnecessary balkanization of the effort.  For my part, I'd like to see if we can address the suggestions of John and others so far and see where it can lead the work.



My $0.02,

Trent





From: bimi <bimi-bounces@ietf.org> on behalf of John C Klensin <john-ietf@jck.com>
Date: Thursday, July 21, 2022 at 12:10 PM
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>, "bimi@ietf.org" <bimi@ietf.org>
Subject: Re: [Bimi] Alternate proposal



--On Thursday, July 21, 2022 11:39 -0400 Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote: > On Wed, Jul 20, 2022 at 10:16 PM John C Klensin > <john-ietf@jck.com> wrote: > >> As promised in my recent "Radical





--On Thursday, July 21, 2022 11:39 -0400 Todd Herr

<todd.herr=40valimail.com@dmarc.ietf.org> wrote:



> On Wed, Jul 20, 2022 at 10:16 PM John C Klensin

> <john-ietf@jck.com> wrote:

>

>> As promised in my recent "Radical critique" note, a suggestion

>> about a completely different way to approach the BIMI problem,

>> one that would be far less complex and problematic.  This is

>> just an outline with many details left to be filled in -- my

>> purpose in sending the note is to encourage people to think

>> differently about the issues and see if there is interest in

>> further discussion.

>>

>> [snip]

>>

>> Would something along those lines make any sense at all?

>>

>

> I can't answer your question, but I do know that there is

> already running code for BIMI, written against the draft spec

> as it currently exists.

>

> It would be up to the implementers to decide if they're

> willing to scrap their currently running code and start over

> with something new.



Todd,



<rant>

My very first task when I became Apps AD a very long time ago

was to explain to what were, then, some very significant

implementers that, while the IETF could not prevent them from

implementing on the basis of an I-D, they had no right to

complain if the IETF's work evolved in a different direction.

Many things have changed in the last (nearly) 30 years, but I

think that, if the IETF is going to remain meaningful as a

standards body, the underlying theme has to be preserved.

Nothing prevents a group of implementers from getting together,

doing whatever they want to do, writing a description of it up,

and posting that as an I-D.  However, if they want IETF

endorsement for what they are doing (or have done), that implies

seeking community consensus that what they are doing is worth

doing, that it is the right way to do it and, presumably, a good

faith intent to accept that consensus, whatever it might turn

out to be.



The oft-cited "running code" principle was never intended to

imply "we did this together, we implemented it, it works in our

controlled and cooperating environments, so the IETF has to

accept and standardize it".  If things ever reach that point,

one has to wonder what the point of the IETF would be: the ISE

is perfectly capable of publishing documents of the flavor of

"ABC Company's Way To Do X" and "XYZ Consortium's Way to Do Y"

documents and has a long history of doing so.  Because those

documents are explanatory and descriptive, not normative and

with claims of community consensus, getting them published is

normally much quicker and far less painful than getting the IETF

to agree.

</rant>



So, what I have seen here, in addition to many suggestions about

improving editorial and terminology quality, are multiple

concerns about functionality and interoperability.  Many of them

have been raised by people with several decades of experience

trying to make email work in an interoperable way, a few of whom

even having had reputations of having almost never agreed about

anything over that period.  Nothing makes them (us)

authoritative but the concerns, especially those based on prior

bad experiences, should probably be taken seriously.



And not only have those concerns been raised, but I believe I

have seen several exchanges in which someone (other than me) has

made a point, gotten a message in response, and pointed out that

the message did not respond to the original point  (sometimes

with more than one iteration on the same point/issue).



With the understanding that I believe the authors and

implementers are sincerely interested in moving this work

through the IETF and getting IETF input and consensus and have

seen no evidence to the contrary so far (even though I think

there have been some communications difficulties), my two notes

were prompted by a pair of questions: (1) whether there is

actually growing agreement that hard questions (not just

questions about fine-tuning) are being asked, and should be

asked, about the proposals and their operation and

applicability, and (2) whether, if and when we reach the point

that a radically different approach == perhaps one based on MIME

facilities rather than mail header fields-- seems to be in

order, that is possible to consider going in that direction?  If

the answer to the first question is "no", then I hope someone

will help persuade me, possibly offline so as to not waste time

on the list.   If the answer to the second is "no", then I

suggest starting to recast the documents as "this is what it is

and how we do it" descriptions rather than specifications to be

processed in the IETF.



Those, of course, are just personal suggestions: I claim no

authority here, just that I think it has gotten to be time to

ask the questions.



   best,

     john





--

bimi mailing list

bimi@ietf.org

https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/bimi__;!!ORgEfCBsr282Fw!uuANg5bLiKQquUjZ55P1eDJEyycLqGfcKNV9peswRJBw9pfpstRCSPQoF08oGvTR-4hdCeG3K6i64zmKyA$

v2.23.0 | Report a Bug | By Email