Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2
Marcel Bokhorst <marcel@faircode.eu> Fri, 30 July 2021 14:46 UTC
Return-Path: <marcel@bokhorst.biz>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C82203A2C67 for <bimi@ietfa.amsl.com>; Fri, 30 Jul 2021 07:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=faircode.eu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wY-1i_dI_QZW for <bimi@ietfa.amsl.com>; Fri, 30 Jul 2021 07:45:56 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49EFF3A2C65 for <bimi@ietf.org>; Fri, 30 Jul 2021 07:45:55 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id g13so18321595lfj.12 for <bimi@ietf.org>; Fri, 30 Jul 2021 07:45:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=faircode.eu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wxOMMh1wyMoQrfw2dADwGr9sh7V4pZne//WkJc96ay4=; b=aNRpDPku49AZetcZQ9umLrors68F8EpUY8lO0v6PxOlSxsSq2wj85wDxw5Q5h7mvMw lkyQmfDmKBQAR/3WbWWbKaoX9xxXV2hmiX9hrkzn+UZ0Z3makjAFcf8s9TacWy3l4A63 JUv+hnVy0yAoYjmCrZDbstEPlEseHHanE31iaLh20FGRvVHtGY3phQC+2QldxwdHlYZj qooxRIAiPqu8tZEACSqyTVRsRcbuF9pYcrrBh0aVFuTnJZa3lyiiT+XhnWqAfGXjRzb+ J8aLKrp9NZxRMRc/GestfQPIWKdhj9NqLg8biD0JcNPICOMohrJrnM6NyXqMivXWwMUy Boxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wxOMMh1wyMoQrfw2dADwGr9sh7V4pZne//WkJc96ay4=; b=RoOCcb/iJnQ7zCtA/KxKL1qps6QNNvqa7/5sAksxJxfM0dkayRNMUR2nFR48tNO5QK 6ZGBU1x7+H3lSxFSYCafOAY2ZE3RFXEkLe0oDr2XuldEEDJcjRv8VTKc+3Pm0BL+CYQf xvuK9Ri+1W8w1BuHw7rgDvEIUnwSfQEHbHTkbXMdY2ds3mSZAXeYqQOnPzjBCYnvtDPp S8g5fg2xZpokBvisY/HCTwBQ3xhve7W4/PmUfD5syIvbYE7XmBSRHrXaNHrxePV2Tjfk ceRYTDat6M6GnMYckjUKc/EJGzLz40bZkd/JijH4PkjoII9WzNukV9iFgKip8osfZSgC ZPcg==
X-Gm-Message-State: AOAM532yj0xDcI71m7woTJ/b90zSaiQJmxeL94h+WZ/AEFlhHzcu6k2N +aIRM5JbWEIquHsLHayzvFzhHuyHMhGWHVqhj6uKvzjAPgU=
X-Google-Smtp-Source: ABdhPJwZu3yAKHoC1QxR6Y1EsPd2coYlARtl9mGjqB7HHH9aGdGr9X40OS+fNiIMd+0y/CYHzRtiQz5CUrA/6uHYWiI=
X-Received: by 2002:a05:6512:2205:: with SMTP id h5mr2235317lfu.257.1627656353270; Fri, 30 Jul 2021 07:45:53 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.3635.1627587941.6855.bimi@ietf.org> <CAFLkOerrax+qYyaR_u1SJH6xQH_asxqbzd=rb4AWKwYudZodCw@mail.gmail.com> <MN2PR11MB435147F86056FB81D919657EF7EC9@MN2PR11MB4351.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB435147F86056FB81D919657EF7EC9@MN2PR11MB4351.namprd11.prod.outlook.com>
From: Marcel Bokhorst <marcel@faircode.eu>
Date: Fri, 30 Jul 2021 16:45:25 +0200
Message-ID: <CAFLkOerqLfm8rqcCDOkrS=9S3XV41exDSOMB_zndYaC6NKuGSw@mail.gmail.com>
To: "Brotman, Alex" <Alex_Brotman@comcast.com>
Cc: "bimi@ietf.org" <bimi@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c0e4e005c8584611"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/guPyUeR5MYYElfN12DSBrIckJcY>
Subject: Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 14:46:02 -0000
I understood that always "xfinity.com" should be checked and never subdomains like "emails.xfinity.com". Am I wrong? "*Everything checks out*" means: - The VMC could be downloaded from location referenced in the BIMI TXT record - The certificate chain up to a known CA certificate is valid - The certificate is of the right type (BIMI) - The DNS name of the certificate matches the domain name of the sender and of the BIMI DNS record - A logo is present and could be extracted from the certificate - The *Authentication-Results* header says "pass" for DKIM, SPF and DMARC - The DMARC DNS record policy is "reject" or "quarantine" Op vr 30 jul. 2021 om 15:19 schreef Brotman, Alex <Alex_Brotman@comcast.com >: > > > Consider “emails.xfinity.com”. We didn’t want BIMI on “xfinity.com”, but > just that sub-domain (for now). There is no BIMI record at “xfinity.com”, > though it does exist at “emails.xfinity.com”. I believe this is covered > in the drafts. > > > > The flag could be nice, but again, that only covers IMAP. What about POP > (or MAPI) users? The cryptographic solution may be more intensive, but > seems like it may make BIMI more available (but yes, at the expense of > mobile CPU). > > > > Could you elaborate on the “everything checks out” from your section about > evaluation? > > > > -- > > Alex Brotman > > Sr. Engineer, Anti-Abuse & Messaging Policy > > Comcast > > > > *From:* bimi <bimi-bounces@ietf.org> *On Behalf Of * Marcel Bokhorst > *Sent:* Friday, July 30, 2021 3:57 AM > *To:* bimi@ietf.org > *Subject:* [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 > > > > FairEmail will not rely on the BIMI-Location header because this requires > support from the email server. Instead, FairEmail will use the logo in the > VMC and fallback to the DNS record logo location if needed (logo missing in > the VMC, etc). The logo will always be shown, but the verified sender icon > (a double check mark before the sender's name) will be shown only when > everything checks out. > > > I think it would be a good idea to summarize the steps to follow to > fetch/decode/check BIMI because I think it will make it easier for > developers to implement BIMI and to do this in the right way. > > The BIMI TXT record is always being fetched from the top level domain ( > example.org > <https://urldefense.com/v3/__http:/example.org__;!!CQl3mcHX2A!QOleDIsQOkjN3HXlKrItrq62gf5-G3hak8l7aDR3RAX6gQqWqTVXcLfIwcPA3DMVHSX2WGk$>). > I hope this is correct. > > > > An IMAP flag would be nice, but I guess it will take quite some time until > all email servers are supporting this. Something like a signed > authentication results header would be nice, as long as it can be checked > in a simple and efficient way. For example heavy cryptographic operations > and looking up DNS records (for certificates, etc) would result in slow > downs and increased battery usage when downloading many messages. > > Currently, the authentication header inserted by the email server is just > being trusted, but this relies on either inserting the header by the > receiving email server or removing previous headers of intermediate email > servers. > > FairEmail will cache the logo for two weeks, which is the same as for > favicons. IMHO this is a reasonable default, preventing logos from being > fetched too often and still allowing to change the logo by the sender > (which I guess won't happen too often). > > I hope this clarifies things, else feel free to reply. > > > > Marcel Bokhorst (author of FairEmail) > > > > > ---------- Forwarded message ---------- > From: "Brotman, Alex" <Alex_Brotman@comcast.com> > To: Trent Adams <tadams=40proofpoint.com@dmarc.ietf.org>, "bimi@ietf.org" > <bimi@ietf.org> > Cc: > Bcc: > Date: Thu, 29 Jul 2021 19:45:04 +0000 > Subject: Re: [Bimi] Independent BIMI-capable Email Client > > I do have that app, but I haven’t yet pointed it at a platform utilizing > BIMI. I’ll make a note to give it a try. > > > > From below: > > > > - They aren't entirely clear on how (or why) to evaluate a logo > referenced by the BIMI record and the one retrieved from a VMC. > > > > What about the BIMI-Location header instance, if present? (assuming you > want to trust that header, etc). After that, I’d probably use the VMC if > present. Should we add an evaluation path to the core document? > > > > - It's also not all that clear where to retrieve the BIMI logo when > the email is sent from a subdomain, and match that up with the DMARC > results. > > > > I’m not sure I follow the issue here. Is there some example that shows > the questionable path? > > > > - There's also the question about whether or not an independent client > can/should trust the authentication results performed by the mailbox > provider when deciding to display the BIMI logo. > > > > If you go back to -00 of the core spec, there was an IMAP flag that was > meant to be set (Section 8.6). That was removed in -01. I don’t recall > the justification, but may have had to do with MUA workload. Seems like > the IMAP flag could be reintroduced (POP3 would be an issue though). Or > perhaps something akin to a DKIM signature signed by the inbound MTA that > could be verified by the MUA. The latter could potentially be reused > though? > > > > - There is a non-zero addition of processing required by the client to > handle BIMI, leading to the question about what impact this may have on a > client... and what efficiencies can be introduced with local caching (if > any). > > > > I’d think at least equivalent to the TTL of the BIMI DNS record, perhaps > even up to the expiration of the VMC (though I could understand where a > domain holder could refresh their VMC and change logos, etc). I’m sure > there’s a better answer somewhere in between. > > > > > > -- > > Alex Brotman > > Sr. Engineer, Anti-Abuse & Messaging Policy > > Comcast > > > > *From:* bimi <bimi-bounces@ietf.org> *On Behalf Of *Trent Adams > *Sent:* Friday, July 23, 2021 5:36 PM > *To:* bimi@ietf.org > *Subject:* [Bimi] Independent BIMI-capable Email Client > > > > > > Since Gmail's announcement, more companies are starting to play around > with BIMI (no surprise there). And, as expected, the increased attention > is helping to put more eyeballs on the experiment. > > > > And while some of the major mailbox providers are adding BIMI support to > their own mobile clients, I ran into a FOSS project run by a developer in > the Netherlands who has already added BIMI to their independent mobile mail > client. > > > > If you get a chance, I'd suggest taking a look at their FairEmail > implementation as they made some interesting choices: > > > > https://email.faircode.eu/ > <https://urldefense.com/v3/__https:/email.faircode.eu/__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHfdsADeC4$> > > > > The current Android client package can be downloaded from their GitHub > repository: > > > > https://github.com/M66B/FairEmail/releases > <https://urldefense.com/v3/__https:/github.com/M66B/FairEmail/releases__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHf2gwnAj4$> > > > > > > So far, they've already found some useful results from their experiment. > And now we're finally at a point where we can test the architecture (and > pressure-test the specifications) beyond the handful of usual suspects. > > > > For example, here're a few issues this work as already surfaced when > interpreting the specifications [1] [2] [3]: > > > > - They aren't entirely clear on how (or why) to evaluate a logo > referenced by the BIMI record and the one retrieved from a VMC. > - It's also not all that clear where to retrieve the BIMI logo when > the email is sent from a subdomain, and match that up with the DMARC > results. > - There's also the question about whether or not an independent client > can/should trust the authentication results performed by the mailbox > provider when deciding to display the BIMI logo. > - There is a non-zero addition of processing required by the client to > handle BIMI, leading to the question about what impact this may have on a > client... and what efficiencies can be introduced with local caching (if > any). > > > > What I found most interesting was how the specifications assume a tight > coupling between the client and the mailbox provider. It definitely opens > the question of whether it's possible (or recommended) for an independent > client to support BIMI even for email received by mailbox providers that > don't support it. It's real-world interop testing like this that I hope > will highlight issues that need to be discussed as the experiment continues. > > > > Also, if anyone would be willing to test the FairEmail client, I'd be keen > to hear if you think that the way it leverages BIMI matches your > expectations. Also, are there any others out there that might contribute > their learnings to the conversation? > > > > Anyway, thanks for any feedback you may have. It'll be useful to hash out > ideas for improvements and next steps on the list. > > > > Cheers, > > Trent > > > > [1] https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi-02 > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-blank-ietf-bimi-02__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHfVUyABq4$> > > [2] > https://datatracker.ietf.org/doc/html/draft-fetch-validation-vmc-wchuang-00 > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-fetch-validation-vmc-wchuang-00__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHfIMZn7Z8$> > > [3] > https://datatracker.ietf.org/doc/html/draft-brotman-ietf-bimi-guidance-03 > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-brotman-ietf-bimi-guidance-03__;!!CQl3mcHX2A!UUyJEN3_Ay0ac-Ux9txqVoPDIfnSSmOT5S-OCXjjRVeXJEEqrPRjGUg2a_oFLJHfQyodXbk$> > > > > > > -- > > *J. Trent Adams* > > *Director, Ecosystem Security* > > *Proofpoint* > > > > tadams@proofpoint.com > > > > bimi mailing list > bimi@ietf.org > https://www.ietf.org/mailman/listinfo/bimi > <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/bimi__;!!CQl3mcHX2A!QOleDIsQOkjN3HXlKrItrq62gf5-G3hak8l7aDR3RAX6gQqWqTVXcLfIwcPA3DMVB8lC6MU$> >
- [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marcel Bokhorst
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Brotman, Alex
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marcel Bokhorst
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Todd Herr
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marcel Bokhorst
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Jakub Olexa
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Trent Adams
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marc Bradshaw
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Dave Crocker
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marcel Bokhorst
- Re: [Bimi] Fwd: bimi Digest, Vol 10, Issue 2 Marc Bradshaw
- Re: [Bimi] bimi logos from non-giant companies John Levine