IETF Logo Mail Archive

Re: [Bimi] (non)desire for bimi

Richard Clayton <richard@highwayman.com> Thu, 14 February 2019 18:52 UTC

Return-Path: <richard@highwayman.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55A2E12DDA3 for <bimi@ietfa.amsl.com>; Thu, 14 Feb 2019 10:52:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s8-6Dr8yo234 for <bimi@ietfa.amsl.com>; Thu, 14 Feb 2019 10:52:16 -0800 (PST)
Received: from mail.highwayman.com (happyday.demon.co.uk [80.177.121.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D74B71289FA for <bimi@ietf.org>; Thu, 14 Feb 2019 10:52:15 -0800 (PST)
Received: from localhost ([127.0.0.1]:36618 helo=happyday.al.cl.cam.ac.uk) by mail.highwayman.com with esmtp (Exim 4.91) (envelope-from <richard@highwayman.com>) id 1guM7K-0006Sr-65 for bimi@ietf.org; Thu, 14 Feb 2019 18:52:14 +0000
Message-ID: <E9NipkB8hbZcFAhy@highwayman.com>
Date: Thu, 14 Feb 2019 18:50:36 +0000
To: "bimi@ietf.org" <bimi@ietf.org>
From: Richard Clayton <richard@highwayman.com>
References: <20190214175243.950C2200E509D1@ary.qy> <aac6ca77-a8f7-7628-fc0d-18ab616659f2@dcrocker.net> <BL0PR11MB3107E380194F10A297485BBCA9670@BL0PR11MB3107.namprd11.prod.outlook.com>
In-Reply-To: <BL0PR11MB3107E380194F10A297485BBCA9670@BL0PR11MB3107.namprd11.prod.outlook.com>
MIME-Version: 1.0
X-Mailer: Turnpike Integrated Version 5.03 M <kN1$+jWI77$h+OKL79e+dC6FuA>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/i99AWwW-8hAB3QovNBxS9vU5amQ>
Subject: Re: [Bimi] (non)desire for bimi
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 18:52:18 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <BL0PR11MB3107E380194F10A297485BBCA9670@BL0PR11MB3107.namprd1
1.prod.outlook.com>, Terry Zink <tzink=40terryzink.com@dmarc.ietf.org>
writes

>    That heavily depends upon implementation. A web bug, as I 
>    understand it, helps to track user behavior - did the user open up 
>    my mail? While I concede that BIMI could be used this way, it's not 
>    a particularly effective way to do it. It would require setting up 
>    a lot of DNS records, and then being able to stand up 
>    infrastructure that can handle all those requests.

... and surely marketing people would never do that ?+

>    Most large receives wouldn't serve up a BIMI logo from the actual 
>    location pointed to by headers/DNS records each time they needed 
>    it. Instead, they'd periodically poll the logos/certs they need, 
>    upload them into a local database, and then pull from there.

Please explain how they would "poll the certs they need" ?

I understand that they might cache certificates that they had already
fetched once, but that's not the same thing at all.

How do they know what certificates they need a priori ? is it just for
the brand owners who have sent them cheques to pay for the display of
their logo ??

>    So, as 
>    a sender/brand, you might send out 100,000 messages to a single 
>    receiver and intend to use BIMI to see how many people interacted 
>    with the message. But in reality, you might see only 1 request - 
>    the one where that receiver saw it needed your logo and then 
>    downloaded it after verifying it. And then 30 days later, you saw 
>    them download it again.

the way you would get tracking (and of course mess up the caching
behaviour by the mail receiver) would be to use a different (sub)domain
for every email...

... so if you wish to forbid this (or make it expensive) you need
language about wildcard certificates.  Where do I find that in the spec?

>    So, while a web bug is a possible concern, a large receiver (and I 
>    would think even a medium sized one) would have to make use of more 
>    efficient architectural implementations to make the web bug 
>    concerns a minor one on the list of things to worry about.

the reverse -- without protocol restrictions the large receiver would be
worried that their caching architecture was subject to attack

- -- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBXGW4fDu8z1Kouez7EQL6iwCfWUNBwQvx20LG1lzQ4YDaHiEI7TYAmgJd
wOsceIENtEVbG51TLit0kTod
=2QC5
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email