Re: [Bimi] (non)desire for bimi

[Terry Zink <tzink@terryzink.com>]

Thanks for your comments, Stephen. Here are my thoughts.

> I'd be interested in some kind of verifiable backup
> for that "clear demand" claim

To me, it seems intuitively obvious. For example, in the Office 365 web interface, I see logos from several different companies in the list view and the sender photo when I open the message - Amazon, Lyft, Facebook, LinkedIn, Netflix, BackCountry, Quora, etc (this is displayed via Microsoft's Brand Cards program). My old Yahoo Mail interface has something similar. For a while, Gmail showed a company logo pulled from its Google+ page.

How does this not show demand? Isn't this an example of web mail providers wanting to enhance the user experience, and companies happily obliging, and me as a user being pleased?

I am not representative of the entire space, but I really *like* those sender photos.

> I use the Internet. I do not want logos added to mail
> headers that increase the attack surface of my MUAs,
> (and MS/MTAs), that likely enable additional tracking
> of mail users, including me, and where mobile device
> and web MUAs are unlikely to offer me an option to
> turn all that off, even if some desktop MUAs might
> (eventually), at the risk of making messages harder
> to comprehend.

I'm not sure I understand this comment. The logos are not added to mail headers, but instead headers point to a location where the logo can be picked up and then shown to the end user. What's the difference between the sender/brand providing an authoritative source (DNS record that points to a CDN) vs Office 365/Yahoo pulling from their own internal database?


> I also just do not want to see your logos, thanks.

Again, I am not sure I understand this comment.

Logos are everywhere. Most large companies have Facebook and Twitter pages, and they all have logos. You see logos painted on the sides of walls, on stores, on TV, in newspapers, on web pages, as favicons, etc.

Are you saying these are all fine but in the sender photo it isn't? What's the fundamental difference between seeing a company's logo in the sender photo vs seeing it in the body of an email? Is it just a matter of turning of HTML and preventing those from loading?

> As someone who sends email (not as a bulk sender)
> from various domains that I operate, I do not want
> to pay €€€ to someone for an additional cert, nor
> for an "approved" logo, in order to increase the
> chances that my mail gets delivered.

Nobody is going to make you buy a cert, nobody is going to make you buy a logo, and so forth. It's up to you.

BIMI is an add-on; it augments the default experience, the lack of it doesn't downgrade the default experience.

> I also do not want to have to check if someone else
> has abused a logo I may use in some CT log. I do
> not want to have to process additional headers in my
> MTAs nor retrieve and store your logos in some new
> image store. I do not want to have to deal with any
> of the new problems that'll arise when any of that
> breaks.

Again, I'm unclear about the context of this statement. Nobody is going to make you as a sender, brand, or receiver send with BIMI. Nobody is going to make you retrieve logos from a store, nobody is going to make you verify any log, nobody is going to make you process additional headers.

Instead, it's about enhancing the email experience for those motivated to do so. And, BIMI provides a way to do this.

--Terry

________________________________
From: bimi <bimi-bounces@ietf.org> on behalf of Stephen Farrell <stephen.farrell@cs.tcd.ie>
Sent: Thursday, February 14, 2019 2:57 AM
To: bimi@ietf.org
Subject: [Bimi] (non)desire for bimi


(Sorry for not replying in-thread but I just subscribed
to the list, and this perhaps also deserves a separate
thread.)

>>> * Internet users want it - clear demand
>>
>> That claim keeps being made but I've never seen any serious
>> documentation for it.
>
> Marketing people want it -- that may not be documented but I have
> sufficient anecdotes to hand to believe it be the main driver here.

I'd be interested in some kind of verifiable backup
for that "clear demand" claim - I'm unaware that
such exists, other than perhaps as Richard says for
marketing purposes, and ISTM those purposes are amply
met already via mail bodies.

Meanwhile...

I use the Internet. I do not want logos added to mail
headers that increase the attack surface of my MUAs,
(and MS/MTAs), that likely enable additional tracking
of mail users, including me, and where mobile device
and web MUAs are unlikely to offer me an option to
turn all that off, even if some desktop MUAs might
(eventually), at the risk of making messages harder
to comprehend.

I also just do not want to see your logos, thanks.
Imposing those on me would decrease the utility of
mail. And regardless of what PKI were built I would
not treat bimi'd messages any better, more likely
I'd consider them badly.

As someone who sends email (not as a bulk sender)
from various domains that I operate, I do not want
to pay €€€ to someone for an additional cert, nor
for an "approved" logo, in order to increase the
chances that my mail gets delivered. Things in that
respect are bad enough, and this proposal seems to
me likely to only worsen the situation for those
who operate small domains, presumably to the benefit
of those who operate large mail infrastructures
and CAs who issue certs for money.

I also do not want to have to check if someone else
has abused a logo I may use in some CT log. I do
not want to have to process additional headers in my
MTAs nor retrieve and store your logos in some new
image store. I do not want to have to deal with any
of the new problems that'll arise when any of that
breaks.

So: No thanks, from me. Personally, as a mail user
I only see downsides to this whole idea.

Thanks,
S.