Re: [Bimi] Today's BoF
John C Klensin <john-ietf@jck.com> Tue, 02 April 2019 21:03 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7132A1201D5 for <bimi@ietfa.amsl.com>; Tue, 2 Apr 2019 14:03:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9WL4SRNN6P9U for <bimi@ietfa.amsl.com>; Tue, 2 Apr 2019 14:03:08 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F6D7120077 for <bimi@ietf.org>; Tue, 2 Apr 2019 14:03:08 -0700 (PDT)
Received: from [198.252.137.10] (helo=PSB) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1hBQYk-0005RH-Fl; Tue, 02 Apr 2019 17:03:06 -0400
Date: Tue, 02 Apr 2019 17:02:54 -0400
From: John C Klensin <john-ietf@jck.com>
To: John Levine <johnl@taugh.com>
cc: bimi@ietf.org
Message-ID: <6D3D29C7AE7A951D108A697E@PSB>
In-Reply-To: <20190402195409.7C6FA201144B7C@ary.qy>
References: <20190402195409.7C6FA201144B7C@ary.qy>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/ieU3gWOlK_3FPg-ZecAfCxGBL24>
Subject: Re: [Bimi] Today's BoF
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 21:03:11 -0000
--On Tuesday, April 2, 2019 15:54 -0400 John Levine <johnl@taugh.com> wrote: > In article <DD71F5FAA85F312FDB5EF7E4@PSB> you write: >> ... So someone comes >> along, someone who is clearly not BigCo, and obtains >> BigCo.evil (remember, all they need is ability to pay and an >> email address). They have little trouble obtaining >> certificates in that name because, as far as the DNS >> environment is concerned, they legitimately hold it. > > Nobody is assuming that you can get a bimi cert (or whatever) > merely with a domain name similar to the target trademark. Understood. However, unless just about every MUA in the world was upgraded to understand the difference between a bimi link and cert, I can't imagine a typical user being able to tell the difference between a bimi-blessed logo (or whatever) and the same logo presented via some other mechanism. If I correctly understood last week's discussion, bimi is dependent on mechanisms, including DKIM/SPF/DMARC that are, unless I'm missing something, dependent in turn on some assumptions about binding of the identity of a domain name holder with the domain name. My point was one cannot push those assumptions very hard without running into questions of registrar integrity and what it means to own (or hold) a domain name. And, before you tell me that, statistically, everyone is using web interfaces and MUAs don't count and/or that statistically everyone is using one of those gorilla systems so it is reasonable to ignore the deployment issues for the tiny minority of people who are left, I suggest that a corollary to those conclusions is that a code of common practices among said gorillas and an advertising campaign to try to convince people that they would much safer if they didn't communicate with, or accept mail from, anyone who was not using a gorilla system. Of course that approach would have interesting antitrust implications, but that, statistically, has not be a problem yet, so why worry? :-( > I > gather that one of the gorillas accidentally made this mistake > in their informal logo collection system and a motivation for > bimi is to keep it from happening again. If one conbines that sentence with the "Nobody is assuming..." one above, then a motivation for bimi is to cure (or prevent) stupidity. Perhaps it will work this time, but the track record of other efforts to apply such cures has not been good. > Of course this returns us to the major question of whether it's > possible to invent an effective system to check bimi > applications. I could invent one that involved a staff of > trademark lawyers, but I don't think anyone outside the S&P > 500 would find that usable. Indeed. best, john
- [Bimi] Today's BoF John C Klensin
- Re: [Bimi] Today's BoF Wei Chuang
- Re: [Bimi] Today's BoF Dave Crocker
- Re: [Bimi] Today's BoF Wei Chuang
- Re: [Bimi] Today's BoF Dave Crocker
- [Bimi] Laches (was: Today's BoF) Richard Clayton
- Re: [Bimi] Today's BoF John C Klensin
- Re: [Bimi] Today's BoF John Levine
- Re: [Bimi] Today's BoF John C Klensin
- Re: [Bimi] Today's BoF Wei Chuang
- Re: [Bimi] Today's BoF Wei Chuang
- Re: [Bimi] Today's BoF Wei Chuang
- Re: [Bimi] Today's BoF Richard Clayton
- Re: [Bimi] Laches (was: Today's BoF) Wei Chuang
- Re: [Bimi] Laches Dave Crocker
- Re: [Bimi] Laches John Levine
- Re: [Bimi] Laches Dave Crocker
- Re: [Bimi] Today's BoF Wei Chuang