Re: [Bimi] (non)desire for bimi

Dave Crocker <dhc@dcrocker.net> Thu, 14 February 2019 18:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/ikhD1gCvpzqTk4obzGfkW0p7XGA>

On 2/14/2019 10:23 AM, Terry Zink wrote:
> Thanks John, and Dave.
> 
>> 1. An axiom in usability research is to not treat developers or
>> researchers as subjects (unless they really are the target audience.) 
>> In terms of cognitive detail and usage style, such folk differ 
>> substantially from the general user population.
>> 
>> Simply put, you or I or John do not matter in this calculus.  We are the
>> essence of a biased sample...
> 
> I agree, which is why I said earlier that I am not representative of the 
> entire space.

Except that you only cited yourself and then said "How does this not 
show demand?"  You started with "To me, it seems intuitively obvious."

If there is anything in usability design that would qualify as speech of 
the devil, that sentence probably qualifies.

Usability design often needs to make choices that go exactly against 
what is "intuitive" to one person or another.  By way of example, there 
is a common view that giving end users more information is always a good 
thing, but this flies in the face of well-understood cognitive limits.



> Yes, there are some people that don't like this type of UX. And with 
> BIMI, you'll still be able to use the same software that doesn't show 
> images, HTML, sender photos, etc. There's no change there.

This is another fundamental usability design error:  thinking that 
adding something is fine because users can turn it off.  This burdens 
users, and often creates a barrier because they don't know how to fix it 
or even that they can.


>> It makes it in effect another web bug.
> 
> Hmm...
> 
> That heavily depends upon implementation. A web bug, as I understand it, 
> helps to track user behavior - did the user open up my mail? While I 
> concede that BIMI could be used this way, it's not a particularly 
> effective way to do it.

So you are countering a security concern by saying that we should not 
worry about it because there are other vectors you consider better?

This suggests that additional attack vectors aren't to be worried 
about, as long as easier ones are available?


> Most large receivers wouldn't serve up a BIMI logo from the actual 
> location pointed to by headers/DNS records each time they needed it. 

I don't understand how this point is relevant to the underlying concern.

How is a statement predicated on "most" a useful security concern 
counter?  It almost sounds as if systems not part of that 'most' don't 
matter...


d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net