Re: [Bimi] BIMI & the MUA
Taavi Eomäe <taavi@zone.ee> Tue, 05 September 2023 11:52 UTC
Return-Path: <taavi@zone.ee>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74E72C14CE3B for <bimi@ietfa.amsl.com>; Tue, 5 Sep 2023 04:52:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.198
X-Spam-Level:
X-Spam-Status: No, score=-7.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zone.ee
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qRcog8GbtLys for <bimi@ietfa.amsl.com>; Tue, 5 Sep 2023 04:52:42 -0700 (PDT)
Received: from MTA-244-117.TLL07.ZONEAS.EU (mta-244-117.tll07.zoneas.eu [85.234.244.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9935AC14CEF9 for <bimi@ietf.org>; Tue, 5 Sep 2023 04:52:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zone.ee; q=dns/txt; s=zone; bh=WWdqHyNKeO5fR+TmXfGadunapsWOftrNp/tChk/QFy4=; h=from:subject:date:message-id:to:mime-version:content-type:in-reply-to:references; b=O1aBKs1pi4FIHxKIgMp/x1edI/NNepdYE6wyT6QGv34GYptHeuN5okBvBWfIPStqnVlvYNy2v lbMN7JvolJa8S3ccsvaSGnf/jG9gLCrD8FGLYUUEaut/zkKSdKUqNTh3L/30r/CmR2jAmw7JKP4 8XH7TC8rdHXqlPkQz6YDM44MgI4TB/2J1HN5OYi98Y7m/NKhP0nOe8S+YkBHRZRX5zDMMupj0qy Hie6ahgSDwCkp3Fo9FmJOc6pbp6JGoDz2/47E42PDRMKwBSMQYkPSJ3jZhUytJDgtjOu1aSVLk+ 6TaTWL4UX+KnljEhUwjJ4aSA7cr4r1jDY4xkjNOZtx0Q==
Received: from [192.168.110.11] [217.146.66.6] (Authenticated sender: zmail526721[taavi@zone.ee]) by MTA-244-117.TLL07.ZONEAS.EU (ZoneMTA Forwarder) with ESMTPSA id 18a652ff1350005f22.001 for <bimi@ietf.org> (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Tue, 05 Sep 2023 11:52:35 +0000
Message-ID: <5a3abe26-cb49-5350-0abd-a106125fb087@zone.ee>
Date: Tue, 05 Sep 2023 14:52:33 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
Content-Language: en-US
To: bimi@ietf.org
References: <MN2PR11MB43512B68983A21E6B546E0BDF7EAA@MN2PR11MB4351.namprd11.prod.outlook.com>
From: Taavi Eomäe <taavi@zone.ee>
Organization: Zone Media OÜ
In-Reply-To: <MN2PR11MB43512B68983A21E6B546E0BDF7EAA@MN2PR11MB4351.namprd11.prod.outlook.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040001020304080400070808"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/pQGkMBex8oWuHUW49Qx3wuvkGRA>
Subject: Re: [Bimi] BIMI & the MUA
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Sep 2023 11:52:47 -0000
Hi, The draft RFC (draft-brotman-bimi-mua-00) seems to add a very significant amount of complexity to the BIMI process with no clear benefit. This additional complexity can introduce vulnerabilities, implementation inconsistencies and would cause additional resource usage in both MTAs and MUAs. If it is implemented at all, considering the complexity. Using DNS as a key-value store is also quite wasteful (especially with DNSSEC) if not simply abuse or misuse of DNS. Such DNS usage also introduces additional risks, especially if you take into account how rare (O)DoH(3) or DoT is. Inherently the MUA has to trust that the MTA that received the letter. Thus simply looking at Authentication-Results and if it contains "bimi=pass", should be sufficient for the MUA. The VMC itself contains expiration, if that's important to the MUA. If there is a need for faster revocation, looking into OCSP would be a better choice. If one of the goals is to further cache logos (and to increase privacy), instead of the massive "BIMI-Receiver-Signature" header, the logo's base64 could be added for the MUA. For example "BIMI-Logo". It should be noted that we (Zone Media OÜ) are maintaining and developing a web-based MUA that currently supports BIMI <https://bimigroup.org/bimi-infographic/>. (In addition to our own MTA and MSA.) Alternative approaches should be heavily considered instead of this draft RFC. Best Regards, Taavi Eomäe Zone Media OÜ
- [Bimi] BIMI & the MUA Brotman, Alex
- Re: [Bimi] BIMI & the MUA Taavi Eomäe
- Re: [Bimi] BIMI & the MUA Brotman, Alex
- Re: [Bimi] BIMI & the MUA Taavi Eomäe
- Re: [Bimi] BIMI & the MUA Marc Bradshaw
- Re: [Bimi] BIMI & the MUA Taavi Eomäe
- Re: [Bimi] BIMI & the MUA Brotman, Alex
- Re: [Bimi] BIMI & the MUA Brotman, Alex