IETF Logo Mail Archive

Re: [Bimi] (non)desire for bimi

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 18 February 2019 21:47 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43C2D131056 for <bimi@ietfa.amsl.com>; Mon, 18 Feb 2019 13:47:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rp78xufGKtwV for <bimi@ietfa.amsl.com>; Mon, 18 Feb 2019 13:47:06 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED4AE131051 for <bimi@ietf.org>; Mon, 18 Feb 2019 13:47:05 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 5433BBE47; Mon, 18 Feb 2019 21:46:59 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hAc0SrPCMbKR; Mon, 18 Feb 2019 21:46:57 +0000 (GMT)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id A09FBBE2F; Mon, 18 Feb 2019 21:46:57 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1550526417; bh=vW7owyqNbyRagDnrQug/yRPMRPNPOjZ6G1Ssnuz6920=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=z/jLpqx07pHsppOjXYlj//x0xxGt73Ej0PUdlqaaZVOII5gh1XBxNFLstxNrABrfI DKxnAUFhYxB/DYsX+LhCp4WkInL3ezEMg9dFXFhz3p4B4ZQ3RfzDvw+YAgyj3IEYLE WcAY0/N5vmr/EdgBrjCXI/e/s/dpwij/jJzn2vVY=
To: Thede Loder <thede=40skyelogicworks.com@dmarc.ietf.org>, Terry Zink <tzink@terryzink.com>
Cc: "bimi@ietf.org" <bimi@ietf.org>
References: <aa919aeb-caa1-6494-259d-a553b238c268@cs.tcd.ie> <BL0PR11MB3107712FFFD2D92E911B909DA9670@BL0PR11MB3107.namprd11.prod.outlook.com> <17a79377-587a-c1fa-5927-23712ef15227@cs.tcd.ie> <751D273E-3813-442C-98C4-BC0212093E37@skyelogicworks.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <aba5f514-e9aa-4523-b158-912f984fff4c@cs.tcd.ie>
Date: Mon, 18 Feb 2019 21:46:56 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <751D273E-3813-442C-98C4-BC0212093E37@skyelogicworks.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="YmvDVwTr3wPEM6iZJWi0HrA80lbVmMTMO"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/uUVkrkO9O_S4oWw_TkFFnPU1N2w>
Subject: Re: [Bimi] (non)desire for bimi
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 21:47:09 -0000

Hiya,

Answering 3 mails at once..

On 18/02/2019 16:31, Thede Loder wrote:
> Hi Stephen,
> 
> Knowing your personal dislike of HTML-based email, and also that ~1
> billion people read HTML email messages each day, many of whom like
> seeing graphics, tables, and other mark up, would you have proposed
> back when it was being considered for standardiation that it should
> never be developed or standardized?

I don't recall details of when HTML body parts were standardised.
I do consider that blindly running random code from the Internet
as a default is one of the worst errors that web and mail user
agent developers have made in the last two decades. We are still
discovering some of the non-obvious consequences (Spectre etc.)

I am happy to be tech savvy to know that I can, and how to, turn
that down to something acceptable, which I find entirely usable.
I'm sad that's not the default. I do maintain that the world would
be a little better were user agents much more conservative in how
they handle active content like HTML.

>> Yes I do indeed fear that bimi could and would be (ab)used by some
>> services to do more such dis-service. ISTM that damages the mail
>> environment rather than enhances it.
> 
> Your fear is justifiable.

I'm sad to hear that.

> If BIMI adoption contributes to a shift in the norms and certain
> costs associated with effectively using applicable existing media, on
> the balance, have we made these media better for the actors we care 
> about?

That's an unanswerable (and hence badly formed) question. A "shift in
norms" can be overall negative or not so "on the balance" can't be
answered, at least not as an answer to that question.

> Tracking is a concern and my personal take is that I’d like to see it
>  become either impractical or completely transparent (or both)?. Can
> someone from the Authindicators Working Group comment on Stephen’s
> interpretation?   Stephen, can you point us to a section?

Don't have time 'right now to re-read the various drafts sorry.
Logically though, adding a URL that gets de-referenced has to
be a new tracker, and hence is IMO bad. Supposed ways of avoiding
the MUA doing the de-referencing seem almost fictional as they
require all MDAs to have intercepted and replaced that URL to
avoid their MUAs doing so. I don't believe you can eliminate
that form of tracking unless you send the image inline. (Which'd
have other downsides is a very different design.)

I can't see how that tracking aspect could be a surprise to
anyone.

On 18/02/2019 18:03, Thede Loder wrote:>
> 
> Stephen, thanks for this reference.  While its technically possible
that a receiver
> might fetch a certificate at message-receipt time, receivers not
wishing to
> enable sender tracking have another straightforward option: they can
maintain
> access to the Certificate Transpareny logs, and therefore have a copy
> of every issued certificate (and their embedded list of FQDNs) and
> so
retrieve
> relevant contents without any outbound communication to the net.  In
practice,
> receivers might implement daily DNS checks, during which they lookup
> and confirm the current BIMI record for the set of domains known to
> be
publishing
> them, or to discover new ones that have begun doing so.

I have to say that seems pretty far-fetched (to put it kindly). But
if there's a more fleshed-out design I'd be interested in a pointer.
To poke at just one aspect, I've no idea what CT data structure you
are assuming is in a mail. If it's not e.g. an SCT or signed tree-head
then that seems to be nothing to do with CT and more that you seem
to be imagining a new image repository where images just happen to
be wrapped in X.509 cruft. Lastly, if the supposed CT-log/image-DB
is accessed by the MUA then that's the same tracking as before. If
you envisage the MDA doing that daily then that seems quite brittle
and unlikely (as before).

On 18/02/2019 18:37, Thede Loder wrote:
> 
> Can you tell me if you agree or disagree with the following
> statement?
> 
> "To say that facilitating the regular practice of displaying logos
> (as sender identity) can bring about positive effects is not the
> same as saying the positive effects are due to, for example,
> improved end user-mediated choices. “

I think that's a loaded question, sorry and I don't plan to take
the bait:-)

I continue to maintain that MUA UI design is relevant to this
discussion (which is unusual in an IETF context) and that I'm unaware
of evidence as to the claimed effects (good or bad) of displaying
graphics as proposed here. If no evidence is offered that such
graphics overall do good, then my conclusion is that this effort is
not worthwhile. (But that it is worthwhile opposing, as I do see
dangers, as well as costs, in what is proposed - sorry again;-)

If you or someone has some evidence that displaying these logos
has some overall positive effect, then sending a pointer to that
evidence would seem the obvious answer.

Cheers,
S.

v2.23.0 | Report a Bug | By Email