Re: [Bimi] Today's BoF
John C Klensin <john-ietf@jck.com> Tue, 02 April 2019 18:26 UTC
Date: Tue, 02 Apr 2019 14:26:25 -0400
From: John C Klensin <john-ietf@jck.com>
To: Wei Chuang <weihaw@google.com>
cc: bimi@ietf.org
Message-ID: <DD71F5FAA85F312FDB5EF7E4@PSB>
In-Reply-To: <CAAFsWK3uhFfeEt34wRJRQen1YVK4uNo=nxJoaGc4m84Y1J+ctQ@mail.gmail.com>
References: <309EBD4AD64BE436663E721D@PSB> <CAAFsWK3uhFfeEt34wRJRQen1YVK4uNo=nxJoaGc4m84Y1J+ctQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/v1RERgq8pZLyRY595ky_R0XrqLs>
Wei,

Two observations on separate notes...

--On Sunday, March 31, 2019 16:48 -0700 Wei Chuang <weihaw@google.com> wrote:

>...
> My worry, as Dave Crocker's recent message on BIMI highlights,
> is that these domain-based authentication methods depend on
> the integrity of DNS, and apparently there are now viable
> attacks on DNS (The Route 53/BGP hijack is another). Perhaps
> this proposal needs to take into account such DNS attacks now
> rather than later.
>...

There are two other, far more fundamental and closely related, issues with domain-based authentication that I don't think the BIMI proposal addresses.

We've now got somewhat more than 1500 top-level domains. For a significant fraction of them (I'd guess the vast majority) there are only two qualifications for obtaining a second-level domain under that TLD: the ability to pay what is usually a fairly nominal amount and a working email address. Typical contracts between a TLD operator and the buyer of an SLD transfer all responsibility for obedience to, or violation of, trademark laws to the latter. There is, in general, no requirement for the TLD to pay any attention to whether a proposed SLD name would infringe on a trademark, even an internationally well-known one, and considerable incentive for them not to do so.

So assume you have a company that holds a registered trademark and associated domain name as, e.g., BigCo.co.uk. They have all of the right certificates and bind a logo to that domain. Now let's assume that a party comes along who wants to attack BigCo and its logo. Rather than pointing the finger at existing domains, assume that a TLD named "evil" is allocated and delegated in the near future and that its business model is a little ethics-challenged (perhaps not much more than the average, but that is not an important issue). So someone comes along, someone who is clearly not BigCo, and obtains BigCo.evil (remember, all they need is the ability to pay and an email address). They have little trouble obtaining certificates in that name because, as far as the DNS environment is concerned, they legitimately hold it. They send mail out from that address using BigCo's logo, either embedded or via some URL. So, think the users will notice that the logo does not have your seal of approval and that the domain is in "evil." rather than "co.uk."? See the problem?

Of course, BigCo can attempt to use the courts and/or ICANN procedures to challenge BigCo.evil on the grounds of infringement of their registered trademark, but there are two problems with that. One is that such challenges take a while and are typically easily dragged out so that, by the time they win and BigCo.evil is taken down, significant damage has already been done and the operators of BigCo.evil are laughing all the way to the bank.

The other is the second basic problem. With the possible exception of a relatively small number of internationally well-known / famous names and marks, registered trademarks are tied to both geography and field of application. If BigCo.co.uk sells widgets and BigCo.us makes blankets for wizzles, there is most likely no trademark violation, and both companies may be completely legitimate (unlike the example above), have the marks appropriately registered, and be able to obtain even the highest-assurance certificates possible --different jurisdictions and business locations and different fields of application. Even if both selected logos that were very similar, trademarks wouldn't help much. As Dave said, people have been working on these issues for well over a century with very little discernible progress. I can't recommend holding your breath about the latter problem and, even if it were solved, that would still leave the nature of the domain name market.

best,
    john