Re: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 09 February 2019 16:53 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41FE0129524 for <spasm@ietfa.amsl.com>; Sat, 9 Feb 2019 08:53:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6JR0GpduJRz for <spasm@ietfa.amsl.com>; Sat, 9 Feb 2019 08:53:01 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DB5C1200ED for <spasm@ietf.org>; Sat, 9 Feb 2019 08:53:00 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id B7DD8BE38; Sat, 9 Feb 2019 16:52:57 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkuHm2DM0wWT; Sat, 9 Feb 2019 16:52:53 +0000 (GMT)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C3943BE2E; Sat, 9 Feb 2019 16:52:52 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1549731172; bh=P68ESU9HWWtnDbUDaSRNgDsVwDN+HdVFmN/buUR3POU=; h=Subject:To:References:From:Date:In-Reply-To:From; b=wPbgWcpdzLrTDHzOLuUco1Ubbk8gxd7rMxf4pGhV+6unPD8x1OjNbxYI9a+OB/ThV 2B6zBXal0maoS1/YpZyRS2muo3Xfh7PsLiJC6zbNVKjlRbAzZY1ccbsVzLq1x1+6Q7 ovTKQThijgqbRgMcr4H8EWvte5B03tdoNUZyr+14=
To: Wei Chuang <weihaw=40google.com@dmarc.ietf.org>, SPASM <spasm@ietf.org>
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com> <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <3cbf4861-94ab-6623-86ad-a13d292d3393@cs.tcd.ie>
Date: Sat, 09 Feb 2019 16:52:51 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="JUA5ds8fPePPG0izrtuN8XVtckOU6hEEZ"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Dtg19iQCQmrD3TBbRdCabHnWE3c>
Subject: Re: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Feb 2019 16:53:05 -0000
I've not yet subscribed to that bimi list but... As a user of email I do not want more crap in messages that user agents might de-reference thereby increasing how much I am tracked and my devices' attack surfaces. So my starting position is that I need to be convinced bimi is not just a bad idea. S. On 09/02/2019 16:36, Wei Chuang wrote: > Hi all, > > I'm cross posting to the LAMPS mailing list for visibility, that there is a > new mailing list for Brand Indicators for Message Identification (BIMI) > which allows for logos to be displayed by an email recipient. This is of > interest to LAMPS since a secured part of the specification uses X.509/PKIX > certificates to carry these logos and assert a 3rd party validation. A > while back, I posted here a draft requesting a new certificate Extended Key > Usage value to distinguish these logo carrying certificate which linked > below. Also described below is the validation procedure for the > certificate based on web Extended Validation (EV) but built upon to handle > the logo validation. I also have a security justification document that I > hope to turn into an IETF informational draft that will help justify the > security of the logo and other information carried in the certificate. We > look forward to your comments and questions on the BIMI list. > https://www.ietf.org/mailman/listinfo/bimi > > -Wei > > ---------- Forwarded message --------- > From: Seth Blank <seth@sethblank.com> > Date: Wed, Feb 6, 2019 at 12:11 PM > Subject: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt > To: <bimi@ietf.org> > > > I've uploaded two documents as I-Ds to kick off IETF discussions around > BIMI. Both these documents need a good deal of work, but are ready for > public discussion. > > For BIMI publishing and usage: > - https://tools.ietf.org/html/draft-blank-ietf-bimi-00 > - https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-00 > > For logo validation: > - https://tools.ietf.org/html/draft-chuang-bimi-certificate-00 > - > https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdmluwHEcbja42w/edit?usp=sharing > > At a high level, these documents have several issues to be worked through: > > 1) The intent is for this to be globally accessible to any domain owner, > but the current mechanisms are more approachable to larger organizations in > first world countries > a) We need a discussion of what other validation mechanisms could work > at scale (our expectation is to have several, signposted weakly in the > draft) > b) We need a way to properly reflect this in the proposed a= tag > > 2) BIMI is NOT a new authentication mechanism, nor does it make ANY claims > about user security or trust in the inbox. However, in places this draft > may be unclear. How do we make this clearer while still explaining why > standardizing this process is important, without crossing the line into UX > or trust, of which BIMI is neither? > > 3) Right now, security surrounding logos is limited to SVGs per > https://tools.ietf.org/html/rfc6170#section-5.2. There's clearly more > that's needed here, especially against attacks that rely on steganography > or resizing vectors, etc. > > 4) Other nits for draft-blank-ietf-bimi: > > a) The structure needs work, as do the Introduction and Overview > b) Some of the technical construction feels like it could be > dramatically simplified > c) Section 8.2 mentions hashes with no definition or clarity > d) The uses of MTA, MUA, and Mail Receiver feel like they overlap each > other left and right > i) And the document is heavily focused on larger receivers where > this distinction is clear, but doesn't give any thought to other receiving > architectures at all, especially mail clients that are the entire stack > > Several authors of these documents will be in Prague, we're looking forward > to the conversations over the next few weeks and face to face! > > Seth > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org> > Date: Wed, Feb 6, 2019 at 11:11 AM > Subject: New Version Notification for draft-blank-ietf-bimi-00.txt > > > A new version of I-D, draft-blank-ietf-bimi-00.txt > has been successfully submitted by Seth Blank and posted to the > IETF repository. > > Name: draft-blank-ietf-bimi > Revision: 00 > Title: Brand Indicators for Message Identification (BIMI) > Document date: 2019-02-06 > Group: Individual Submission > Pages: 26 > URL: > https://www.ietf.org/internet-drafts/draft-blank-ietf-bimi-00.txt > Status: https://datatracker.ietf.org/doc/draft-blank-ietf-bimi/ > Htmlized: https://tools.ietf.org/html/draft-blank-ietf-bimi-00 > Htmlized: https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi > > > Abstract: > Brand Indicators for Message Identification (BIMI) permits Domain > Owners to coordinate with Mail User Agents (MUAs) to display brand- > specific Indicators next to properly authenticated messages. There > are two aspects of BIMI coordination: a scalable mechanism for Domain > Owners to publish their desired indicators, and a mechanism for Mail > Transfer Agents (MTAs) to verify the authenticity of the indicator. > This document specifies how Domain Owners communicate their desired > indicators through the BIMI assertion record in DNS and how that > record is to be handled by MTAs and MUAs. The domain verification > mechanism and extensions for other mail protocols (IMAP, etc.) are > specified in separate documents. MUAs and mail-receiving > organizations are free to define their own policies for indicator > display that makes use or not of BIMI data as they see fit. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] Fwd: [Bimi] New Version Notification for … Wei Chuang
- Re: [lamps] Fwd: [Bimi] New Version Notification … Stephen Farrell
- Re: [lamps] Fwd: [Bimi] New Version Notification … Wei Chuang
- Re: [lamps] Fwd: [Bimi] New Version Notification … Stephen Farrell
- Re: [lamps] Fwd: [Bimi] New Version Notification … Wei Chuang