Re: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
Wei Chuang <weihaw@google.com> Sat, 09 February 2019 19:05 UTC
Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA7C71294FA for <spasm@ietfa.amsl.com>; Sat, 9 Feb 2019 11:05:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1mTPsW17FcWS for <spasm@ietfa.amsl.com>; Sat, 9 Feb 2019 11:05:29 -0800 (PST)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E06A2126D00 for <spasm@ietf.org>; Sat, 9 Feb 2019 11:05:28 -0800 (PST)
Received: by mail-yb1-xb2b.google.com with SMTP id o81so2762604yba.8 for <spasm@ietf.org>; Sat, 09 Feb 2019 11:05:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dXSuDYgIMpdem+Pa+6hatp5vesFa4s8T9SYwskKh0l0=; b=d2nw9lwjzaO4+/unm62tizgkFhResnYHAIFrtFKKnSZaqCNEtvPnPP0TkVS2LiRl3H 57McB8eBOKzANfXgo84DteMFJFkc+rVn4Oi8eTmNdMPLA3j0WWuAg1bGG7EUW/C/96Gk y+xbYJH7KLgihG00/jYo6ui5rX5PPn/If534yp5WDHHwndwJ5u1n2wXIxzP8gSSHovOJ PIxDPRnGmBdHaH+25MjhjemyGtZri3JDLEd0ga5RA3vesXjprKAQs9Aj2ofYu7jv11EE GA2SupKylPhKnlaO/v+5hpwNxnMZWc7/XM/9J30G4P+X7c/UL5Lb2RJYOfXmZbqhoyqa 7YCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dXSuDYgIMpdem+Pa+6hatp5vesFa4s8T9SYwskKh0l0=; b=Ic34QpC4MhIr/a8UVXunGRtihm+Pxvdla6UyAF8kxrJBIK8ZIeUlRtyXx1b4lHJbaN jskt0yHOqYmF3X1YpMRCmcB23U0YsbqTtespq+PQrk90LJcKOQkD6G+iNtp5bmS/jrx/ dJs4SeiFXBY6llnA+eYOjndIJRLQEFC8Gqh3WY8TlBR9lxa6LY08htvGoD+P7k2uORdH nVt6thjPgBJmfBS76wQ1js/zmSZVrvVwFQcxQMkMcAoDysMJLNXEvcuyr/sJir3wM9cj m6AbGKsa7BTn3paGP6ZKXnusUZ625Bu75zUe2XSPcPyGsz4e/L7uS/OxaGPEnAOI0ID1 PhBQ==
X-Gm-Message-State: AHQUAuamR93NQ4kTQgah/SoMc+oB/FZe7jjuT1EJ3lSO6zh8vCDfQ+JO kgbRN5jKPnIbg/XFGPEIMoSTy1fL0Wb1aXGQbWjlPmxDbw0=
X-Google-Smtp-Source: AHgI3IZgaW1d3H02KgjCWMgnv0WB1QEsU1HATZrBMgNfPL5xTsxcMqgXSnEfZHOdqcDlXKzVTUStxmu3hbgWAn2Utgg=
X-Received: by 2002:a25:2008:: with SMTP id g8mr22533059ybg.167.1549739125846; Sat, 09 Feb 2019 11:05:25 -0800 (PST)
MIME-Version: 1.0
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com> <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com> <3cbf4861-94ab-6623-86ad-a13d292d3393@cs.tcd.ie>
In-Reply-To: <3cbf4861-94ab-6623-86ad-a13d292d3393@cs.tcd.ie>
From: Wei Chuang <weihaw@google.com>
Date: Sat, 09 Feb 2019 11:05:12 -0800
Message-ID: <CAAFsWK2rtbmT=+KhGBWDJYd84GzsAHnH_QSVPUDL4Lx27Fv0ag@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: SPASM <spasm@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000271ed105817ac212"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/cf-jmY5tOx-zIdklMyfLGdp9YqY>
Subject: Re: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Feb 2019 19:05:34 -0000
It is intended to support privacy, though it is up to email providers and clients to do the right thing. It uses certificates that carry the logo (and other identity information) and assert 3rd party validation without interacting with another server. Our intent is that these certificates are meant to be fetched at delivery and stored by email provider for the client, though such a fetch could be done by the client at use. Along those lines, for revocation checks, the guidelines requires that CAs to provide CRLs though OCSPs are allowed. -Wei On Sat, Feb 9, 2019 at 8:53 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > I've not yet subscribed to that bimi list but... > > As a user of email I do not want more crap in messages that > user agents might de-reference thereby increasing how much > I am tracked and my devices' attack surfaces. So my starting > position is that I need to be convinced bimi is not just a > bad idea. > > S. > > On 09/02/2019 16:36, Wei Chuang wrote: > > Hi all, > > > > I'm cross posting to the LAMPS mailing list for visibility, that there > is a > > new mailing list for Brand Indicators for Message Identification (BIMI) > > which allows for logos to be displayed by an email recipient. This is of > > interest to LAMPS since a secured part of the specification uses > X.509/PKIX > > certificates to carry these logos and assert a 3rd party validation. A > > while back, I posted here a draft requesting a new certificate Extended > Key > > Usage value to distinguish these logo carrying certificate which linked > > below. Also described below is the validation procedure for the > > certificate based on web Extended Validation (EV) but built upon to > handle > > the logo validation. I also have a security justification document that > I > > hope to turn into an IETF informational draft that will help justify the > > security of the logo and other information carried in the certificate. > We > > look forward to your comments and questions on the BIMI list. > > https://www.ietf.org/mailman/listinfo/bimi > > > > -Wei > > > > ---------- Forwarded message --------- > > From: Seth Blank <seth@sethblank.com> > > Date: Wed, Feb 6, 2019 at 12:11 PM > > Subject: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt > > To: <bimi@ietf.org> > > > > > > I've uploaded two documents as I-Ds to kick off IETF discussions around > > BIMI. Both these documents need a good deal of work, but are ready for > > public discussion. > > > > For BIMI publishing and usage: > > - https://tools.ietf.org/html/draft-blank-ietf-bimi-00 > > - https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-00 > > > > For logo validation: > > - https://tools.ietf.org/html/draft-chuang-bimi-certificate-00 > > - > > > https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdmluwHEcbja42w/edit?usp=sharing > > > > At a high level, these documents have several issues to be worked > through: > > > > 1) The intent is for this to be globally accessible to any domain owner, > > but the current mechanisms are more approachable to larger organizations > in > > first world countries > > a) We need a discussion of what other validation mechanisms could work > > at scale (our expectation is to have several, signposted weakly in the > > draft) > > b) We need a way to properly reflect this in the proposed a= tag > > > > 2) BIMI is NOT a new authentication mechanism, nor does it make ANY > claims > > about user security or trust in the inbox. However, in places this draft > > may be unclear. How do we make this clearer while still explaining why > > standardizing this process is important, without crossing the line into > UX > > or trust, of which BIMI is neither? > > > > 3) Right now, security surrounding logos is limited to SVGs per > > https://tools.ietf.org/html/rfc6170#section-5.2. There's clearly more > > that's needed here, especially against attacks that rely on steganography > > or resizing vectors, etc. > > > > 4) Other nits for draft-blank-ietf-bimi: > > > > a) The structure needs work, as do the Introduction and Overview > > b) Some of the technical construction feels like it could be > > dramatically simplified > > c) Section 8.2 mentions hashes with no definition or clarity > > d) The uses of MTA, MUA, and Mail Receiver feel like they overlap each > > other left and right > > i) And the document is heavily focused on larger receivers where > > this distinction is clear, but doesn't give any thought to other > receiving > > architectures at all, especially mail clients that are the entire stack > > > > Several authors of these documents will be in Prague, we're looking > forward > > to the conversations over the next few weeks and face to face! > > > > Seth > > > > ---------- Forwarded message --------- > > From: <internet-drafts@ietf.org> > > Date: Wed, Feb 6, 2019 at 11:11 AM > > Subject: New Version Notification for draft-blank-ietf-bimi-00.txt > > > > > > A new version of I-D, draft-blank-ietf-bimi-00.txt > > has been successfully submitted by Seth Blank and posted to the > > IETF repository. > > > > Name: draft-blank-ietf-bimi > > Revision: 00 > > Title: Brand Indicators for Message Identification (BIMI) > > Document date: 2019-02-06 > > Group: Individual Submission > > Pages: 26 > > URL: > > https://www.ietf.org/internet-drafts/draft-blank-ietf-bimi-00.txt > > Status: https://datatracker.ietf.org/doc/draft-blank-ietf-bimi/ > > Htmlized: https://tools.ietf.org/html/draft-blank-ietf-bimi-00 > > Htmlized: > https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi > > > > > > Abstract: > > Brand Indicators for Message Identification (BIMI) permits Domain > > Owners to coordinate with Mail User Agents (MUAs) to display brand- > > specific Indicators next to properly authenticated messages. There > > are two aspects of BIMI coordination: a scalable mechanism for Domain > > Owners to publish their desired indicators, and a mechanism for Mail > > Transfer Agents (MTAs) to verify the authenticity of the indicator. > > This document specifies how Domain Owners communicate their desired > > indicators through the BIMI assertion record in DNS and how that > > record is to be handled by MTAs and MUAs. The domain verification > > mechanism and extensions for other mail protocols (IMAP, etc.) are > > specified in separate documents. MUAs and mail-receiving > > organizations are free to define their own policies for indicator > > display that makes use or not of BIMI data as they see fit. > > > > > > > > > > Please note that it may take a couple of minutes from the time of > submission > > until the htmlized version and diff are available at tools.ietf.org. > > > > The IETF Secretariat > > > > > > _______________________________________________ > > Spasm mailing list > > Spasm@ietf.org > > https://www.ietf.org/mailman/listinfo/spasm > > >
- [lamps] Fwd: [Bimi] New Version Notification for … Wei Chuang
- Re: [lamps] Fwd: [Bimi] New Version Notification … Stephen Farrell
- Re: [lamps] Fwd: [Bimi] New Version Notification … Wei Chuang
- Re: [lamps] Fwd: [Bimi] New Version Notification … Stephen Farrell
- Re: [lamps] Fwd: [Bimi] New Version Notification … Wei Chuang