IETF Logo Mail Archive

[lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt

Wei Chuang <weihaw@google.com> Sat, 09 February 2019 16:36 UTC

Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 790B31200ED for <spasm@ietfa.amsl.com>; Sat, 9 Feb 2019 08:36:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DcjhqIRHVCcK for <spasm@ietfa.amsl.com>; Sat, 9 Feb 2019 08:36:28 -0800 (PST)
Received: from mail-yw1-xc34.google.com (mail-yw1-xc34.google.com [IPv6:2607:f8b0:4864:20::c34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B44F12008A for <spasm@ietf.org>; Sat, 9 Feb 2019 08:36:28 -0800 (PST)
Received: by mail-yw1-xc34.google.com with SMTP id k14so2599536ywe.4 for <spasm@ietf.org>; Sat, 09 Feb 2019 08:36:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=6FcYESDilcmCobCz4G1To3xGGysOf5ujvNdVodz01Ew=; b=AdVURBQ2TuR5PajpCFxw6A4y40szgn3bO/3x9nIpqtCHGf2YgZobTAMqGYzsqpl3CP ZxMl9smMLCgliDM8r3yQ2vwND8MWdmoHgoD1y1gQGp1jkqaIloCUviv+nQo3N/slHrMe h/L57VkTpndRu8rViwH3jbmjHXr1T76gG0aRlpaX2+xI9eYF1huEFTd8IpADuZEx+77g JlhShE/CIHclyThg3IE83Dgeje1nRzmtZuAH1cUJ8nB4PeDapTYR0+uGKLxDwtFMZqmE CMpWeubOy5+gZ9vWSf+8pjGM53WvnWKVF5a7PjHh2GBB0jB4X6ViSc02aBXxWQjfj0uV SFiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=6FcYESDilcmCobCz4G1To3xGGysOf5ujvNdVodz01Ew=; b=s6Lt7ZSxZO8LE8V7XeYMkbuhAAiD6xuWGoyk/TuT86hT/fQgA/I58ats9p7GRsXLCm x2rMEVVGsu+DgzDEDuc78MWSWhj/DvBuowsP7MoEletb2VTTMIOiZ9Pjjzb9rwH8xnQY 60uYMBgTm3jx4Sucjv3dakdDXDvBP0G06oMIy4taz2Qxu8tAaZQuhFS6CSDCKH8q3IOz FuOGhFviYh269lNR3p8dDwjFH0upGp1IDBn5TetTZHh7UJ4f6FG4BRHS10kwygwcAyqL r0ywD+opIKOwPLhKZQy10aeQl8Gd1OQ7e0qoSXaAvgrPWQVZ4aVFAMMMX48SZ/zQnle+ D/nw==
X-Gm-Message-State: AHQUAuaZIPxyP41HTBMbTzOmOnzBL5vl2mi/uHEtTqvz+EzFedVOH7XO 1fqfC6LNIf9y0l7nD0hfHB4kKr39lwHMxtC6apeSitMDkWE2og==
X-Google-Smtp-Source: AHgI3IYiPBs5l45fXJF8uTjyL9h7KoQmlQPiOtLs2m9C7uwyxa8bE6NymhT4xzCsevrM795F/UwiBhAU/guG6Oq1f70=
X-Received: by 2002:a81:52d3:: with SMTP id g202mr10571643ywb.244.1549730186024; Sat, 09 Feb 2019 08:36:26 -0800 (PST)
MIME-Version: 1.0
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com>
In-Reply-To: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
Date: Sat, 09 Feb 2019 08:36:13 -0800
Message-ID: <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com>
To: SPASM <spasm@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000004bf3af058178ad48"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tpbU01x9GLt7uQZ79TezC0UuHak>
Subject: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Feb 2019 16:36:32 -0000

Hi all,

I'm cross posting to the LAMPS mailing list for visibility, that there is a
new mailing list for Brand Indicators for Message Identification (BIMI)
which allows for logos to be displayed by an email recipient. This is of
interest to LAMPS since a secured part of the specification uses X.509/PKIX
certificates to carry these logos and assert a 3rd party validation.  A
while back, I posted here a draft requesting a new certificate Extended Key
Usage value to distinguish these logo carrying certificate which linked
below.  Also described below is the validation procedure for the
certificate based on web Extended Validation (EV) but built upon to handle
the logo validation.  I also have a security justification document that I
hope to turn into an IETF informational draft that will help justify the
security of the logo and other information carried in the certificate.  We
look forward to your comments and questions on the BIMI list.
https://www.ietf.org/mailman/listinfo/bimi

-Wei

---------- Forwarded message ---------
From: Seth Blank <seth@sethblank.com>
Date: Wed, Feb 6, 2019 at 12:11 PM
Subject: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
To: <bimi@ietf.org>


I've uploaded two documents as I-Ds to kick off IETF discussions around
BIMI. Both these documents need a good deal of work, but are ready for
public discussion.

For BIMI publishing and usage:
- https://tools.ietf.org/html/draft-blank-ietf-bimi-00
- https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-00

For logo validation:
- https://tools.ietf.org/html/draft-chuang-bimi-certificate-00
-
https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdmluwHEcbja42w/edit?usp=sharing

At a high level, these documents have several issues to be worked through:

1) The intent is for this to be globally accessible to any domain owner,
but the current mechanisms are more approachable to larger organizations in
first world countries
   a) We need a discussion of what other validation mechanisms could work
at scale (our expectation is to have several, signposted weakly in the
draft)
   b) We need a way to properly reflect this in the proposed a= tag

2) BIMI is NOT a new authentication mechanism, nor does it make ANY claims
about user security or trust in the inbox. However, in places this draft
may be unclear. How do we make this clearer while still explaining why
standardizing this process is important, without crossing the line into UX
or trust, of which BIMI is neither?

3) Right now, security surrounding logos is limited to SVGs per
https://tools.ietf.org/html/rfc6170#section-5.2. There's clearly more
that's needed here, especially against attacks that rely on steganography
or resizing vectors, etc.

4) Other nits for draft-blank-ietf-bimi:

   a) The structure needs work, as do the Introduction and Overview
   b) Some of the technical construction feels like it could be
dramatically simplified
   c) Section 8.2 mentions hashes with no definition or clarity
   d) The uses of MTA, MUA, and Mail Receiver feel like they overlap each
other left and right
       i) And the document is heavily focused on larger receivers where
this distinction is clear, but doesn't give any thought to other receiving
architectures at all, especially mail clients that are the entire stack

Several authors of these documents will be in Prague, we're looking forward
to the conversations over the next few weeks and face to face!

Seth

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Wed, Feb 6, 2019 at 11:11 AM
Subject: New Version Notification for draft-blank-ietf-bimi-00.txt


A new version of I-D, draft-blank-ietf-bimi-00.txt
has been successfully submitted by Seth Blank and posted to the
IETF repository.

Name:           draft-blank-ietf-bimi
Revision:       00
Title:          Brand Indicators for Message Identification (BIMI)
Document date:  2019-02-06
Group:          Individual Submission
Pages:          26
URL:
https://www.ietf.org/internet-drafts/draft-blank-ietf-bimi-00.txt
Status:         https://datatracker.ietf.org/doc/draft-blank-ietf-bimi/
Htmlized:       https://tools.ietf.org/html/draft-blank-ietf-bimi-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi


Abstract:
   Brand Indicators for Message Identification (BIMI) permits Domain
   Owners to coordinate with Mail User Agents (MUAs) to display brand-
   specific Indicators next to properly authenticated messages.  There
   are two aspects of BIMI coordination: a scalable mechanism for Domain
   Owners to publish their desired indicators, and a mechanism for Mail
   Transfer Agents (MTAs) to verify the authenticity of the indicator.
   This document specifies how Domain Owners communicate their desired
   indicators through the BIMI assertion record in DNS and how that
   record is to be handled by MTAs and MUAs.  The domain verification
   mechanism and extensions for other mail protocols (IMAP, etc.) are
   specified in separate documents.  MUAs and mail-receiving
   organizations are free to define their own policies for indicator
   display that makes use or not of BIMI data as they see fit.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

-- 
bimi mailing list
bimi@ietf.org
https://www.ietf.org/mailman/listinfo/bimi

v2.23.0 | Report a Bug | By Email