>> I do think it would be better to use a common key that could be used to
>> verify multiple signed user images, this way only one DNS record would need
>> to be published and the user's eMail address could be used as part of the
>> verification, sort of like how OpenVPN does this (I'm sketchy on these
>> details, but I'm pretty sure this can be done).

I think it cannot be done, as the certificate itself is published in the record, and tied to the image.

A better solution would otherwise be to make a BIMI extension to S/MIME in that case, that will override the server BIMI in S/MIME signed emails, where the BIMI logo becomes part of the S/MIME certificate by a non-critical extension (SHA512 hash + URL of BIMI logo).

Outside of S/MIME, having one key to sign multiple "images" could work by a header in the email containing the BIMI image URL and signature, which is then linked to the BIMI certificate in the record. And the signature is acquired by going to the CA and getting a signature. This could work via an automated solution where each domain is given a BIMI public key purchased by the domain owner; this only requires domain validation like DNS-01. Then the individual users buy their own BIMI signature by submitting their passport scan and the domain they wish to use. If the CA recognizes the public certificate, they can sign for it. If it doesn't, it can't, since the CA doesn't possess the private key. Meaning the domain owner gets to decide which CA the users must use, and then the users acquire the signatures and submit them to the domain owner, which then configures their email accounts.

>> Drawing a line would be arbitrary. There are some families with large
>> numbers of children (more than a dozen)

Agreed, but there it works with 1 record per individual. I think it works nicely up to about 15-20 users, then it becomes a burden. And yes, each user would need their own BIMI certificate in that case, and then a selector is used to choose the right image at sending.

So there are only 2 designations:

Corporation --> one BIMI logo
Individual --> one BIMI face

For non-profits, corporations, government, military, edu, today's "Corporation" BIMI will work well with the organization's logo.

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
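The header-based scheme sketched in the reply above (one BIMI key per domain, a per-user header carrying the image URL plus a signature, verified against the key in the domain's record) as an added Go illustration; it is not code from this thread and not the real BIMI mechanism. The `UserIndicator` header, Ed25519, the `address|url|sha512` signing input and the in-memory map standing in for DNS are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"strings"
)

// UserIndicator is a hypothetical per-user header: the domain's single BIMI
// key signs "address|url|sha512(image)", so one published key covers many images.
type UserIndicator struct {
	Address string // sender address, bound into the signature
	URL     string // where the per-user image is served
	ImgHash string // hex SHA-512 of the image bytes
	Sig     []byte // Ed25519 signature by the domain's BIMI key
}

// dnsRecords stands in for DNS (constructed): domain -> published BIMI public key.
var dnsRecords = map[string]ed25519.PublicKey{}

func signingInput(addr, url, hash string) []byte {
	return []byte(strings.ToLower(addr) + "|" + url + "|" + hash)
}

// IssueIndicator is run by the domain owner, who alone holds the private key.
func IssueIndicator(priv ed25519.PrivateKey, addr, url string, img []byte) UserIndicator {
	sum := sha512.Sum512(img)
	hash := hex.EncodeToString(sum[:])
	return UserIndicator{addr, url, hash, ed25519.Sign(priv, signingInput(addr, url, hash))}
}

// VerifyIndicator is run by the receiver: key from the sender domain's record,
// signature over the bound address/URL/hash, then hash of the fetched image.
// An address without "@" yields an empty-domain lookup and fails closed.
func VerifyIndicator(ind UserIndicator, fetched []byte) error {
	at := strings.LastIndex(ind.Address, "@")
	pub, ok := dnsRecords[strings.ToLower(ind.Address[at+1:])]
	if !ok {
		return errors.New("no BIMI record for sender domain")
	}
	if !ed25519.Verify(pub, signingInput(ind.Address, ind.URL, ind.ImgHash), ind.Sig) {
		return errors.New("signature does not bind this address, URL and hash")
	}
	sum := sha512.Sum512(fetched)
	if hex.EncodeToString(sum[:]) != ind.ImgHash {
		return errors.New("fetched image does not match signed hash")
	}
	return nil
}
```

Binding the sender address into the signed input is what stops one user's signed header from being replayed on another user's mail under the same domain key.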
