Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-13 Thread Randolf Richardson, Postmaster via mailop
> On 10.01.2024 at 21:59 Randolf Richardson, Postmaster via mailop
> wrote:
> 
> > What's missing from BIMI in its current form?  The option
> > for mail server operators to use the same TLS certificates that
> > we're already using for our mail servers (and web servers,
> > and FTP servers, etc.).
> 
> A server certificate only verifies domain ownership. It does
> not include any logos, so it's not suitable to authenticate a
> BIMI selector. Therefore a server certificate cannot be used
> as evidence whether a domain is entitled to use a certain logo
> or not.

Correct.

The requirement that a logo's source be encrypted by a TLS (SSL) 
certificate that is valid for the domain of the sender is doable, 
though.  Disallowing redirection to a different domain name (that's 
not covered by SNI) is also doable.

I've also seen some discussion on using a TLS or SSL certificate to 
calculate a signature or fingerprint on an arbitrarily selected file, 
which covers examples of using OpenSSL commands to do it, but I 
haven't looked into this.

> Besides AFAIK the list price for a Verified Mark Certificate
> is 1500$. Depending on other contracts which a company
> might already have with the CA they'd probably receive a 10% to
> 90% discount. Even without any discount, 1500$ per year is
> not really something which I would consider a barrier for
> anyone but very small shops. Even a 3 person business will
> probably pay more for coffee than for the certificate per year.

The price for registering a trademark in Canada is CAD$347.35 
(USD$259.72 according to Google on 2024-Jan-13), and, as I recall, 
this covers 15 years (and then it needs to be renewed again for the 
next 15 years, probably for the same price or whatever the 
registration price is at that time).

The cost for BIMI's "Verified Mark" certificate for 15 years (to 
match the registered trademark cost) would be USD$22,500.00, which is 
approximately 87 times more expensive.

People are right to be concerned about the costs of certifying their 
BIMI logos because it's so far out of touch with what it actually 
costs to get a registered trademark.

If the cost of the certificates was more in line with the cost of 
registering a trademark, then people probably wouldn't be so inclined 
to wonder if this might be yet another money making scheme.

-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-12 Thread Gellner, Oliver via mailop
On 10.01.2024 at 21:59 Randolf Richardson, Postmaster via mailop wrote:

> What's missing from BIMI in its current form?  The option for mail server 
> operators to use the same TLS certificates that we're already using for our 
> mail servers (and web servers, and FTP servers, etc.).

A server certificate only verifies domain ownership. It does not include any 
logos, so it's not suitable to authenticate a BIMI selector. Therefore a server 
certificate cannot be used as evidence whether a domain is entitled to use a 
certain logo or not.

Besides AFAIK the list price for a Verified Mark Certificate is 1500$. 
Depending on other contracts which a company might already have with the CA 
they'd probably receive a 10% to 90% discount. Even without any discount, 1500$ 
per year is not really something which I would consider a barrier for anyone 
but very small shops. Even a 3 person business will probably pay more for 
coffee than for the certificate per year.

--
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, register court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher

Data protection information
When you get in touch with us, for example when you have questions for our 
ServiceCenter, shop with us or visit our dialogicum in Karlsruhe, have a 
business relationship with us or apply to us, we process personal data. 
Information on, among other things, the specific data processing operations, 
deletion periods, your rights and the contact details of our data protection 
officer can be found here.


Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread Louis Laureys via mailop
Hey all,

> I might have missed something, but wouldn't that be a phisher's wet dream?

It depends on the implementation really. A lot of parallels can be drawn to
things email clients and other platforms have been doing for years. Email
clients have already been using Gravatar, and on almost every social media
platform or forum you can set your own name and avatar. It's not much different.

> I don't think that the regular user will check if the little extra lock is
> there on the icon. They'll see a version of the paypal logo on the phish and
> have an extra feeling of safety.

Maybe, maybe not. I feel about 70% of all commercial emails in my client have
logos. It's essentially the same as the sender name being "PayPal". There's really
no implicit extra trust about there being a logo in this context.

> how the user is supposed to distinguish which avatars are verified BIMI logos,
> and which ones come from a totally different source?

An indicator. It's probably not as effective as only ever showing BIMI verified,
but it's been standard on other platforms for a while now. It's not the solution
to all problems, but it does seem like a design pattern that users will
recognize. I have not done any user research into this though, this is just my
thought process at the moment.

> Otherwise, the non-BIMI avatars displayed along the messages, mixed with BIMI
> ones, will just facilitate phishing instead of making it more difficult

I'm honestly not sure whether that was a great promise to begin with. It's an
attractive one, for sure. BIMI being mixed with other avatars was always a thing
that would probably happen. Gravatar is already widely used, and Gmail shows
avatars for other google users (as far as I know).



I've implemented it this way into my client because I liked being able to more
visually differentiate emails, and reduce the mental load of having to scan
text. It initially had absolutely nothing to do with BIMI, in fact I added BIMI
after I added the other sources. But in my case BIMI can still add security
through the verification indicator, which I will be adding. I've hidden avatars
for messages in the junk folder as well, as a precaution.

Anecdotally, none of the mass phishing emails I've received have had the correct
logo associated. It's usually compromised credentials without access to the
domain, and they don't seem to go through the effort of setting up Gravatar. Of
course this really means nothing for targeted attacks by actually competent
phishers, but I thought it was fun to see. It's something I wondered about when
I started adding the avatars.



Greetings,
Louis


On Thursday 11 January 2024 at 20:43, Tim Starr via mailop wrote:

> They can already rip people off, w/out BIMI. BIMI limits their ability to do
> so in two ways:
> 
> 
> 1) It raises the cost, because BIMI setup costs more.
> 2) It makes it harder for scammers to impersonate trusted brands.
> 
> 
> -Tim
> 
> On Thu, Jan 11, 2024 at 12:58 PM Randolf Richardson, Postmaster via mailop
>  wrote:
> 
> 
> > > I might have missed something, but wouldn't that be a phisher's wet dream?
> > 
> >         Indeed, and because the BIMI record references a URI to load the
> > logo from, so the scammers (spammers, phishers, malware/virus
> > distributors, etc.) could simply specify a different logo file with a
> > recognized brand to make their bad eMail appear legitimate.
> > 
> > > Most spammers know very well how to do a mail with valid DMARC. So, now
> > > they only need to send a valid mail from any throw away cheap domain and
> > > in their BIMI add the logo of paypal?
> > 
> >         Yes.
> > 
> > > I understand it's not great to have to pay for the
> > > verification/certification, but leaving the door open to abuse is a
> > > dangerous path to take.
> > 
> >         Some scammers make a lot of money ripping people off.  They could
> > easily afford to set up a company, get a Trademark, and then use a
> > different logo image when sending their junk eMails.
> > 
> >         So, once this happens often enough, end-users will just not trust
> > the BIMI logos to be reliable and it will be another internet feature
> > that security educators will recommend be taken with a grain of salt.
> > 
> > > Being on the antispam side, I would hate to have to start implementing
> > > BIMI spoof checks.
> > 
> >         I agree.  Even if someone else makes a SpamAssassin plug-in or a
> > milter, it still adds to the overall complexity and will have a
> > potentially-noticeable impact on busier systems ... and then everyone
> > has to pay indirectly for BIMI with slower performance of system
> > upgrades to counter the slower performance.
> > 
> > > Regards,
> > > Laurent
> > >
> > > On 11.01.24 00:05, Louis Laureys via mailop wrote:
> > > >      We decided to keep this because I read that some webmail clients
> > are
> > > >      planning to support BIMI without checking for certificates, or,
> > > >      perhaps, also displaying a little lock 

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread Tim Starr via mailop
They can already rip people off, w/out BIMI. BIMI limits their ability to
do so in two ways:

1) It raises the cost, because BIMI setup costs more.
2) It makes it harder for scammers to impersonate trusted brands.

-Tim

On Thu, Jan 11, 2024 at 12:58 PM Randolf Richardson, Postmaster via mailop <
mailop@mailop.org> wrote:

> > I might have missed something, but wouldn't that be a phisher's wet
> dream?
>
> Indeed, and because the BIMI record references a URI to load the
> logo from, so the scammers (spammers, phishers, malware/virus
> distributors, etc.) could simply specify a different logo file with a
> recognized brand to make their bad eMail appear legitimate.
>
> > Most spammers know very well how to do a mail with valid DMARC. So, now
> > they only need to send a valid mail from any throw away cheap domain and
> > in their BIMI add the logo of paypal?
>
> Yes.
>
> > I understand it's not great to have to pay for the
> > verification/certification, but leaving the door open to abuse is a
> > dangerous path to take.
>
> Some scammers make a lot of money ripping people off.  They could
> easily afford to set up a company, get a Trademark, and then use a
> different logo image when sending their junk eMails.
>
> So, once this happens often enough, end-users will just not trust
> the BIMI logos to be reliable and it will be another internet feature
> that security educators will recommend be taken with a grain of salt.
>
> > Being on the antispam side, I would hate to have to start implementing
> > BIMI spoof checks.
>
> I agree.  Even if someone else makes a SpamAssassin plug-in or a
> milter, it still adds to the overall complexity and will have a
> potentially-noticeable impact on busier systems ... and then everyone
> has to pay indirectly for BIMI with slower performance of system
> upgrades to counter the slower performance.
>
> > Regards,
> > Laurent
> >
> > On 11.01.24 00:05, Louis Laureys via mailop wrote:
> > >  We decided to keep this because I read that some webmail clients
> are
> > >  planning to support BIMI without checking for certificates, or,
> > >  perhaps, also displaying a little lock icon in the corner of the
> > >  sender's BIMI-style logo image where certification is verified.
> > >
> > > This is exactly what I have in mind for my client, thanks for
> publishing your
> > > logo in an easily accessible and standard way :)
> > >
> > > Greetings,
> > > Louis
> > >
> > >
> >
>
>
> --
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, British Columbia, Canada
> https://www.inter-corporate.com/
>
>
>


Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread Benny Pedersen via mailop

Randolf Richardson, Postmaster via mailop wrote on 2024-01-11 19:52:
> > I might have missed something, but wouldn't that be a phisher's wet 
> > dream?
> 
> Indeed, and because the BIMI record references a URI to load the
> logo from, so the scammers (spammers, phishers, malware/virus
> distributors, etc.) could simply specify a different logo file with a
> recognized brand to make their bad eMail appear legitimate.


Let's hope this is resolved to be the same domain as the SASL sender, where DKIM 
passes; BIMI has no rule on whether just random other domains are valid.


hopefully no mistakes there



Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread Randolf Richardson, Postmaster via mailop
> I might have missed something, but wouldn't that be a phisher's wet dream?

Indeed, and because the BIMI record references a URI to load the 
logo from, so the scammers (spammers, phishers, malware/virus 
distributors, etc.) could simply specify a different logo file with a 
recognized brand to make their bad eMail appear legitimate.

> Most spammers know very well how to do a mail with valid DMARC. So, now 
> they only need to send a valid mail from any throw away cheap domain and 
> in their BIMI add the logo of paypal?

Yes.

> I understand it's not great to have to pay for the 
> verification/certification, but leaving the door open to abuse is a 
> dangerous path to take.

Some scammers make a lot of money ripping people off.  They could 
easily afford to set up a company, get a Trademark, and then use a 
different logo image when sending their junk eMails.

So, once this happens often enough, end-users will just not trust 
the BIMI logos to be reliable and it will be another internet feature 
that security educators will recommend be taken with a grain of salt.

> Being on the antispam side, I would hate to have to start implementing 
> BIMI spoof checks.

I agree.  Even if someone else makes a SpamAssassin plug-in or a 
milter, it still adds to the overall complexity and will have a 
potentially-noticeable impact on busier systems ... and then everyone 
has to pay indirectly for BIMI with slower performance of system 
upgrades to counter the slower performance.

> Regards,
> Laurent
> 
> On 11.01.24 00:05, Louis Laureys via mailop wrote:
> >  We decided to keep this because I read that some webmail clients are
> >  planning to support BIMI without checking for certificates, or,
> >  perhaps, also displaying a little lock icon in the corner of the
> >  sender's BIMI-style logo image where certification is verified.
> > 
> > This is exactly what I have in mind for my client, thanks for publishing 
> > your
> > logo in an easily accessible and standard way :)
> > 
> > Greetings,
> > Louis
> > 
> > 
> 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread Jaroslaw Rafa via mailop
On 11.01.2024 at 14:34:16 Laurent S. via mailop writes:
> The trademark verification is only for those that pay for it. Nothing 
> forbids a MUA from displaying an unverified BIMI. Most are luckily not 
> doing it (yet), I just want to warn that if this becomes common, it will 
> be abused for sure. I don't think that the regular user will check if 
> the little extra lock is there on the icon. They'll see a version of the 
> paypal logo on the phish and have an extra feeling of safety.

On 11.01.2024 at 17:52:34 G. Miliotis via mailop writes:
> What I believe will happen is most non-big mail client apps will
> support BIMI if they support avatars, otherwise, they won't, cause
> the arguments on the receiver side are the same for both features.
> 
> I don't buy the "promoting authentication" argument.

And it's clearly visible from Laurent's mail that if MUAs display
unverified BIMI logos (and what would prohibit them from doing that?), the
"authentication" factor can be even weaker than with no avatars at all -
because a user who is convinced that the logo being displayed means that the
message is genuine may not even look at the actual sender field.

Also, if a hypothetical MUA displays BIMI logos, but also displays avatars
obtained by other means (one of the users in the thread mentioned a MUA he
develops that uses e.g. favicons, or the Gravatar service, for that purpose), how
is the user supposed to distinguish which avatars are verified BIMI logos,
and which ones come from a totally different source?

Trying to look at the "broad picture", I realized that the whole concept of
BIMI may actually work as designed *only* if MUA developers could be somehow
*legally prohibited* from displaying any other avatars than verified BIMI
logos. Which not only seems totalitarian in nature, but also politically
completely impossible to actually implement.

Otherwise, the non-BIMI avatars displayed along the messages, mixed with
BIMI ones, will just facilitate phishing instead of making it more
difficult. All the manual work on verifying logos and money invested into
it will be basically a wasted effort.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread L. Mark Stone via mailop
FWIW we went through the trademark process for our logo.

It was time-consuming, but straightforward and not expensive.

We've deployed BIMI, but with a= as the SSL certificates are still quite 
expensive; Digicert's BIMI certificate is half-again as much as their EV 
certificate.

If Digicert et al. offered a combined EV/BIMI certificate (since much of the 
labor-intensive validation tasks as I understand it are identical for both 
certs), I think that could be an attractive option for many senders.

IMHO the industry has several complementary/overlapping initiatives at various 
stages of maturity and adoption, all intended to better authenticate senders 
and prevent domain spoofing. I fully expect there to be friction, resistance 
and bumps in the road as we all work to minimize illegitimate email -- but 
despite Google, Yahoo, Microsoft etc. being a major source of the inbound spam 
that we see to our and our customers' systems, I applaud their efforts to better 
authenticate senders and prevent domain spoofing. 

I just wish they would apply the same strict rulesets to their outbound email 
streams that they are starting to apply/applying to their inbound email 
streams...

Best regards to all, 
Mark 
_ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Laurent S. via mailop" 
To: "mailop" 
Sent: Thursday, January 11, 2024 9:34:16 AM
Subject: Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, 
and intellectual property law considerations

On 11.01.24 14:59, Udeme via mailop wrote:
> There’s a trademark ownership vetting item that’s part of BIMI implementation.
> Not just *anyone* can get past that. #wink
> 

The trademark verification is only for those that pay for it. Nothing 
forbids a MUA from displaying an unverified BIMI. Most are luckily not 
doing it (yet), I just want to warn that if this becomes common, it will 
be abused for sure. I don't think that the regular user will check if 
the little extra lock is there on the icon. They'll see a version of the 
paypal logo on the phish and have an extra feeling of safety.

Best,
Laurent



Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread Laurent S. via mailop
On 11.01.24 14:59, Udeme via mailop wrote:
> There’s a trademark ownership vetting item that’s part of BIMI implementation.
> Not just *anyone* can get past that. #wink
> 

The trademark verification is only for those that pay for it. Nothing 
forbids a MUA from displaying an unverified BIMI. Most are luckily not 
doing it (yet), I just want to warn that if this becomes common, it will 
be abused for sure. I don't think that the regular user will check if 
the little extra lock is there on the icon. They'll see a version of the 
paypal logo on the phish and have an extra feeling of safety.

Best,
Laurent



Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread Udeme via mailop
There’s a trademark ownership vetting item that’s part of BIMI
implementation. Not just *anyone* can get past that. #wink

-Udeme

On Thu, Jan 11, 2024 at 5:36 AM Laurent S. via mailop 
wrote:

> I might have missed something, but wouldn't that be a phisher's wet dream?
>
> Most spammers know very well how to do a mail with valid DMARC. So, now
> they only need to send a valid mail from any throw away cheap domain and
> in their BIMI add the logo of paypal?
>
> I understand it's not great to have to pay for the
> verification/certification, but leaving the door open to abuse is a
> dangerous path to take.
>
> Being on the antispam side, I would hate to have to start implementing
> BIMI spoof checks.
>
> Regards,
> Laurent
>
> On 11.01.24 00:05, Louis Laureys via mailop wrote:
> >  We decided to keep this because I read that some webmail clients are
> >  planning to support BIMI without checking for certificates, or,
> >  perhaps, also displaying a little lock icon in the corner of the
> >  sender's BIMI-style logo image where certification is verified.
> >
> > This is exactly what I have in mind for my client, thanks for publishing
> your
> > logo in an easily accessible and standard way :)
> >
> > Greetings,
> > Louis
> >
> >
>
>


Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread Laurent S. via mailop
I might have missed something, but wouldn't that be a phisher's wet dream?

Most spammers know very well how to do a mail with valid DMARC. So, now 
they only need to send a valid mail from any throw away cheap domain and 
in their BIMI add the logo of paypal?

I understand it's not great to have to pay for the 
verification/certification, but leaving the door open to abuse is a 
dangerous path to take.

Being on the antispam side, I would hate to have to start implementing 
BIMI spoof checks.

Regards,
Laurent

On 11.01.24 00:05, Louis Laureys via mailop wrote:
>  We decided to keep this because I read that some webmail clients are
>  planning to support BIMI without checking for certificates, or,
>  perhaps, also displaying a little lock icon in the corner of the
>  sender's BIMI-style logo image where certification is verified.
> 
> This is exactly what I have in mind for my client, thanks for publishing your
> logo in an easily accessible and standard way :)
> 
> Greetings,
> Louis
> 
> 



Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-11 Thread Randolf Richardson, Postmaster via mailop
> > We decided to keep this because I read that some webmail clients are
> > planning to support BIMI without checking for certificates, or,
> > perhaps, also displaying a little lock icon in the corner of the
> > sender's BIMI-style logo image where certification is verified.
> 
> This is exactly what I have in mind for my client, thanks for publishing your
> logo in an easily accessible and standard way :)

Excellent!

If you need me to send some test messages, please don't hesitate to 
reach out -- I'll be happy to send a few, or a few dozen, as you 
need, and from a few different domains so you can see what different 
logos look like in an Inbox folder.

> Greetings,
> Louis
> 
> 
> On Wednesday 10 January 2024 at 21:58, Randolf Richardson, Postmaster 
> via mailop wrote:
> 
> > We looked into it and publish our own default BIMI record even
> > though we didn't pay the enormous amount of money required to one of two
> > Certificate Authorities.
> > 
> > If anyone is curious to see what the record looks like, use this command:
> > 
> > dig txt default._bimi.inter-corporate.com
> > 
> > The results should include:
> > 
> > ;; ANSWER SECTION:
> > default._bimi.inter-corporate.com. 3600 IN TXT
> > "v=BIMI1; l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg; a=;"
> > 
> > It basically just links to an SVG version of the logo from our main
> > web site (which is also in the same DNS zone).
> > 
> > Note: The "a=" portion normally includes a URI to what's called the
> > "VMC/Assertion record" in the form of a typical .pem file. Ours is
> > blank because we don't have the needed file for this.
> > 
> > We decided to keep this because I read that some webmail clients are
> > planning to support BIMI without checking for certificates, or,
> > perhaps, also displaying a little lock icon in the corner of the
> > sender's BIMI-style logo image where certification is verified.
> > 
> > The BIMI Group provides an online checking tool that displays our
> > logo (just search for "inter-corporate.com" to see ours):
> > 
> > BIMI LookUp & Generator :: Check compliance w/ BIMI standards
> > https://www.bimigroup.org/bimi-generator/
> > 
> > Our logo is shown near the end of the report, and for ours there's
> > an indication that we comply, but there's also this warning:
> > 
> > "Note: While your BIMI record is compliant, it doesn't include a
> > Verified Mark Certificate that may be required by some mailbox
> > providers."
> > 
> > What's missing from BIMI in its current form? The option for mail
> > server operators to use the same TLS certificates that we're already
> > using for our mail servers (and web servers, and FTP servers, etc.).
> > 
> > It makes less sense to me to involve a different CA just for one
> > tiny little image because then that's more technology that has to be
> > administered, managed, troubleshot, implemented, etc., and paid
> > for separately. For eMail systems that host multiple domains and
> > clients, BIMI is not an attractive option in its current state.
> > 
> > If BIMI is to be taken as an open standard, then it needs to embrace
> > openness so that the TLS certificates issued by all CAs (including
> > commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI
> > gaining wider adoption.
> > 
> > The "must be a Registered Trademark" requirement is too expensive
> > for a lot of small businesses. A copyrighted logo is already
> > sufficient to provide legal protections in many scenarios (depending
> > on jurisdiction, etc.), so the bar is too high as it is -- DMCA
> > violation notices should be taken seriously regardless of whether the
> > intellectual property (such as an organization's logo) is protected
> > under copyright, servicemark, or trademark property mechanisms.
> > 
> > Another problem with limiting the scope of intellectual property
> > protection to a Registered Trademark is that trademark applications
> > can also be rejected even though a logo is already copyrighted, and
> > the reasons can vary based on a variety of factors, including
> > different jurisdictional regulations, local and/or national laws that
> > limit free expression, cultural sensitivity policies, delays due to
> > fraudulent disputes submitted by intellectual property trolls, etc.
> > 
> > Also: How does BIMI intend to resolve valid Registered Trademarks
> > from two different countries that look almost the same? Is there a
> > mechanism that will only allow BIMI logos to be displayed in certain
> > countries where said Registered Trademark is protected? Will there
> > be enforcement to make sure all vendors adhere to implementing BIMI
> > correctly in this manner? Or, if a Registered Trademark is only
> > registered in one country, will vendors still be able to display it
> > in other countries? Or will the source be the determining factor (in
> > which 

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-10 Thread Opti Pub via mailop
+1

On Wed, Jan 10, 2024 at 6:14 PM Louis Laureys via mailop 
wrote:

> We decided to keep this because I read that some webmail clients are
> planning to support BIMI without checking for certificates, or,
> perhaps, also displaying a little lock icon in the corner of the
> sender's BIMI-style logo image where certification is verified.
>
> This is exactly what I have in mind for my client, thanks for publishing
> your logo in an easily accessible and standard way :)
>
> Greetings,
> Louis
>
>
> On Wednesday 10 January 2024 at 21:58, Randolf Richardson,
> Postmaster via mailop wrote:
>
> We looked into it and publish our own default BIMI record even
> though we didn't pay the enormous amount of money required to one of two
> Certificate Authorities.
>
> If anyone is curious to see what the record looks like, use this command:
>
> dig txt default._bimi.inter-corporate.com
>
> The results should include:
>
> ;; ANSWER SECTION:
> default._bimi.inter-corporate.com. 3600 IN TXT
> "v=BIMI1; l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg;
> a=;"
>
> It basically just links to an SVG version of the logo from our main
> web site (which is also in the same DNS zone).
>
> Note: The "a=" portion normally includes a URI to what's called the
> "VMC/Assertion record" in the form of a typical .pem file. Ours is
> blank because we don't have the needed file for this.
>
> We decided to keep this because I read that some webmail clients are
> planning to support BIMI without checking for certificates, or,
> perhaps, also displaying a little lock icon in the corner of the
> sender's BIMI-style logo image where certification is verified.
>
> The BIMI Group provides an online checking tool that displays our
> logo (just search for "inter-corporate.com" to see ours):
>
> BIMI LookUp & Generator :: Check compliance w/ BIMI standards
> https://www.bimigroup.org/bimi-generator/
>
> Our logo is shown near the end of the report, and for ours there's
> an indication that we comply, but there's also this warning:
>
> "Note: While your BIMI record is compliant, it doesn't include a
> Verified Mark Certificate that may be required by some mailbox
> providers."
>
> What's missing from BIMI in its current form? The option for mail
> server operators to use the same TLS certificates that we're already
> using for our mail servers (and web servers, and FTP servers, etc.).
>
> It makes less sense to me to involve a different CA just for one
> tiny little image because then that's more technology that has to be
> administered, managed, troubleshot, implemented, etc., and paid
> for separately. For eMail systems that host multiple domains and
> clients, BIMI is not an attractive option in its current state.
>
> If BIMI is to be taken as an open standard, then it needs to embrace
> openness so that the TLS certificates issued by all CAs (including
> commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI
> gaining wider adoption.
>
> The "must be a Registered Trademark" requirement is too expensive
> for a lot of small businesses. A copyrighted logo is already
> sufficient to provide legal protections in many scenarios (depending
> on jurisdiction, etc.), so the bar is too high as it is -- DMCA
> violation notices should be taken seriously regardless of whether the
> intellectual property (such as an organization's logo) is protected
> under copyright, servicemark, or trademark property mechanisms.
>
> Another problem with limiting the scope of intellectual property
> protection to a Registered Trademark is that trademark applications
> can also be rejected even though a logo is already copyrighted, and
> the reasons can vary based on a variety of factors, including
> different jurisdictional regulations, local and/or national laws that
> limit free expression, cultural sensitivity policies, delays due to
> fraudulent disputes submitted by intellectual property trolls, etc.
>
> Also: How does BIMI intend to resolve valid Registered Trademarks
> from two different countries that look almost the same? Is there a
> mechanism that will only allow BIMI logos to be displayed in certain
> countries where said Registered Trademark is protected? Will there
> be enforcement to make sure all vendors adhere to implementing BIMI
> correctly in this manner? Or, if a Registered Trademark is only
> registered in one country, will vendors still be able to display it
> in other countries? Or will the source be the determining factor (in
> which case, what reliable solution does BIMI propose for a company
> using a service provider in some other country to deliver their eMail)?
>
> Keeping things simpler, open, and lowering the bar to be more
> inclusive are, in my opinion, some of the more important factors in
> BIMI's future success. Otherwise, it just looks like an attempt to
> make money (which is how at least some people who've looked into it
> seem to perceive it at present).
>
> (If BIMI doesn't lower the bar, then perhaps someone 

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-10 Thread Louis Laureys via mailop
> We decided to keep this because I read that some webmail clients are
> planning to support BIMI without checking for certificates, or,
> perhaps, also displaying a little lock icon in the corner of the
> sender's BIMI-style logo image where certification is verified.

This is exactly what I have in mind for my client, thanks for publishing your
logo in an easily accessible and standard way :)

Cheers,
Louis


On Wednesday, 10 January 2024 at 21:58, Randolf Richardson, Postmaster via
mailop wrote:

> We looked into it and publish our own default BIMI record even
> though we didn't pay the enormous amount of money required to one of two
> Certificate Authorities.
> 
> If anyone is curious to see what the record looks like, use this command:
> 
> dig txt default._bimi.inter-corporate.com
> 
> The results should include:
> 
> ;; ANSWER SECTION:
> default._bimi.inter-corporate.com. 3600 IN TXT
> "v=BIMI1; l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg;
> a=;"
> 
> It basically just links to an SVG version of the logo from our main
> web site (which is also in the same DNS zone).
> 
> Note: The "a=" portion normally includes a URI to what's called the
> "VMC/Assertion record" in the form of a typical .pem file. Ours is
> blank because we don't have the needed file for this.
> 
> We decided to keep this because I read that some webmail clients are
> planning to support BIMI without checking for certificates, or,
> perhaps, also displaying a little lock icon in the corner of the
> sender's BIMI-style logo image where certification is verified.
> 
> The BIMI Group provides an online checking tool that displays our
> logo (just search for "inter-corporate.com" to see ours):
> 
> BIMI LookUp & Generator :: Check compliance w/ BIMI standards
> https://www.bimigroup.org/bimi-generator/
> 
> Our logo is shown near the end of the report, and for ours there's
> an indication that we comply, but there's also this warning:
> 
> "Note: While your BIMI record is compliant, it doesn't include a
> Verified Mark Certificate that may be required by some mailbox
> providers."
> 
> What's missing from BIMI in its current form? The option for mail
> server operators to use the same TLS certificates that we're already
> using for our mail servers (and web servers, and FTP servers, etc.).
> 
> It makes less sense to me to involve a different CA just for one
> tiny little image because then that's more technology that has to be
> administered, managed, troubleshot, implemented, etc., and paid
> for separately. For eMail systems that host multiple domains and
> clients, BIMI is not an attractive option in its current state.
> 
> If BIMI is to be taken as an open standard, then it needs to embrace
> openness so that the TLS certificates issued by all CAs (including
> commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI
> gaining wider adoption.
> 
> The "must be a Registered Trademark" requirement is too expensive
> for a lot of small businesses. A copyrighted logo is already
> sufficient to provide legal protections in many scenarios (depending
> on jurisdiction, etc.), so the bar is too high as it is -- DMCA
> violation notices should be taken seriously regardless of whether the
> intellectual property (such as an organization's logo) is protected
> under copyright, servicemark, or trademark property mechanisms.
> 
> Another problem with limiting the scope of intellectual property
> protection to a Registered Trademark is that trademark applications
> can also be rejected even though a logo is already copyrighted, and
> the reasons can vary based on a variety of factors, including
> different jurisdictional regulations, local and/or national laws that
> limit free expression, cultural sensitivity policies, delays due to
> fraudulent disputes submitted by intellectual property trolls, etc.
> 
> Also: How does BIMI intend to resolve valid Registered Trademarks
> from two different countries that look almost the same? Is there a
> mechanism that will only allow BIMI logos to be displayed in certain
> countries where said Registered Trademark is protected? Will there
> be enforcement to make sure all vendors adhere to implementing BIMI
> correctly in this manner? Or, if a Registered Trademark is only
> registered in one country, will vendors still be able to display it
> in other countries? Or will the source be the determining factor (in
> which case, what reliable solution does BIMI propose for a company
> using a service provider in some other country to deliver their eMail)?
> 
> Keeping things simpler, open, and lowering the bar to be more
> inclusive are, in my opinion, some of the more important factors in
> BIMI's future success. Otherwise, it just looks like an attempt to
> make money (which is how at least some people who've looked into it
> seem to perceive it at present).
> 
> (If BIMI 

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

2024-01-10 Thread Randolf Richardson, Postmaster via mailop
We looked into it and publish our own default BIMI record even 
though we didn't pay the enormous amount of money required to one of two 
Certificate Authorities.

If anyone is curious to see what the record looks like, use this command:

dig txt default._bimi.inter-corporate.com

The results should include:

;; ANSWER SECTION:
default._bimi.inter-corporate.com. 3600 IN TXT
"v=BIMI1; 
l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg; a=;"

It basically just links to an SVG version of the logo from our main 
web site (which is also in the same DNS zone).

Note:  The "a=" portion normally includes a URI to what's called the 
"VMC/Assertion record" in the form of a typical .pem file.  Ours is 
blank because we don't have the needed file for this.

We decided to keep this because I read that some webmail clients are 
planning to support BIMI without checking for certificates, or, 
perhaps, also displaying a little lock icon in the corner of the 
sender's BIMI-style logo image where certification is verified.

The BIMI Group provides an online checking tool that displays our 
logo (just search for "inter-corporate.com" to see ours):

BIMI LookUp & Generator :: Check compliance w/ BIMI standards
https://www.bimigroup.org/bimi-generator/

Our logo is shown near the end of the report, and for ours there's 
an indication that we comply, but there's also this warning:

"Note: While your BIMI record is compliant, it doesn't include a 
Verified Mark Certificate that may be required by some mailbox 
providers."

What's missing from BIMI in its current form?  The option for mail 
server operators to use the same TLS certificates that we're already 
using for our mail servers (and web servers, and FTP servers, etc.).

It makes less sense to me to involve a different CA just for one 
tiny little image because then that's more technology that has to be 
administered, managed, troubleshot, implemented, etc., and paid 
for separately.  For eMail systems that host multiple domains and 
clients, BIMI is not an attractive option in its current state.

If BIMI is to be taken as an open standard, then it needs to embrace 
openness so that the TLS certificates issued by all CAs (including 
commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI 
gaining wider adoption.

The "must be a Registered Trademark" requirement is too expensive 
for a lot of small businesses.  A copyrighted logo is already 
sufficient to provide legal protections in many scenarios (depending 
on jurisdiction, etc.), so the bar is too high as it is -- DMCA 
violation notices should be taken seriously regardless of whether the 
intellectual property (such as an organization's logo) is protected 
under copyright, servicemark, or trademark property mechanisms.

Another problem with limiting the scope of intellectual property 
protection to a Registered Trademark is that trademark applications 
can also be rejected even though a logo is already copyrighted, and 
the reasons can vary based on a variety of factors, including 
different jurisdictional regulations, local and/or national laws that 
limit free expression, cultural sensitivity policies, delays due to 
fraudulent disputes submitted by intellectual property trolls, etc.

Also:  How does BIMI intend to resolve valid Registered Trademarks 
from two different countries that look almost the same?  Is there a 
mechanism that will only allow BIMI logos to be displayed in certain 
countries where said Registered Trademark is protected?  Will there 
be enforcement to make sure all vendors adhere to implementing BIMI 
correctly in this manner?  Or, if a Registered Trademark is only 
registered in one country, will vendors still be able to display it 
in other countries?  Or will the source be the determining factor (in 
which case, what reliable solution does BIMI propose for a company 
using a service provider in some other country to deliver their eMail)?

Keeping things simpler, open, and lowering the bar to be more 
inclusive are, in my opinion, some of the more important factors in 
BIMI's future success.  Otherwise, it just looks like an attempt to 
make money (which is how at least some people who've looked into it 
seem to perceive it at present).

(If BIMI doesn't lower the bar, then perhaps someone will be 
motivated to create an alternative standard that is simpler, open, 
and more inclusive.)

> Hi mailops,
> 
> I am new here because I want to collect some opinion.
> 
> Many bigger mailers are blogging about BIMI.
> As far as I see its exclusively for brands.
> It has 2 big barriers for entry:
> - Expensive bespoke cert oids
> - Registered trademark logos
> 
> As from my perspective of independent mailing between humans: I fear this 
> might
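As an added example (not code from the thread, the BIMI Group, or any mail client), here is a small offline parser for the BIMI TXT record Randolf describes above: it builds the `selector._bimi.domain` lookup name, splits the "tag=value;" list, checks that v=BIMI1 comes first and that l= is an https URL to an SVG, and reproduces the lookup tool's "compliant, but no Verified Mark Certificate" verdict when a= is blank. The inter-corporate.com record is the one quoted in the thread; example.com and its URLs are constructed sample values.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Record published by inter-corporate.com, as quoted in the thread.
PAGE_RECORD = ("v=BIMI1; l=https://www.inter-corporate.com/images/"
               "logo60bimi-iccns.svg; a=;")
# Constructed variants for a hypothetical example.com: one with a VMC, one broken.
WITH_VMC = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem;"
BROKEN = "l=http://example.com/logo.png; v=BIMI1"


def bimi_lookup_name(domain: str, selector: str = "default") -> str:
    """DNS name that holds the record, e.g. default._bimi.inter-corporate.com."""
    return f"{selector}._bimi.{domain.rstrip('.')}"


@dataclass
class BimiRecord:
    logo: str = ""       # l= tag: https URL of the SVG logo
    assertion: str = ""  # a= tag: https URL of the VMC .pem; blank when none
    problems: list[str] = field(default_factory=list)


def _https(url: str) -> bool:
    u = urlparse(url)
    return u.scheme == "https" and bool(u.netloc)


def parse_bimi_txt(txt: str) -> BimiRecord:
    rec, tags = BimiRecord(), []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            rec.problems.append(f"malformed tag {part!r}")
            continue
        key, val = part.split("=", 1)
        tags.append((key.strip().lower(), val.strip()))
    found = dict(tags)
    if not tags or tags[0] != ("v", "BIMI1"):  # version tag must come first
        rec.problems.append("record must start with v=BIMI1")
    rec.logo = found.get("l", "")
    if not (_https(rec.logo) and urlparse(rec.logo).path.lower().endswith(".svg")):
        rec.problems.append("l= must be an https URL to an SVG file")
    rec.assertion = found.get("a", "")
    if rec.assertion and not _https(rec.assertion):
        rec.problems.append("a= must be an https URL to the VMC .pem when present")
    return rec


def verdict(txt: str) -> str:
    """Same split as the lookup tool: compliant, but warn when a= is blank."""
    rec = parse_bimi_txt(txt)
    if rec.problems:
        return "not compliant: " + "; ".join(rec.problems)
    return "compliant" + ("" if rec.assertion else ", but no Verified Mark Certificate")
```

Feed the TXT string returned by `dig txt default._bimi.<domain>` into `verdict()` to get the same three-way answer the online tool gives.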