Re: [mailop] BIMI boycott?

[Louis Laureys via mailop]

> I hope that goes well for you (especially if you're planning to
> compete with the big free webmail providers).

Thanks, it's a saturated market for sure! Hoping I can still differentiate
myself is some key areas, like many of you I imagine :)

Groetjes,
Louis


Op zaterdag 13 januari 2024 om 20:01, schreef Randolf Richardson, Postmaster via
mailop :

> > > I find that helpful too.
> >
> > Good to hear I'm not alone haha
> >
> > > Will your eMail client have a free edition option?
> >
> > Afraid not. Will be starting an email host in the future and this will be
> the
> > webmail + mobile apps, it would access the host though an api so won't be
> > compatible with other hosts (but of course my host does support imap). I'm
> > currently its only user (this email is written in it), and there's no public
> > record of it beyond what you're reading now. Once I get my act together and
> > finally start this thing anyone here would of course be welcome to a free
> > account ;)
> 
> I hope that goes well for you (especially if you're planning to
> compete with the big free webmail providers).
> 
> Thanks for the clarification.
> 
> > > If you support BIMI with and without the "a=" parameter containing a
> > > certificate, that would be fantastic. (You could always indicate
> > > with a golden lock in the corner of BIMI logos when they do have
> > > valid certificates specified with the "a=" parameter.)
> >
> > That's the plan! Sorry to disappoint with the whole being an unreleased
> > proprietary email client part.
> 
> Excellent, and no worries about the proprietary part -- I asked
> because I didn't know what the intended outcome is.
> 
> > Groetjes,
> > Louis
> >
> >
> > Op donderdag 11 januari 2024 om 10:10, schreef Randolf Richardson,
> Postmaster
> > via mailop :
> >
> > > > > Simply, nobody needs this.
> > > >
> > > > I've been building an email client and actually do fetch avatars and
> logos
> > > to be
> > > > displayed next to emails. I find it helps me visually identify emails
> > > easier,
> > > > it's a lot less taxing on the brain than reading sender names or
> addresses.
> > > Of
> > > > course in my case I'm also scraping gravatar and favicons, so it doesn't
> > > have
> > > > much to do with BIMI.
> > >
> > > I find that helpful too.
> > >
> > > Will your eMail client have a free edition option? If so, please do
> > > share a link to it here (or eMail me directly) because I'd be happy
> > > to consider including it in the list of eMail client software options
> > > that we provide to our users (and also include it in the "Resources"
> > > section of the Canadian Lumber Cartel web site).
> > >
> > > (On PCs, most of our users are either using OutLook, Thunderbird, or
> > > our webmail option. A few are using other software, including
> > > Sylpheed, Pegasus Mail, and some others I don't recall the names of.)
> > >
> > > > Just wanted to add that I actually like it for visual clarity. Though I
> > > would
> > > > have liked a more general avatar implementation not geared towards
> > > businesses.
> > >
> > > If you support BIMI with and without the "a=" parameter containing a
> > > certificate, that would be fantastic. (You could always indicate
> > > with a golden lock in the corner of BIMI logos when they do have
> > > valid certificates specified with the "a=" parameter.)
> > >
> > > > Groetjes,
> > > > Louis
> > > >
> > > >
> > > > Op woensdag 10 januari 2024 om 18:18, schreef Jaroslaw Rafa via mailop
> > > >  [mailop@mailop.org]]>:
> > > >
> > > > > Dnia 10.01.2024 o godz. 11:32:36 Seth Blank via mailop pisze:
> > > > > > The hope is that as BIMI gets more widely adopted, the cost (and
> > > > > > automation) of the logo validation drops. Time will tell.
> > > > > >
> > > > > > Of course, for broader adoption, we also need to progress beyond
> > > > > > trademarks, which have their own cost and timeliness issues. The
> working
> > > > > > group is leaning heavily into this, as its our top priority to make
> BIMI
> > > > > > more broadly accessible.
> > > > > >
> > > > > > This covers our technical intent:
> > > > > > https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00]
> > > [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00]]
> > > > > [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00]
> > > [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00]]] and
> > > > >
> > > > > The document fails to convincingly answer THE one basic question:
> > > > >
> > > > > WHY in the hell is such a strange feature needed at all and for whom?
> > > > >
> > > > > As the OP has written, the only ones that may be interested in this
> may be
> > > > > marketers. Nobody else needs any logos, 

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Randolf Richardson, Postmaster via mailop]

> On 10.01.2024 at 21:59 Randolf Richardson, Postmaster via mailop
> wrote:
> 
> > What's missing from BIMI in its current form?  The option
> > for mail server oparators to use the same TLS certificates that
> > we're already using for our mail servers (and web servers,
> > and FTP servers, etc.).
> 
> A server certificate only verifies domain ownership. It does
> not include any logos, so it's not suitable to authenticate a
> BIMI selector. Therefor a server certificate cannot be used
> as evidence whether a domain is entitled to use a certain logo
> or not.

Correct.

The requirement that a logo's source be encrypted by a TLS (SSL) 
certificate that is valid for the domain of the sender is doable, 
though.  Disallowing redirection to a different domain name (that's 
not covered by SNI) is also doable.

I've also seen some discussion on using a TLS or SSL certificate to 
calculate a signature or fingerprint on an arbitrarily selected file, 
which cover examples of using OpenSSL commands to do it, but I 
haven't looked into this.

> Besides AFAIK the list price for a Verified Mark Certificate
> is 1500$. Depending on other contracts which a company
> might already have with the CA they'd probably receive a 10% to
> 90% discount. Even without any discount, 1500$ per year is
> not really something which I would consider a barrier for
> anyone but very small shops. Even a 3 person business will
> probably pay more for coffee than for the  certificate per year.

The price for registering a trademark in Canada is CAD$347.35 
(USD$259.72 according to Google on 2024-Jan-13), and, as I recall, 
this covers 15 years (and then it needs to be renewed again for the 
next 15 years, probably for the same price or whatever the 
registration price is at that time).

The cost for BIMI's "Verified Mark" certificate for 15 years (to 
match the registered trademark cost) would be USD$22,500.00, which is 
approximately 87 times more expensive.

People are right to be concerned about the costs of certifying their 
BIMI logos because it's so far out of touch with what it acdtually 
costs to get a registered trademark.

If the cost of the certificates was more in line with the cost of 
registering a trademark, then people probably wouldn't be so inclined 
to wonder if this might be yet another money making scheme.

-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Randolf Richardson, Postmaster via mailop]

> > I find that helpful too.
> 
> Good to hear I'm not alone haha
> 
> > Will your eMail client have a free edition option?
> 
> Afraid not. Will be starting an email host in the future and this will be the
> webmail + mobile apps, it would access the host though an api so won't be
> compatible with other hosts (but of course my host does support imap). I'm
> currently its only user (this email is written in it), and there's no public
> record of it beyond what you're reading now. Once I get my act together and
> finally start this thing anyone here would of course be welcome to a free
> account ;)

I hope that goes well for you (especially if you're planning to 
compete with the big free webmail providers).

Thanks for the clarification.

> > If you support BIMI with and without the "a=" parameter containing a
> > certificate, that would be fantastic. (You could always indicate
> > with a golden lock in the corner of BIMI logos when they do have
> > valid certificates specified with the "a=" parameter.)
> 
> That's the plan! Sorry to disappoint with the whole being an unreleased
> proprietary email client part.

Excellent, and no worries about the proprietary part -- I asked 
because I didn't know what the intended outcome is.

> Groetjes,
> Louis
> 
> 
> Op donderdag 11 januari 2024 om 10:10, schreef Randolf Richardson, Postmaster
> via mailop :
> 
> > > > Simply, nobody needs this.
> > >
> > > I've been building an email client and actually do fetch avatars and logos
> > to be
> > > displayed next to emails. I find it helps me visually identify emails
> > easier,
> > > it's a lot less taxing on the brain than reading sender names or 
> > > addresses.
> > Of
> > > course in my case I'm also scraping gravatar and favicons, so it doesn't
> > have
> > > much to do with BIMI.
> > 
> > I find that helpful too.
> > 
> > Will your eMail client have a free edition option? If so, please do
> > share a link to it here (or eMail me directly) because I'd be happy
> > to consider including it in the list of eMail client software options
> > that we provide to our users (and also include it in the "Resources"
> > section of the Canadian Lumber Cartel web site).
> > 
> > (On PCs, most of our users are either using OutLook, Thunderbird, or
> > our webmail option. A few are using other software, including
> > Sylpheed, Pegasus Mail, and some others I don't recall the names of.)
> > 
> > > Just wanted to add that I actually like it for visual clarity. Though I
> > would
> > > have liked a more general avatar implementation not geared towards
> > businesses.
> > 
> > If you support BIMI with and without the "a=" parameter containing a
> > certificate, that would be fantastic. (You could always indicate
> > with a golden lock in the corner of BIMI logos when they do have
> > valid certificates specified with the "a=" parameter.)
> > 
> > > Groetjes,
> > > Louis
> > >
> > >
> > > Op woensdag 10 januari 2024 om 18:18, schreef Jaroslaw Rafa via mailop
> > > :
> > >
> > > > Dnia 10.01.2024 o godz. 11:32:36 Seth Blank via mailop pisze:
> > > > > The hope is that as BIMI gets more widely adopted, the cost (and
> > > > > automation) of the logo validation drops. Time will tell.
> > > > >
> > > > > Of course, for broader adoption, we also need to progress beyond
> > > > > trademarks, which have their own cost and timeliness issues. The 
> > > > > working
> > > > > group is leaning heavily into this, as its our top priority to make 
> > > > > BIMI
> > > > > more broadly accessible.
> > > > >
> > > > > This covers our technical intent:
> > > > > https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> > [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00]
> > > > [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> > [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00]] and
> > > >
> > > > The document fails to convincingly answer THE one basic question:
> > > >
> > > > WHY in the hell is such a strange feature needed at all and for whom?
> > > >
> > > > As the OP has written, the only ones that may be interested in this may 
> > > > be
> > > > marketers. Nobody else needs any logos, avatars etc. displayed alongside
> > the
> > > > email headers. There is a reason why the early attempt at this - I'm
> > talking
> > > > about the X-Face header, which you even refer to in this document - 
> > > > never
> > > > gained any popularity. Simply, nobody needs this. The fact that Gmail
> > > > implemented in its web client putting up some images alongside email
> > headers
> > > > (which, by the way, show anything non-default only if the sender is
> > another
> > > > Gmail user and has a profile picture defined in his/her account) 
> > > > shouldn't
> > > > be any reference nor guide for designing email applications at all. 
> > > > NOBODY
> > > > NEEDS THESE IMAGES.
> > > >
> > > > Also, I see no feasible way - neither now nor in the future - to use it
> > any
> > 

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Gellner, Oliver via mailop]

On 10.01.2024 at 21:59 Randolf Richardson, Postmaster via mailop wrote:

> What's missing from BIMI in its current form?  The option for mail server 
> oparators to use the same TLS certificates that we're already using for our 
> mail servers (and web servers, and FTP servers, etc.).

A server certificate only verifies domain ownership. It does not include any 
logos, so it's not suitable to authenticate a BIMI selector. Therefor a server 
certificate cannot be used as evidence whether a domain is entitled to use a 
certain logo or not.

Besides AFAIK the list price for a Verified Mark Certificate is 1500$. 
Depending on other contracts which a company might already have with the CA 
they'd probably receive a 10% to 90% discount. Even without any discount, 1500$ 
per year is not really something which I would consider a barrier for anyone 
but very small shops. Even a 3 person business will probably pay more for 
coffee than for the  certificate per year.

--
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Gellner, Oliver via mailop]

On 11.01.2024 at 17:18 Ángel via mailop wrote:

> On 2024-01-10 at 20:38 +, Gellner, Oliver wrote:
>> Either way, BIMI is not suitable for reader tracking as you cannot
>> provide different logo URIs for each recipient.

> Sorry, but it would be possible:
>> Domain Owners can specify which other selector to use on a per-
>> message basis by utilizing the BIMI-Selector Header

> You could set a different selector per email message sent. You could manage 
> that with a wildcard dns entry and check the dns server logs.

> However, the draft is specified in such manner that the fetching would be 
> done by the MTA, so the BIMI check and fetching wouldn't provide information 
> to the senders.

Yes and even if the MUA fetched the logo directly, tracking would only be 
possible if the receiver displayed unverified BIMI logos. Otherwise the sender 
would have to acquire a different VMC for each selector / recipient, which 
wouldn't scale. There are a lot of ways to track email receivers, BIMI isn't 
one of them.

--
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Louis Laureys via mailop]

> Then the recipient can choose to use a MUA that supports avatars (of course,
> there should always be the possibility to turn them off in configuration -
> which also solves the issue of tracking; if someone doesn't want to be
> tracked, he/she can turn the avatar support off in options, and their MUA
> won't fetch any avatar images from any website).

Of course! In my case avatars can be disabled, it's user preference whether to
have them or not. The avatars are also cached for a month or more on the server
side, are never requested directly from the client as to expose the user IP, and
only ever fetch the root domain to avoid tracking through per user subdomains.
Tracking would still be possible if you use a single domain specifically to
track a single user, but my thinking is that the chances of that are fairly low.

> But what would be actually desirable, is exactly what you wrote - an
> implementation not geared towards businesses. BIMI is nothing like this, as
> John clearly explained below it is and always will be geared towards
> businesses

Yep! To be fair, a lot of people receive mostly B2C email. So in the case of a
recipient wanting to see avatars, it's still quite nice to have as opposed to no
standard at all. A general avatar standard would have been nicer in my opinion.
But then, perhaps the big players would not have adopted it because there are no
verification benefits? Not sure.



Groetjes,
Louis


Op donderdag 11 januari 2024 om 12:19, schreef Jaroslaw Rafa via mailop
:

> Dnia 10.01.2024 o godz. 22:57:21 Louis Laureys via mailop pisze:
> > Just wanted to add that I actually like it for visual clarity. Though I
> would
> > have liked a more general avatar implementation not geared towards
> businesses.
> 
> If someone, *as a recipient*, likes having avatars next to email, I have
> nothing against it - but *only if it's totally optional and decided upon by
> recipient* (and by recipient, I mean the individual person and not the
> organization that runs the receiving mail server). Then the recipient can
> choose to use a MUA that supports avatars (of course, there should always be
> the possibility to turn them off in configuration - which also solves the
> issue of tracking; if someone doesn't want to be tracked, he/she can turn
> the avatar support off in options, and their MUA won't fetch any avatar
> images from any website).
> 
> But what would be actually desirable, is exactly what you wrote - an
> implementation *not geared towards businesses*. BIMI is nothing like this,
> as John clearly explained below it *is and always will be* geared towards
> businesses. And for me BIMI looks more like push from the *senders* (and in
> particular, big marketing senders) on people to use the avatars (and use
> them only in a particular way dictated by big businesses), rather than
> a response to an *actual need* from *recipients* to use them.
> 
> Dnia 10.01.2024 o godz. 21:21:16 John Levine via mailop pisze:
> > While it would be nice to make BIMI available to small organizations
> > without costing a lot of money, the question "is entity A allowed to
> > show logo X" is very hard even for people, and not amenable to
> > authomation. In a few cases where the entity has already paid to put
> > the logo in a trademark database it's easier but that sure doesn't
> > scale.
> 
> There is a very real danger (and this is even predicted in the document
> linked in the previous email) that adoption of BIMI by big mail providers
> will serve as another "antispam" measure; messages having verified BIMI mark
> would be treated by ISPs as more "trustworthy" and "reputable" than the
> messages that don't. This would clearly lead to dividing email service in
> two categories: "first class" would be an email from businesses that are big
> and rich enough that they can afford having their email BIMI certified,
> which would give them a kind of "guarantee" for their emails to be delivered
> to all the big ISPs - and a "second class" consisiting of all the other
> senders, who lack BIMI verification, and thus can only hope to have luck
> that their email gets through the filters (which will happen gradually less
> and less often).
> 
> As it has happened with DMARC, which also in the beginning - as the document
> states - was purely optional and meant only for specific, often-phished
> domains.
> 
> This is a very bad perspective, and BIMI is in my opinion a road straight to
> this direction.
> --
> Regards,
> Jaroslaw Rafa
> r...@rafa.eu.org [r...@rafa.eu.org]
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
> ___
> mailop mailing list
> mailop@mailop.org [mailop@mailop.org]
> https://list.mailop.org/listinfo/mailop
> [https://list.mailop.org/listinfo/mailop]___
mailop mailing list
mailop@mailop.org

Re: [mailop] BIMI boycott?

[Louis Laureys via mailop]

> I find that helpful too.

Good to hear I'm not alone haha

> Will your eMail client have a free edition option?

Afraid not. Will be starting an email host in the future and this will be the
webmail + mobile apps, it would access the host though an api so won't be
compatible with other hosts (but of course my host does support imap). I'm
currently its only user (this email is written in it), and there's no public
record of it beyond what you're reading now. Once I get my act together and
finally start this thing anyone here would of course be welcome to a free
account ;)

> If you support BIMI with and without the "a=" parameter containing a
> certificate, that would be fantastic. (You could always indicate
> with a golden lock in the corner of BIMI logos when they do have
> valid certificates specified with the "a=" parameter.)

That's the plan! Sorry to disappoint with the whole being an unreleased
proprietary email client part.



Groetjes,
Louis


Op donderdag 11 januari 2024 om 10:10, schreef Randolf Richardson, Postmaster
via mailop :

> > > Simply, nobody needs this.
> >
> > I've been building an email client and actually do fetch avatars and logos
> to be
> > displayed next to emails. I find it helps me visually identify emails
> easier,
> > it's a lot less taxing on the brain than reading sender names or addresses.
> Of
> > course in my case I'm also scraping gravatar and favicons, so it doesn't
> have
> > much to do with BIMI.
> 
> I find that helpful too.
> 
> Will your eMail client have a free edition option? If so, please do
> share a link to it here (or eMail me directly) because I'd be happy
> to consider including it in the list of eMail client software options
> that we provide to our users (and also include it in the "Resources"
> section of the Canadian Lumber Cartel web site).
> 
> (On PCs, most of our users are either using OutLook, Thunderbird, or
> our webmail option. A few are using other software, including
> Sylpheed, Pegasus Mail, and some others I don't recall the names of.)
> 
> > Just wanted to add that I actually like it for visual clarity. Though I
> would
> > have liked a more general avatar implementation not geared towards
> businesses.
> 
> If you support BIMI with and without the "a=" parameter containing a
> certificate, that would be fantastic. (You could always indicate
> with a golden lock in the corner of BIMI logos when they do have
> valid certificates specified with the "a=" parameter.)
> 
> > Groetjes,
> > Louis
> >
> >
> > Op woensdag 10 januari 2024 om 18:18, schreef Jaroslaw Rafa via mailop
> > :
> >
> > > Dnia 10.01.2024 o godz. 11:32:36 Seth Blank via mailop pisze:
> > > > The hope is that as BIMI gets more widely adopted, the cost (and
> > > > automation) of the logo validation drops. Time will tell.
> > > >
> > > > Of course, for broader adoption, we also need to progress beyond
> > > > trademarks, which have their own cost and timeliness issues. The working
> > > > group is leaning heavily into this, as its our top priority to make BIMI
> > > > more broadly accessible.
> > > >
> > > > This covers our technical intent:
> > > > https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00]
> > > [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00]] and
> > >
> > > The document fails to convincingly answer THE one basic question:
> > >
> > > WHY in the hell is such a strange feature needed at all and for whom?
> > >
> > > As the OP has written, the only ones that may be interested in this may be
> > > marketers. Nobody else needs any logos, avatars etc. displayed alongside
> the
> > > email headers. There is a reason why the early attempt at this - I'm
> talking
> > > about the X-Face header, which you even refer to in this document - never
> > > gained any popularity. Simply, nobody needs this. The fact that Gmail
> > > implemented in its web client putting up some images alongside email
> headers
> > > (which, by the way, show anything non-default only if the sender is
> another
> > > Gmail user and has a profile picture defined in his/her account) shouldn't
> > > be any reference nor guide for designing email applications at all. NOBODY
> > > NEEDS THESE IMAGES.
> > >
> > > Also, I see no feasible way - neither now nor in the future - to use it
> any
> > > meaningful way in person-to-person communication, which is the topic OP
> > > asked about, and you seem to have ignored it completely in your answer.
> The
> > > document you are linking to isn't even trying to address this use case! It
> > > speaks all the time about "organizations" or "brands" and their logotypes,
> > > like companies or organizations were the only senders of emails. Or maybe
> > > this is the actual intent? To make individual people only reicipents of
> > > emails, without the ability to send?
> > >
> > > In section 3.3 you even 

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Louis Laureys via mailop]

Hey all,

> I might have missed something, but wouldn't that be a phisher's wet dream?

It depends on the implementation really. A lot of parallels can be drawn to
things email clients and other platforms have been doing for years. Email
clients have already been using Gravatar, and on almost every social media
platform or forum you can set your own name and avatar. It's not much different.

> I don't think that the regular user will check if the little extra lock is
> there on the icon. They'll see a version of the paypal logo on the phish and
> have an extra feeling of safety.

Maybe, maybe not. I feel about 70% of all commercial emails in my client have
logos. It's essentially same as the sender name being "PayPal". There's really
no implicit extra trust about there being a logo in this context.

> how the user is supposed to distinguish which avatars are verified BIMI logos,
> and which ones come from a totally different source?

An indicator. It's probably not as effective as only ever showing BIMI verified,
but it's been standard on other platforms for a while now. It's not the solution
to all problems, but it does seem like a design pattern that users will
recognize. I have not done any user research into this though, this is just my
thought process at the moment.

> Otherwise, the non-BIMI avatars displayed along the messages, mixed with BIMI
> ones, will just facilitate phishing instead of making it more difficult

I'm honestly not sure whether that was a great promise to begin with. It's an
attractive one, for sure. BIMI being mixed with other avatars was always a thing
that would probably happen. Gravatar is already widely used, and Gmail shows
avatars for other google users (as far as I know).



I've implemented it this way into my client because I liked being able to more
visually differentiate emails, and reduce the mental load of having to scan
text. It initially had absolutely nothing to do with BIMI, in fact I added BIMI
after I added the other sources. But in my case BIMI can still add security
through the verification indicator, which I will be adding. I've hidden avatars
for messages in the junk folder as well, as a precaution.

Anecdotally, none of the mass phishing emails I've received have had the correct
logo associated. It's usually compromised credentials without access to the
domain, and they don't seem to go through the effort of setting up Gravatar. Of
course this really means nothing for targeted attacks by actually competent
phishers, but I thought it was fun to see. It's something I wondered about when
I started adding the avatars.



Groetjes,
Louis


Op donderdag 11 januari 2024 om 20:43, schreef Tim Starr via mailop
:

> They can already rip people off, w/out BIMI. BIMI limits their ability to do
> so in two ways:
> 
> 
> 1) It raises the cost, because BIMI setup costs more.
> 2) It makes it harder for scammers to impersonate trusted brands.
> 
> 
> -Tim
> 
> On Thu, Jan 11, 2024 at 12:58 PM Randolf Richardson, Postmaster via mailop
>  wrote:
> 
> 
> > > I might have missed something, but wouldn't that be a phisher's wet dream?
> > 
> >         Indeed, and because the BIMI record references a URI to load the
> > logo from, so the scammers (spammers, phishers, malware/virus
> > distributors, etc.) could simply specify a different logo file with a
> > recognized brand to make their bad eMail appear legitimate.
> > 
> > > Most spammers know very well how to do a mail with valid DMARC. So, now
> > > they only need to send a valid mail from any throw away cheap domain and
> > > in their BIMI add the logo of paypal?
> > 
> >         Yes.
> > 
> > > I understand it's not great to have to pay for the
> > > verification/certification, but leaving the door open to abuse is a
> > > dangerous path to take.
> > 
> >         Some scammers make a lot of money ripping people off.  They could
> > easily afford set up a company, get a Trademark, and then use a
> > different logo image when sending their junk eMails.
> > 
> >         So, once this happens often enough, end-users will just not trust
> > the BIMI logos to be reliable and it will be another internet feature
> > that security educators will recommend be taken with a grain of salt.
> > 
> > > Being on the antispam side, I would hate to have to start implementing
> > > BIMI spoof checks.
> > 
> >         I agree.  Even if someone else makes a SpamAssassin plug-in or a
> > milter, it still adds to the overall complexity and will have a
> > potentially-noticeable impact on busier systems ... and then everyone
> > has to pay indirectly for BIMI with slower performance of system
> > upgrades to counter the slower performance.
> > 
> > > Regards,
> > > Laurent
> > >
> > > On 11.01.24 00:05, Louis Laureys via mailop wrote:
> > > >      We decided to keep this because I read that some webmail clients
> > are
> > > >      planning to support BIMI without checking for certificates, or,
> > > >      perhaps, also displaying a little lock 

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Tim Starr via mailop]

They can already rip people off, w/out BIMI. BIMI limits their ability to
do so in two ways:

1) It raises the cost, because BIMI setup costs more.
2) It makes it harder for scammers to impersonate trusted brands.

-Tim

On Thu, Jan 11, 2024 at 12:58 PM Randolf Richardson, Postmaster via mailop <
mailop@mailop.org> wrote:

> > I might have missed something, but wouldn't that be a phisher's wet
> dream?
>
> Indeed, and because the BIMI record references a URI to load the
> logo from, so the scammers (spammers, phishers, malware/virus
> distributors, etc.) could simply specify a different logo file with a
> recognized brand to make their bad eMail appear legitimate.
>
> > Most spammers know very well how to do a mail with valid DMARC. So, now
> > they only need to send a valid mail from any throw away cheap domain and
> > in their BIMI add the logo of paypal?
>
> Yes.
>
> > I understand it's not great to have to pay for the
> > verification/certification, but leaving the door open to abuse is a
> > dangerous path to take.
>
> Some scammers make a lot of money ripping people off.  They could
> easily afford set up a company, get a Trademark, and then use a
> different logo image when sending their junk eMails.
>
> So, once this happens often enough, end-users will just not trust
> the BIMI logos to be reliable and it will be another internet feature
> that security educators will recommend be taken with a grain of salt.
>
> > Being on the antispam side, I would hate to have to start implementing
> > BIMI spoof checks.
>
> I agree.  Even if someone else makes a SpamAssassin plug-in or a
> milter, it still adds to the overall complexity and will have a
> potentially-noticeable impact on busier systems ... and then everyone
> has to pay indirectly for BIMI with slower performance of system
> upgrades to counter the slower performance.
>
> > Regards,
> > Laurent
> >
> > On 11.01.24 00:05, Louis Laureys via mailop wrote:
> > >  We decided to keep this because I read that some webmail clients
> are
> > >  planning to support BIMI without checking for certificates, or,
> > >  perhaps, also displaying a little lock icon in the corner of the
> > >  sender's BIMI-style logo image where certification is verified.
> > >
> > > This is exactly what I have in mind for my client, thanks for
> publishing your
> > > logo in an easily accessible and standard way :)
> > >
> > > Groetjes,
> > > Louis
> > >
> > >
> >
> > ___
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
>
>
> --
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, British Columbia, Canada
> https://www.inter-corporate.com/
>
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Benny Pedersen via mailop]

Randolf Richardson, Postmaster via mailop skrev den 2024-01-11 19:52:
I might have missed something, but wouldn't that be a phisher's wet 
dream?


Indeed, and because the BIMI record references a URI to load the
logo from, so the scammers (spammers, phishers, malware/virus
distributors, etc.) could simply specify a different logo file with a
recognized brand to make their bad eMail appear legitimate.


lets hope this is resolved to be same domain as sasl sender, where dkim 
is pass, bimi have no rule if its just random other domains is valid


hopefully no mistakes there

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Randolf Richardson, Postmaster via mailop]

> I might have missed something, but wouldn't that be a phisher's wet dream?

Indeed, and because the BIMI record references a URI to load the 
logo from, so the scammers (spammers, phishers, malware/virus 
distributors, etc.) could simply specify a different logo file with a 
recognized brand to make their bad eMail appear legitimate.

> Most spammers know very well how to do a mail with valid DMARC. So, now 
> they only need to send a valid mail from any throw away cheap domain and 
> in their BIMI add the logo of paypal?

Yes.

> I understand it's not great to have to pay for the 
> verification/certification, but leaving the door open to abuse is a 
> dangerous path to take.

Some scammers make a lot of money ripping people off.  They could 
easily afford set up a company, get a Trademark, and then use a 
different logo image when sending their junk eMails.

So, once this happens often enough, end-users will just not trust 
the BIMI logos to be reliable and it will be another internet feature 
that security educators will recommend be taken with a grain of salt.

> Being on the antispam side, I would hate to have to start implementing 
> BIMI spoof checks.

I agree.  Even if someone else makes a SpamAssassin plug-in or a 
milter, it still adds to the overall complexity and will have a 
potentially-noticeable impact on busier systems ... and then everyone 
has to pay indirectly for BIMI with slower performance of system 
upgrades to counter the slower performance.

> Regards,
> Laurent
> 
> On 11.01.24 00:05, Louis Laureys via mailop wrote:
> >  We decided to keep this because I read that some webmail clients are
> >  planning to support BIMI without checking for certificates, or,
> >  perhaps, also displaying a little lock icon in the corner of the
> >  sender's BIMI-style logo image where certification is verified.
> > 
> > This is exactly what I have in mind for my client, thanks for publishing 
> > your
> > logo in an easily accessible and standard way :)
> > 
> > Groetjes,
> > Louis
> > 
> > 
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Tim Starr via mailop]

You seem to be taking a religious position based on your perception of
"need." If this feature is un-needed, why did Google and Yahoo do it? They
think their users want it, that's why they spent time building this feature
into their UIs, and why they keep it there. Among other things, it serves
as a visible indicator of email that is both authenticated and passes
DMARC. If you also object to authentication and DMARC, then you're making
yourself even more of a minority advocate. I do not expect any such boycott
to get widespread adoption.

Tim Starr

On Wed, Jan 10, 2024 at 11:34 AM Jaroslaw Rafa via mailop 
wrote:

> Dnia 10.01.2024 o godz. 11:32:36 Seth Blank via mailop pisze:
> > The hope is that as BIMI gets more widely adopted, the cost (and
> > automation) of the logo validation drops. Time will tell.
> >
> > Of course, for broader adoption, we also need to progress beyond
> > trademarks, which have their own cost and timeliness issues. The working
> > group is leaning heavily into this, as its our top priority to make BIMI
> > more broadly accessible.
> >
> > This covers our technical intent:
> > https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00 and
>
> The document fails to convincingly answer THE one basic question:
>
> WHY in the hell is such a strange feature needed at all and for whom?
>
> As the OP has written, the only ones that may be interested in this may be
> marketers. Nobody else needs any logos, avatars etc. displayed alongside
> the
> email headers. There is a reason why the early attempt at this - I'm
> talking
> about the X-Face header, which you even refer to in this document - never
> gained any popularity. Simply, nobody needs this. The fact that Gmail
> implemented in its web client putting up some images alongside email
> headers
> (which, by the way, show anything non-default only if the sender is another
> Gmail user and has a profile picture defined in his/her account) shouldn't
> be any reference nor guide for designing email applications at all. NOBODY
> NEEDS THESE IMAGES.
>
> Also, I see no feasible way - neither now nor in the future - to use it any
> meaningful way in person-to-person communication, which is the topic OP
> asked about, and you seem to have ignored it completely in your answer. The
> document you are linking to isn't even trying to address this use case! It
> speaks all the time about "organizations" or "brands" and their logotypes,
> like companies or organizations were the only senders of emails. Or maybe
> this is the actual intent? To make individual people only reicipents of
> emails, without the ability to send?
>
> In section 3.3 you even predict that BIMI is about to go the same path
> DMARC
> went - "DMARC started with limited use to protect heavily phished domains",
> and now we have arrived to the point when you almost can't send mail to any
> big mail provider without having DMARC properly set up. You predict that
> likely the same will happen for BIMI, which means, you won't be able to
> send
> mail to any of the "big players" if you don't have BIMI set up. Which
> *will*
> cost money - you are also clear about it. Is the goal to make email a
> closed
> ecosystem in which only the big players can participate?
>
> This was a bad idea from the beginning (I would even say, a crazy idea) and
> will still be a bad idea no matter how much work and effort you put into
> it.
> So maybe it's better not to waste that effort at all and direct it towards
> something actually useful.
> --
> Regards,
>Jaroslaw Rafa
>r...@rafa.eu.org
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Jaroslaw Rafa via mailop]

Dnia 11.01.2024 o godz. 14:34:16 Laurent S. via mailop pisze:
> The trademark verification is only for those that pay for it. Nothing 
> forbids a MUA from displaying an unverified BIMI. Most are luckily not 
> doing it (yet), I just want to warn that if this becomes common, it will 
> be abused for sure. I don't think that the regular user will check if 
> the little extra lock is there on the icon. They'll see a version of the 
> paypal logo on the phish and have an extra feeling of safety.

Dnia 11.01.2024 o godz. 17:52:34 G. Miliotis via mailop pisze:
> What I believe will happen is most non-big mail client apps will
> support BIMI if they support avatars, otherwise, they won't, cause
> the arguments on the receiver side are the same for both features.
> 
> I don't buy the "promoting authentication" argument.

And it's clearly visible from the Laurent's mail that if MUAs will display
the unverified BIMI logos (and what would prohibit them from that?) the
"authentication" factor can be even weaker than with no avatars at all -
because user who is convinced that the logo being displayed means that the
message is genuine, may not even look at the actual sender field.

Also, if a hypothetical MUA displays BIMI logos, but also displays avatars
obtained by other means (one of the users in the thread mentioned a MUA he
develops that uses eg. favicons, or Gravatar service for that purpose), how
the user is supposed to distinguish which avatars are verified BIMI logos,
and which ones come from a totally different source?

Trying to look at the "broad picture", I realized that the whole concept of
BIMI may actually work as designed *only* if MUA developers could be somehow
*legally prohibited* from displaying any other avatars than verified BIMI
logos. Which not only seems totalitarian in nature, but also politically
completely impossible to actually implement.

Otherwise, the non-BIMI avatars displayed along the messages, mixed with
BIMI ones, will just facilitate phishing instead of making it more
difficult. All the manual work on verifying logos and money invested into
it will be basically a wasted effort.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Ángel via mailop]

On 2024-01-10 at 20:38 +, Gellner, Oliver wrote:
> > Its also may be yet another reader-engagement tracker. Why do those
> > things always have to be out of band.
> 
> Well, there’s no automated way to connect a logo to a domain. The
> BIMI group has decided to build upon the work of trademark offices to
> connect logos to companies and then set up a manual verification
> process to connect the company to a domain. There might be other ways
> to do this, but you cannot just use DNS or a message header to link a
> logo to a domain as this would be trivial to exploit.
> 
> Either way, BIMI is not suitable for reader tracking as you cannot
> provide different logo URIs for each recipient.

Sorry, but it would be possible:
> Domain Owners can specify which other selector to use on a per-
> message basis by utilizing the BIMI-Selector Header

You could set a different selector per email message sent. You could
manage that with a wildcard dns entry and check the dns server logs.


However, the draft is specified in such manner that the fetching would
be done by the MTA, so the BIMI check and fetching wouldn't provide
information to the senders.
Only if a MUA tried to perform all checks itself (because its mail
server doesn't support BIMI, for instance).

Regards


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[G. Miliotis via mailop]

Greetings.

What I believe will happen is most non-big mail client apps will support 
BIMI if they support avatars, otherwise, they won't, cause the arguments 
on the receiver side are the same for both features.


I don't buy the "promoting authentication" argument. There would be a 
marginal benefit in spreading DMARC via a UI good-to-have feature as a 
carrot, thus combating phishing, but DMARC doesn't need help spreading, 
it's become a requirement by the big mail receivers. So BIMI only 
becomes useful if VMCs are used. Yay, another bureaucracy on top of the 
certificate issuer and domain registration ones. Even more hassle and 
expense for small senders.


The big mail players will adopt BIMI cause their clients (the marketers) 
are proposing it. So eventually anyone without a logo next to their mail 
will be met with suspicion by the users.  Have an e-shop but don't have 
VMC-backed BIMI? You get your logo shown but no blue checkmark on it, 
uh-oh, now you're in the spam folder, oops. Tough to be you.


Eventually, no BIMI = +5% spam chance and life will go on as usual: 
small mail operators and SMBs will be even less in control of the 
deliverability of their mailings while the big senders get even more 
closely coupled to big mail providers.


BIMI is trying to do identity. IMO identity will not be solved in mail 
inbox UIs. It'll come from concerted efforts elsewhere and mail will 
integrate into that.


Regards,
G. Miliotis

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[L. Mark Stone via mailop]

FWIW we went through the trademark process for our logo.

It was time-consuming, but straightforward and not expensive.

We've deployed BIMI, but with a= as the SSL certificates are still quite 
expensive; Digicert's BIMI certificate is half-again as much as their EV 
certificate.

If Digicert et. al. offered a combined EV/BIMI certificate (since much of the 
labor-intensive validation tasks as I understand it are identical for both 
certs), I think that could be an attractive option for many senders.

IMHO the industry has several complementary/overlapping initiatives at various 
stages of maturity and adoption, all intended to better authenticate senders 
and prevent domain spoofing. I fully expect there to be friction, resistance 
and bumps in the road as we all work to minimize illegitimate email -- but 
despite Google, Yahoo, Microsoft etc. being a major source of the inbound spam 
that we see tour and our customers' systems, I applaud their efforts to better 
authenticate senders and prevent domain spoofing. 

I just wish they would apply the same strict rulesets to their outbound email 
streams that they are starting to apply/applying to their inbound email 
streams...

Best regards to all, 
Mark 
_ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Laurent S. via mailop" 
To: "mailop" 
Sent: Thursday, January 11, 2024 9:34:16 AM
Subject: Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, 
and intellectual property law considerations

On 11.01.24 14:59, Udeme via mailop wrote:
> There’s a trademark ownership vetting item that’s part of BIMI implementation.
> Not just *anyone* can get past that. #wink
> 

The trademark verification is only for those that pay for it. Nothing 
forbids a MUA from displaying an unverified BIMI. Most are luckily not 
doing it (yet), I just want to warn that if this becomes common, it will 
be abused for sure. I don't think that the regular user will check if 
the little extra lock is there on the icon. They'll see a version of the 
paypal logo on the phish and have an extra feeling of safety.

Best,
Laurent

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Laurent S. via mailop]

On 11.01.24 14:59, Udeme via mailop wrote:
> There’s a trademark ownership vetting item that’s part of BIMI implementation.
> Not just *anyone* can get past that. #wink
> 

The trademark verification is only for those that pay for it. Nothing 
forbids a MUA from displaying an unverified BIMI. Most are luckily not 
doing it (yet), I just want to warn that if this becomes common, it will 
be abused for sure. I don't think that the regular user will check if 
the little extra lock is there on the icon. They'll see a version of the 
paypal logo on the phish and have an extra feeling of safety.

Best,
Laurent

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Udeme via mailop]

There’s a trademark ownership vetting item that’s part of BIMI
implementation. Not just *anyone* can get past that. #wink

-Udeme

On Thu, Jan 11, 2024 at 5:36 AM Laurent S. via mailop 
wrote:

> I might have missed something, but wouldn't that be a phisher's wet dream?
>
> Most spammers know very well how to do a mail with valid DMARC. So, now
> they only need to send a valid mail from any throw away cheap domain and
> in their BIMI add the logo of paypal?
>
> I understand it's not great to have to pay for the
> verification/certification, but leaving the door open to abuse is a
> dangerous path to take.
>
> Being on the antispam side, I would hate to have to start implementing
> BIMI spoof checks.
>
> Regards,
> Laurent
>
> On 11.01.24 00:05, Louis Laureys via mailop wrote:
> >  We decided to keep this because I read that some webmail clients are
> >  planning to support BIMI without checking for certificates, or,
> >  perhaps, also displaying a little lock icon in the corner of the
> >  sender's BIMI-style logo image where certification is verified.
> >
> > This is exactly what I have in mind for my client, thanks for publishing
> your
> > logo in an easily accessible and standard way :)
> >
> > Groetjes,
> > Louis
> >
> >
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Jaroslaw Rafa via mailop]

Dnia 10.01.2024 o godz. 22:57:21 Louis Laureys via mailop pisze:
> Just wanted to add that I actually like it for visual clarity. Though I would
> have liked a more general avatar implementation not geared towards businesses.

If someone, *as a recipient*, likes having avatars next to email, I have
nothing against it - but *only if it's totally optional and decided upon by
recipient* (and by recipient, I mean the individual person and not the
organization that runs the receiving mail server). Then the recipient can
choose to use a MUA that supports avatars (of course, there should always be
the possibility to turn them off in configuration - which also solves the
issue of tracking; if someone doesn't want to be tracked, he/she can turn
the avatar support off in options, and their MUA won't fetch any avatar
images from any website).

But what would be actually desirable, is exactly what you wrote - an
implementation *not geared towards businesses*. BIMI is nothing like this,
as John clearly explained below it *is and always will be* geared towards
businesses. And for me BIMI looks more like push from the *senders* (and in
particular, big marketing senders) on people to use the avatars (and use
them only in a particular way dictated by big businesses), rather than
a response to an *actual need* from *recipients* to use them.

Dnia 10.01.2024 o godz. 21:21:16 John Levine via mailop pisze:
> While it would be nice to make BIMI available to small organizations
> without costing a lot of money, the question "is entity A allowed to
> show logo X" is very hard even for people, and not amenable to
> authomation. In a few cases where the entity has already paid to put
> the logo in a trademark database it's easier but that sure doesn't
> scale.

There is a very real danger (and this is even predicted in the document
linked in the previous email) that adoption of BIMI by big mail providers
will serve as another "antispam" measure; messages having verified BIMI mark
would be treated by ISPs as more "trustworthy" and "reputable" than the
messages that don't. This would clearly lead to dividing email service in
two categories: "first class" would be an email from businesses that are big
and rich enough that they can afford having their email BIMI certified,
which would give them a kind of "guarantee" for their emails to be delivered
to all the big ISPs - and a "second class" consisiting of all the other
senders, who lack BIMI verification, and thus can only hope to have luck
that their email gets through the filters (which will happen gradually less
and less often).

As it has happened with DMARC, which also in the beginning - as the document
states - was purely optional and meant only for specific, often-phished
domains.

This is a very bad perspective, and BIMI is in my opinion a road straight to
this direction.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Taavi Eomäe via mailop]

On 10/01/2024 19:18, Jaroslaw Rafa via mailop wrote:

As the OP has written, the only ones that may be interested in this may be
marketers. Nobody else needs any logos, avatars etc. displayed alongside the
email headers.


That is certainly an overly bold claim. For a lot of people it makes 
navigating the inbox easier and nicer to look at, it also does make 
phishing a bit harder. We've yet to see how much harder because the 
deployment percentage of good DMARC, not to mention BIMI+VMC, is quite low.



Also, I see no feasible way - neither now nor in the future - to use it any
meaningful way in person-to-person communication, which is the topic OP
asked about, and you seem to have ignored it completely in your answer


It's not really designed for that. It could happen in the form of adding 
the logotype OID to S/MIME certificates, but S/MIME is not that far 
along - the new S/MIME baseline (by the CA/B Forum S/MIME workgroup) is 
really new, and that's just the baseline. Maybe in the future.



Is the goal to make email a closed ecosystem in which only the big players can 
participate?


For context, we at Zone Media have implemented BIMI in our mail server 
and web email client, we have also published a BIMI record with VMC. I'd 
say it's far from being something only "big players" can participate in, 
unless you consider us a big player...


Verifying identity is a difficult problem, maybe it doesn't work out in 
this exact form or way, but it's empirically evident that the problems 
BIMI tries to address are real. Boycotting it for the cost is as silly 
as boycotting entire S/MIME for the same reason.


smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Laurent S. via mailop]

I might have missed something, but wouldn't that be a phisher's wet dream?

Most spammers know very well how to do a mail with valid DMARC. So, now 
they only need to send a valid mail from any throw away cheap domain and 
in their BIMI add the logo of paypal?

I understand it's not great to have to pay for the 
verification/certification, but leaving the door open to abuse is a 
dangerous path to take.

Being on the antispam side, I would hate to have to start implementing 
BIMI spoof checks.

Regards,
Laurent

On 11.01.24 00:05, Louis Laureys via mailop wrote:
>  We decided to keep this because I read that some webmail clients are
>  planning to support BIMI without checking for certificates, or,
>  perhaps, also displaying a little lock icon in the corner of the
>  sender's BIMI-style logo image where certification is verified.
> 
> This is exactly what I have in mind for my client, thanks for publishing your
> logo in an easily accessible and standard way :)
> 
> Groetjes,
> Louis
> 
> 

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Randolf Richardson, Postmaster via mailop]

> > We decided to keep this because I read that some webmail clients are
> > planning to support BIMI without checking for certificates, or,
> > perhaps, also displaying a little lock icon in the corner of the
> > sender's BIMI-style logo image where certification is verified.
> 
> This is exactly what I have in mind for my client, thanks for publishing your
> logo in an easily accessible and standard way :)

Excellent!

If you need me to send some test messages, please don't hesitate to 
reach out -- I'll be happy to send a few, or a few dozen, as you 
need, and from a few different domains so you can see what different 
logos look like in an Inbox folder.

> Groetjes,
> Louis
> 
> 
> Op woensdag 10 januari 2024 om 21:58, schreef Randolf Richardson, Postmaster 
> via
> mailop :
> 
> > We looked into it and publish our own default BIMI record even
> > though we didn't pay the enormous amount money required to one of two
> > Certificate Authorities.
> > 
> > If anyone is curious to see what the record looks, use this command:
> > 
> > dig txt default._bimi.inter-corporate.com
> > 
> > The results should include:
> > 
> > ;; ANSWER SECTION:
> > default._bimi.inter-corporate.com. 3600 IN TXT
> > "v=BIMI1; l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg
> > [https://www.inter-corporate.com/images/logo60bimi-iccns.svg]; a=;"
> > 
> > It basically just links to an SVG version of the logo from our main
> > web site (which is also in the same DNS zone).
> > 
> > Note: The "a=" portion normally includes a URI to what's called the
> > "VMC/Assertion record" in the form of a typical .pem file. Ours is
> > blank because we don't have the needed file for this.
> > 
> > We decided to keep this because I read that some webmail clients are
> > planning to support BIMI without checking for certificates, or,
> > perhaps, also displaying a little lock icon in the corner of the
> > sender's BIMI-style logo image where certification is verified.
> > 
> > The BIMI Group provides an online checking tool that displays our
> > logo (just search for "inter-corporate.com" to see ours):
> > 
> > BIMI LookUp & Generator :: Check compliance w/ BIMI standards
> > https://www.bimigroup.org/bimi-generator/
> > [https://www.bimigroup.org/bimi-generator/]
> > 
> > Our logo is shown near the end of the report, and for ours there's
> > an indication that we comply, but there's also this warning:
> > 
> > "Note: While your BIMI record is compliant, it doesn't include a
> > Verified Mark Certificate that may be required by some mailbox
> > providers."
> > 
> > What's missing from BIMI in its current form? The option for mail
> > server oparators to use the same TLS certificates that we're already
> > using for our mail servers (and web servers, and FTP servers, etc.).
> > 
> > It makes less sense to me to involve a different CA just for one
> > tiny little image because then that's more technology that has to be
> > administered, managed, troubleshooted, implemented, etc., and paid
> > for separately. For eMail systems that host mlutiple domains and
> > clients, BIMI is not an attractive option in its current state.
> > 
> > If BIMI is to be taken as an open standard, then it needs to embrace
> > openness so that the TLS certificates issued by all CAs (including
> > commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI
> > gaining wider adoption.
> > 
> > The "must be a Registered Trademark" requirement is too expensive
> > for a lot of small businesses. A copyrighted logo is already
> > sufficient to provide legal protections in many scenarios (depending
> > on jurisdiction, etc.), so the bar is too high as it is -- DMCA
> > violation notices should be taken seriously regardless of whether the
> > intellectual property (such as an organization's logo) is protected
> > under copyright, servicemark, or trademark property mechanisms.
> > 
> > Another problem with limiting the scope of intellectual property
> > protection to a Registered Trademark is that trademark applications
> > can also be rejected even though a logo is already copyrighted, and
> > the reasons can vary based on a variety of factors, including
> > different jurisdictional regulations, local and/or national laws that
> > limit free expression, cultural sensitivity policies, delays due to
> > fraudulent disputes submitted by intellectual property trolls, etc.
> > 
> > Also: How does BIMI intend to resolve valid Registered Trademarks
> > from two different countires that look almost the same? Is there a
> > mechanism that will only allow BIMI logos to be displayed in cerrtain
> > countries where said Registered Trademark is protected? Will there
> > be enforcement to make sure all vendors adhere to implementing BIMI
> > correctly in this manner? Or, if a Registered Trademark is only
> > registered in one country, will vendors still be able to display it
> > in other countries? Or will the source be the determining factor (in
> > which 

Re: [mailop] BIMI boycott?

[Randolf Richardson, Postmaster via mailop]

> > Simply, nobody needs this.
> 
> I've been building an email client and actually do fetch avatars and logos to 
> be
> displayed next to emails. I find it helps me visually identify emails easier,
> it's a lot less taxing on the brain than reading sender names or addresses. Of
> course in my case I'm also scraping gravatar and favicons, so it doesn't have
> much to do with BIMI.

I find that helpful too.

Will your eMail client have a free edition option?  If so, please do 
share a link to it here (or eMail me directly) because I'd be happy 
to consider including it in the list of eMail client software options 
that we provide to our users (and also include it in the "Resources" 
section of the Canadian Lumber Cartel web site).

(On PCs, most of our users are either using OutLook, Thunderbird, or 
our webmail option.  A few are using other software, including 
Sylpheed, Pegasus Mail, and some others I don't recall the names of.)

> Just wanted to add that I actually like it for visual clarity. Though I would
> have liked a more general avatar implementation not geared towards businesses.

If you support BIMI with and without the "a=" parameter containing a 
certificate, that would be fantastic.  (You could always indicate 
with a golden lock in the corner of BIMI logos when they do have 
valid certificates specified with the "a=" parameter.)

> Groetjes,
> Louis
> 
> 
> Op woensdag 10 januari 2024 om 18:18, schreef Jaroslaw Rafa via mailop
> :
> 
> > Dnia 10.01.2024 o godz. 11:32:36 Seth Blank via mailop pisze:
> > > The hope is that as BIMI gets more widely adopted, the cost (and
> > > automation) of the logo validation drops. Time will tell.
> > >
> > > Of course, for broader adoption, we also need to progress beyond
> > > trademarks, which have their own cost and timeliness issues. The working
> > > group is leaning heavily into this, as its our top priority to make BIMI
> > > more broadly accessible.
> > >
> > > This covers our technical intent:
> > > https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> > [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00] and
> > 
> > The document fails to convincingly answer THE one basic question:
> > 
> > WHY in the hell is such a strange feature needed at all and for whom?
> > 
> > As the OP has written, the only ones that may be interested in this may be
> > marketers. Nobody else needs any logos, avatars etc. displayed alongside the
> > email headers. There is a reason why the early attempt at this - I'm talking
> > about the X-Face header, which you even refer to in this document - never
> > gained any popularity. Simply, nobody needs this. The fact that Gmail
> > implemented in its web client putting up some images alongside email headers
> > (which, by the way, show anything non-default only if the sender is another
> > Gmail user and has a profile picture defined in his/her account) shouldn't
> > be any reference nor guide for designing email applications at all. NOBODY
> > NEEDS THESE IMAGES.
> > 
> > Also, I see no feasible way - neither now nor in the future - to use it any
> > meaningful way in person-to-person communication, which is the topic OP
> > asked about, and you seem to have ignored it completely in your answer. The
> > document you are linking to isn't even trying to address this use case! It
> > speaks all the time about "organizations" or "brands" and their logotypes,
> > like companies or organizations were the only senders of emails. Or maybe
> > this is the actual intent? To make individual people only reicipents of
> > emails, without the ability to send?
> > 
> > In section 3.3 you even predict that BIMI is about to go the same path DMARC
> > went - "DMARC started with limited use to protect heavily phished domains",
> > and now we have arrived to the point when you almost can't send mail to any
> > big mail provider without having DMARC properly set up. You predict that
> > likely the same will happen for BIMI, which means, you won't be able to send
> > mail to any of the "big players" if you don't have BIMI set up. Which *will*
> > cost money - you are also clear about it. Is the goal to make email a closed
> > ecosystem in which only the big players can participate?
> > 
> > This was a bad idea from the beginning (I would even say, a crazy idea) and
> > will still be a bad idea no matter how much work and effort you put into it.
> > So maybe it's better not to waste that effort at all and direct it towards
> > something actually useful.
> > --
> > Regards,
> > Jaroslaw Rafa
> > r...@rafa.eu.org [r...@rafa.eu.org]
> > --
> > "In a million years, when kids go to school, they're gonna know: once there
> > was a Hushpuppy, and she lived with her daddy in the Bathtub."
> > ___
> > mailop mailing list
> > mailop@mailop.org [mailop@mailop.org]
> > https://list.mailop.org/listinfo/mailop
> > [https://list.mailop.org/listinfo/mailop]

Re: [mailop] BIMI boycott?

[John Levine via mailop]

It appears that Andrew C Aitchison via mailop  said:
>X-Face was too far ahead of its time. Enough of the market did not have
>the bandwidth to make it practical, and digitisers/cameras were not 
>readily available.

It was, and it also predated phishing. All of the complication of BIMI
comes from trying to ensure that people only show logos they're
entitled to use.

While it would be nice to make BIMI available to small organizations
without costing a lot of money, the question "is entity A allowed to
show logo X" is very hard even for people, and not amenable to
authomation. In a few cases where the entity has already paid to put
the logo in a trademark database it's easier but that sure doesn't
scale.

There are some extremely complicated cases. For example, there are two
unrelated companies called Merck, one in the U.S. and one in Germany.
(The U.S. one started from confiscated assets of the German one after
WW I.) They have the same name, somewhat similar products, and good
luck getting a straight answer to which one is allowed to display
MERCK where.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Opti Pub via mailop]

+1

On Wed, Jan 10, 2024 at 6:14 PM Louis Laureys via mailop 
wrote:

> We decided to keep this because I read that some webmail clients are
> planning to support BIMI without checking for certificates, or,
> perhaps, also displaying a little lock icon in the corner of the
> sender's BIMI-style logo image where certification is verified.
>
> This is exactly what I have in mind for my client, thanks for publishing
> your logo in an easily accessible and standard way :)
>
> Groetjes,
> Louis
>
>
> Op woensdag 10 januari 2024 om 21:58, schreef Randolf Richardson,
> Postmaster via mailop :
>
> We looked into it and publish our own default BIMI record even
> though we didn't pay the enormous amount money required to one of two
> Certificate Authorities.
>
> If anyone is curious to see what the record looks, use this command:
>
> dig txt default._bimi.inter-corporate.com
>
> The results should include:
>
> ;; ANSWER SECTION:
> default._bimi.inter-corporate.com. 3600 IN TXT
> "v=BIMI1; l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg;
> a=;"
>
> It basically just links to an SVG version of the logo from our main
> web site (which is also in the same DNS zone).
>
> Note: The "a=" portion normally includes a URI to what's called the
> "VMC/Assertion record" in the form of a typical .pem file. Ours is
> blank because we don't have the needed file for this.
>
> We decided to keep this because I read that some webmail clients are
> planning to support BIMI without checking for certificates, or,
> perhaps, also displaying a little lock icon in the corner of the
> sender's BIMI-style logo image where certification is verified.
>
> The BIMI Group provides an online checking tool that displays our
> logo (just search for "inter-corporate.com" to see ours):
>
> BIMI LookUp & Generator :: Check compliance w/ BIMI standards
> https://www.bimigroup.org/bimi-generator/
>
> Our logo is shown near the end of the report, and for ours there's
> an indication that we comply, but there's also this warning:
>
> "Note: While your BIMI record is compliant, it doesn't include a
> Verified Mark Certificate that may be required by some mailbox
> providers."
>
> What's missing from BIMI in its current form? The option for mail
> server oparators to use the same TLS certificates that we're already
> using for our mail servers (and web servers, and FTP servers, etc.).
>
> It makes less sense to me to involve a different CA just for one
> tiny little image because then that's more technology that has to be
> administered, managed, troubleshooted, implemented, etc., and paid
> for separately. For eMail systems that host mlutiple domains and
> clients, BIMI is not an attractive option in its current state.
>
> If BIMI is to be taken as an open standard, then it needs to embrace
> openness so that the TLS certificates issued by all CAs (including
> commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI
> gaining wider adoption.
>
> The "must be a Registered Trademark" requirement is too expensive
> for a lot of small businesses. A copyrighted logo is already
> sufficient to provide legal protections in many scenarios (depending
> on jurisdiction, etc.), so the bar is too high as it is -- DMCA
> violation notices should be taken seriously regardless of whether the
> intellectual property (such as an organization's logo) is protected
> under copyright, servicemark, or trademark property mechanisms.
>
> Another problem with limiting the scope of intellectual property
> protection to a Registered Trademark is that trademark applications
> can also be rejected even though a logo is already copyrighted, and
> the reasons can vary based on a variety of factors, including
> different jurisdictional regulations, local and/or national laws that
> limit free expression, cultural sensitivity policies, delays due to
> fraudulent disputes submitted by intellectual property trolls, etc.
>
> Also: How does BIMI intend to resolve valid Registered Trademarks
> from two different countires that look almost the same? Is there a
> mechanism that will only allow BIMI logos to be displayed in cerrtain
> countries where said Registered Trademark is protected? Will there
> be enforcement to make sure all vendors adhere to implementing BIMI
> correctly in this manner? Or, if a Registered Trademark is only
> registered in one country, will vendors still be able to display it
> in other countries? Or will the source be the determining factor (in
> which case, what reliable solution does BIMI propose for a company
> using service provider in some other country to deliver their eMail)?
>
> Keeping things simpler, open, and lowering the bar to be more
> inclusive are, in my opinion, some of the more important factors in
> BIMI's future success. Otherwise, it just looks like an attempt to
> make money (which is how at least some people who've looked into it
> seem to perceive it at present).
>
> (If BIMI doesn't lower the bar, then perhaps someone 

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Louis Laureys via mailop]

> We decided to keep this because I read that some webmail clients are
> planning to support BIMI without checking for certificates, or,
> perhaps, also displaying a little lock icon in the corner of the
> sender's BIMI-style logo image where certification is verified.

This is exactly what I have in mind for my client, thanks for publishing your
logo in an easily accessible and standard way :)

Groetjes,
Louis


Op woensdag 10 januari 2024 om 21:58, schreef Randolf Richardson, Postmaster via
mailop :

> We looked into it and publish our own default BIMI record even
> though we didn't pay the enormous amount money required to one of two
> Certificate Authorities.
> 
> If anyone is curious to see what the record looks, use this command:
> 
> dig txt default._bimi.inter-corporate.com
> 
> The results should include:
> 
> ;; ANSWER SECTION:
> default._bimi.inter-corporate.com. 3600 IN TXT
> "v=BIMI1; l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg
> [https://www.inter-corporate.com/images/logo60bimi-iccns.svg]; a=;"
> 
> It basically just links to an SVG version of the logo from our main
> web site (which is also in the same DNS zone).
> 
> Note: The "a=" portion normally includes a URI to what's called the
> "VMC/Assertion record" in the form of a typical .pem file. Ours is
> blank because we don't have the needed file for this.
> 
> We decided to keep this because I read that some webmail clients are
> planning to support BIMI without checking for certificates, or,
> perhaps, also displaying a little lock icon in the corner of the
> sender's BIMI-style logo image where certification is verified.
> 
> The BIMI Group provides an online checking tool that displays our
> logo (just search for "inter-corporate.com" to see ours):
> 
> BIMI LookUp & Generator :: Check compliance w/ BIMI standards
> https://www.bimigroup.org/bimi-generator/
> [https://www.bimigroup.org/bimi-generator/]
> 
> Our logo is shown near the end of the report, and for ours there's
> an indication that we comply, but there's also this warning:
> 
> "Note: While your BIMI record is compliant, it doesn't include a
> Verified Mark Certificate that may be required by some mailbox
> providers."
> 
> What's missing from BIMI in its current form? The option for mail
> server oparators to use the same TLS certificates that we're already
> using for our mail servers (and web servers, and FTP servers, etc.).
> 
> It makes less sense to me to involve a different CA just for one
> tiny little image because then that's more technology that has to be
> administered, managed, troubleshooted, implemented, etc., and paid
> for separately. For eMail systems that host mlutiple domains and
> clients, BIMI is not an attractive option in its current state.
> 
> If BIMI is to be taken as an open standard, then it needs to embrace
> openness so that the TLS certificates issued by all CAs (including
> commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI
> gaining wider adoption.
> 
> The "must be a Registered Trademark" requirement is too expensive
> for a lot of small businesses. A copyrighted logo is already
> sufficient to provide legal protections in many scenarios (depending
> on jurisdiction, etc.), so the bar is too high as it is -- DMCA
> violation notices should be taken seriously regardless of whether the
> intellectual property (such as an organization's logo) is protected
> under copyright, servicemark, or trademark property mechanisms.
> 
> Another problem with limiting the scope of intellectual property
> protection to a Registered Trademark is that trademark applications
> can also be rejected even though a logo is already copyrighted, and
> the reasons can vary based on a variety of factors, including
> different jurisdictional regulations, local and/or national laws that
> limit free expression, cultural sensitivity policies, delays due to
> fraudulent disputes submitted by intellectual property trolls, etc.
> 
> Also: How does BIMI intend to resolve valid Registered Trademarks
> from two different countires that look almost the same? Is there a
> mechanism that will only allow BIMI logos to be displayed in cerrtain
> countries where said Registered Trademark is protected? Will there
> be enforcement to make sure all vendors adhere to implementing BIMI
> correctly in this manner? Or, if a Registered Trademark is only
> registered in one country, will vendors still be able to display it
> in other countries? Or will the source be the determining factor (in
> which case, what reliable solution does BIMI propose for a company
> using service provider in some other country to deliver their eMail)?
> 
> Keeping things simpler, open, and lowering the bar to be more
> inclusive are, in my opinion, some of the more important factors in
> BIMI's future success. Otherwise, it just looks like an attempt to
> make money (which is how at least some people who've looked into it
> seem to perceive it at present).
> 
> (If BIMI 

Re: [mailop] BIMI boycott?

[Louis Laureys via mailop]

> Simply, nobody needs this.

I've been building an email client and actually do fetch avatars and logos to be
displayed next to emails. I find it helps me visually identify emails easier,
it's a lot less taxing on the brain than reading sender names or addresses. Of
course in my case I'm also scraping gravatar and favicons, so it doesn't have
much to do with BIMI.

Just wanted to add that I actually like it for visual clarity. Though I would
have liked a more general avatar implementation not geared towards businesses.


Groetjes,
Louis


Op woensdag 10 januari 2024 om 18:18, schreef Jaroslaw Rafa via mailop
:

> Dnia 10.01.2024 o godz. 11:32:36 Seth Blank via mailop pisze:
> > The hope is that as BIMI gets more widely adopted, the cost (and
> > automation) of the logo validation drops. Time will tell.
> >
> > Of course, for broader adoption, we also need to progress beyond
> > trademarks, which have their own cost and timeliness issues. The working
> > group is leaning heavily into this, as its our top priority to make BIMI
> > more broadly accessible.
> >
> > This covers our technical intent:
> > https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00
> [https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00] and
> 
> The document fails to convincingly answer THE one basic question:
> 
> WHY in the hell is such a strange feature needed at all and for whom?
> 
> As the OP has written, the only ones that may be interested in this may be
> marketers. Nobody else needs any logos, avatars etc. displayed alongside the
> email headers. There is a reason why the early attempt at this - I'm talking
> about the X-Face header, which you even refer to in this document - never
> gained any popularity. Simply, nobody needs this. The fact that Gmail
> implemented in its web client putting up some images alongside email headers
> (which, by the way, show anything non-default only if the sender is another
> Gmail user and has a profile picture defined in his/her account) shouldn't
> be any reference nor guide for designing email applications at all. NOBODY
> NEEDS THESE IMAGES.
> 
> Also, I see no feasible way - neither now nor in the future - to use it any
> meaningful way in person-to-person communication, which is the topic OP
> asked about, and you seem to have ignored it completely in your answer. The
> document you are linking to isn't even trying to address this use case! It
> speaks all the time about "organizations" or "brands" and their logotypes,
> like companies or organizations were the only senders of emails. Or maybe
> this is the actual intent? To make individual people only reicipents of
> emails, without the ability to send?
> 
> In section 3.3 you even predict that BIMI is about to go the same path DMARC
> went - "DMARC started with limited use to protect heavily phished domains",
> and now we have arrived to the point when you almost can't send mail to any
> big mail provider without having DMARC properly set up. You predict that
> likely the same will happen for BIMI, which means, you won't be able to send
> mail to any of the "big players" if you don't have BIMI set up. Which *will*
> cost money - you are also clear about it. Is the goal to make email a closed
> ecosystem in which only the big players can participate?
> 
> This was a bad idea from the beginning (I would even say, a crazy idea) and
> will still be a bad idea no matter how much work and effort you put into it.
> So maybe it's better not to waste that effort at all and direct it towards
> something actually useful.
> --
> Regards,
> Jaroslaw Rafa
> r...@rafa.eu.org [r...@rafa.eu.org]
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
> ___
> mailop mailing list
> mailop@mailop.org [mailop@mailop.org]
> https://list.mailop.org/listinfo/mailop
> [https://list.mailop.org/listinfo/mailop]___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Brett Schenker via mailop]

Since DMARC is now required by Google and Yahoo for bulk sending, it kind
of makes BIMI not as needed. I'm still not sure what BIMI solves that
enforcing authentication doesn't.

On Wed, Jan 10, 2024 at 3:44 PM Gellner, Oliver via mailop <
mailop@mailop.org> wrote:

>
> > On 10.01.2024 at 17:21 Olga Fischer via mailop wrote:
> >
> > Many bigger mailers are blogging about BIMI.
> > As far as I see its exclusively for brands.
> > It has 2 big barriers for entry:
> > - Expensive bespoke cert oids
> > - Registered trademark logos
> >
> > As from my perspective of independent mailing between humans: I fear
> this might be not just a carrot for doing DMARC, but also making
> independent mailers less credible in the UX of mainstream mailer users.
>
> Carrot or not, BIMI can actually be a good incentive to increase the
> adoption of DMARC.
> For ESPs a widespread usage of DMARC is a welcome addition to their
> filtering process, as it makes the impersonation of foreign domains more
> difficult. At the same time setting up DMARC on the sender side can be a
> lot of work, especially for large enterprises, which have hundreds of
> sources where emails are being generated or sent. Finding and adding proper
> authentication to all of them before being able to enable a DMARC reject
> policy requires a non-negligible amount of resources. If you can present a
> direct and clear benefit in return („our logo is going to be displayed next
> to our messages“), the management might be more willing to grant approval
> for it.
>
> I don’t see the fact that BIMI is currently not available to single users
> as a real problem, as their identity is usually not used in phishing
> campaigns anyway. Nobody sends phishing messages that try to impersonate
> Bob the builder.
> Neither SPF, nor DKIM nor DMARC are suitable to identify single users, so
> BIMI which builds upon them cannot magically add this feature. If you want
> to authenticate single users there’s S/MIME.
>
> > Do you have input on how non-marketing mailers deal with this?
> > Because obviously its for brand-logos, as in marketing mails. Not for
> user 2 user.
>
> Not at all. BIMI is about DMARC authenticated emails. Their content
> doesn’t matter. If I‘d send you a personal email off-list and you use a MUA
> that supports BIMI a logo will be displayed next to it.
>
> > Its also may be yet another reader-engagement tracker. Why do those
> things always have to be out of band.
>
> Well, there’s no automated way to connect a logo to a domain. The BIMI
> group has decided to build upon the work of trademark offices to connect
> logos to companies and then set up a manual verification process to connect
> the company to a domain. There might be other ways to do this, but you
> cannot just use DNS or a message header to link a logo to a domain as this
> would be trivial to exploit.
>
> Either way, BIMI is not suitable for reader tracking as you cannot provide
> different logo URIs for each recipient.
>
> —
> BR Oliver
>
> 
>
> dmTECH GmbH
> Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
> Telefon 0721 5592-2500 Telefax 0721 5592-2777
> dmt...@dm.de * www.dmTECH.de
> GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
> Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher
> 
> Datenschutzrechtliche Informationen
> Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser
> ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in
> Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder
> sich bei uns bewerben, verarbeiten wir personenbezogene Daten.
> Informationen unter anderem zu den konkreten Datenverarbeitungen,
> Löschfristen, Ihren Rechten sowie die Kontaktdaten unserer
> Datenschutzbeauftragten finden Sie hier<
> https://www.dm.de/datenschutzerklaerung-kommunikation-mit-externen-493832
> >.
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>


-- 
Brett Schenker
Man of Many Things, Including
5B Consulting - http://www.5bconsulting.com
Graphic Policy - http://www.graphicpolicy.com

Twitter - http://twitter.com/bhschenker
LinkedIn - http://www.linkedin.com/in/brettschenker
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott? Lookup tool, why we publish BIMI anyway, and intellectual property law considerations

[Randolf Richardson, Postmaster via mailop]

We looked into it and publish our own default BIMI record even 
though we didn't pay the enormous amount money required to one of two 
Certificate Authorities.

If anyone is curious to see what the record looks, use this command:

dig txt default._bimi.inter-corporate.com

The results should include:

;; ANSWER SECTION:
default._bimi.inter-corporate.com. 3600 IN TXT
"v=BIMI1; 
l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg; a=;"

It basically just links to an SVG version of the logo from our main 
web site (which is also in the same DNS zone).

Note:  The "a=" portion normally includes a URI to what's called the 
"VMC/Assertion record" in the form of a typical .pem file.  Ours is 
blank because we don't have the needed file for this.

We decided to keep this because I read that some webmail clients are 
planning to support BIMI without checking for certificates, or, 
perhaps, also displaying a little lock icon in the corner of the 
sender's BIMI-style logo image where certification is verified.

The BIMI Group provides an online checking tool that displays our 
logo (just search for "inter-corporate.com" to see ours):

BIMI LookUp & Generator :: Check compliance w/ BIMI standards
https://www.bimigroup.org/bimi-generator/

Our logo is shown near the end of the report, and for ours there's 
an indication that we comply, but there's also this warning:

"Note: While your BIMI record is compliant, it doesn't include 
a 
Verified Mark Certificate that may be required by some mailbox 
providers."

What's missing from BIMI in its current form?  The option for mail 
server oparators to use the same TLS certificates that we're already 
using for our mail servers (and web servers, and FTP servers, etc.).

It makes less sense to me to involve a different CA just for one 
tiny little image because then that's more technology that has to be 
administered, managed, troubleshooted, implemented, etc., and paid 
for separately.  For eMail systems that host mlutiple domains and 
clients, BIMI is not an attractive option in its current state.

If BIMI is to be taken as an open standard, then it needs to embrace 
openness so that the TLS certificates issued by all CAs (including 
commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI 
gaining wider adoption.

The "must be a Registered Trademark" requirement is too expensive 
for a lot of small businesses.  A copyrighted logo is already 
sufficient to provide legal protections in many scenarios (depending 
on jurisdiction, etc.), so the bar is too high as it is -- DMCA 
violation notices should be taken seriously regardless of whether the 
intellectual property (such as an organization's logo) is protected 
under copyright, servicemark, or trademark property mechanisms.

Another problem with limiting the scope of intellectual property 
protection to a Registered Trademark is that trademark applications 
can also be rejected even though a logo is already copyrighted, and 
the reasons can vary based on a variety of factors, including 
different jurisdictional regulations, local and/or national laws that 
limit free expression, cultural sensitivity policies, delays due to 
fraudulent disputes submitted by intellectual property trolls, etc.

Also:  How does BIMI intend to resolve valid Registered Trademarks 
from two different countires that look almost the same?  Is there a 
mechanism that will only allow BIMI logos to be displayed in cerrtain 
countries where said Registered Trademark is protected?  Will there 
be enforcement to make sure all vendors adhere to implementing BIMI 
correctly in this manner?  Or, if a Registered Trademark is only 
registered in one country, will vendors still be able to display it 
in other countries?  Or will the source be the determining factor (in 
which case, what reliable solution does BIMI propose for a company 
using service provider in some other country to deliver their eMail)?

Keeping things simpler, open, and lowering the bar to be more 
inclusive are, in my opinion, some of the more important factors in 
BIMI's future success.  Otherwise, it just looks like an attempt to 
make money (which is how at least some people who've looked into it 
seem to perceive it at present).

(If BIMI doesn't lower the bar, then perhaps someone will be 
motivated to create an alternative standard that is simpler, open, 
and more inclusive.)

> Hi mailops,
> 
> I am new here because I want to collect some opinion.
> 
> Many bigger mailers are blogging about BIMI.
> As far as I see its exclusively for brands.
> It has 2 big barriers for entry:
> - Expensive bespoke cert oids
> - Registered trademark logos
> 
> As from my perspective of independent mailing between humans: I fear this 
> might 

Re: [mailop] BIMI boycott?

[Gellner, Oliver via mailop]

> On 10.01.2024 at 17:21 Olga Fischer via mailop wrote:
>
> Many bigger mailers are blogging about BIMI.
> As far as I see its exclusively for brands.
> It has 2 big barriers for entry:
> - Expensive bespoke cert oids
> - Registered trademark logos
>
> As from my perspective of independent mailing between humans: I fear this 
> might be not just a carrot for doing DMARC, but also making independent 
> mailers less credible in the UX of mainstream mailer users.

Carrot or not, BIMI can actually be a good incentive to increase the adoption 
of DMARC.
For ESPs a widespread usage of DMARC is a welcome addition to their filtering 
process, as it makes the impersonation of foreign domains more difficult. At 
the same time setting up DMARC on the sender side can be a lot of work, 
especially for large enterprises, which have hundreds of sources where emails 
are being generated or sent. Finding and adding proper authentication to all of 
them before being able to enable a DMARC reject policy requires a 
non-negligible amount of resources. If you can present a direct and clear 
benefit in return („our logo is going to be displayed next to our messages“), 
the management might be more willing to grant approval for it.

I don’t see the fact that BIMI is currently not available to single users as a 
real problem, as their identity is usually not used in phishing campaigns 
anyway. Nobody sends phishing messages that try to impersonate Bob the builder.
Neither SPF, nor DKIM nor DMARC are suitable to identify single users, so BIMI 
which builds upon them cannot magically add this feature. If you want to 
authenticate single users there’s S/MIME.

> Do you have input on how non-marketing mailers deal with this?
> Because obviously its for brand-logos, as in marketing mails. Not for user 2 
> user.

Not at all. BIMI is about DMARC authenticated emails. Their content doesn’t 
matter. If I‘d send you a personal email off-list and you use a MUA that 
supports BIMI a logo will be displayed next to it.

> Its also may be yet another reader-engagement tracker. Why do those things 
> always have to be out of band.

Well, there’s no automated way to connect a logo to a domain. The BIMI group 
has decided to build upon the work of trademark offices to connect logos to 
companies and then set up a manual verification process to connect the company 
to a domain. There might be other ways to do this, but you cannot just use DNS 
or a message header to link a logo to a domain as this would be trivial to 
exploit.

Either way, BIMI is not suitable for reader tracking as you cannot provide 
different logo URIs for each recipient.

—
BR Oliver



dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Andrew C Aitchison via mailop]

On Wed, 10 Jan 2024, Jaroslaw Rafa via mailop wrote:


As the OP has written, the only ones that may be interested in this may be
marketers. Nobody else needs any logos, avatars etc. displayed alongside the
email headers. There is a reason why the early attempt at this - I'm talking
about the X-Face header, which you even refer to in this document - never
gained any popularity. Simply, nobody needs this. The fact that Gmail
implemented in its web client putting up some images alongside email headers
(which, by the way, show anything non-default only if the sender is another
Gmail user and has a profile picture defined in his/her account) shouldn't
be any reference nor guide for designing email applications at all. NOBODY
NEEDS THESE IMAGES.


X-Face was too far ahead of its time. Enough of the market did not have
the bandwidth to make it practical, and digitisers/cameras were not 
readily available.


Today many discussion sites do have avatars. When I look at the discussion
of a bug on github, they do help me to see who made which comment.
key-phrases: visual meta-data, clues to context.

*I* would be interested in avatars with emails, if they didn't have lots 
of costs that far exceed those of the message itself.


--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Andrew C Aitchison via mailop]

On Wed, 10 Jan 2024, Olga Fischer via mailop wrote:


Hi mailops,

I am new here because I want to collect some opinion.

Many bigger mailers are blogging about BIMI.
As far as I see its exclusively for brands.
It has 2 big barriers for entry:
- Expensive bespoke cert oids
- Registered trademark logos

As from my perspective of independent mailing between humans: I fear this might 
be not just a carrot for doing DMARC, but also making independent mailers less 
credible in the UX of mainstream mailer users.

Do you have input on how non-marketing mailers deal with this?
Because obviously its for brand-logos, as in marketing mails. Not for user 2 
user.
How will common platforms show user2user?
Will they use platform logos? No logos?

It seems infeasible to do the logo-ing per user.

Can we influence the mailing world to use the standard differently?
Like accepting BIMI logos only depending on valid bog standard cert and DMARC, 
boycotting the moneygrab scheme?

Its also may be yet another reader-engagement tracker. Why do those things 
always have to be out of band.

I wish y'all a happy new year and good mailing weathers!

Olga


I am also interested in user 2 user email and have little interest in BIMI.

My biggest problem is that showing or not showing a logo signals
one bit of information, but even if the technology is perfect,
there are three possibilities that need to be shoe-horned into it,
otherwise someone will be upset.
If a web-mail or MUA displays the logo, does that indicate that it verified
that the sender was entitled to use the logo, or that it failed to confirm
that the sender was not entitled to use the logo ?
It could signal the middle, "I don't know", case by displaying the logo
in monochrome ... except that some logos are monochrome, some people are 
colour-blind, ...


I am confident that displaying a logo will be taken as making a promise 
that cannot be kept.


My other concerns include:

My phone screen has a couple of million pixels, but not enough square inches
for me to comfortably read an email.
Taking space for the logo will make it even harder to read the message
- unless BIMI saves organisations from putting the logo in the HTML version 
of the email (which would have some value).


As a user of Alpine, a text-base mail reader, I will never see the "logo"
without taking extra effort.

I fear that some mailbox operators will make assumptions about what is
valid that are subtlety different from each other or from reality, so
it may require unreasonable effort to make an email satisfy both the
mailbox operators and best practice (just as we have two sender
addresses that may or may not appear when a message is listed or
displayed, so we now have SPF and DKIM verifying different things).

At the same time I fear that there will be short-cuts that allow phishers 
to fake the logo on enough mailbox services to be profitable.


I have just read the bug for BIMI to be added to Thunderbird
  https://bugzilla.mozilla.org/show_bug.cgi?id=1670078
Some people there are advocating that Thunderbird should display the logo
even if no Visual Mark Certificate can be verified.
If that is a common view amongst those who provide MUAs and web-mailers,
users will rightly be confused over whether the logo means anything.

Even ignoring the matter of fees, the ability of the marketing
department to get the branding into everyone's email will be somewhat
independent of the ability of the technical team to correctly do
everything else to make email secure and trustworthy.
I believe this even though one of the aims of BIMI is to encourage
correct use of SPF/DKIM/DMARC.

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Jaroslaw Rafa via mailop]

Dnia 10.01.2024 o godz. 11:32:36 Seth Blank via mailop pisze:
> The hope is that as BIMI gets more widely adopted, the cost (and
> automation) of the logo validation drops. Time will tell.
> 
> Of course, for broader adoption, we also need to progress beyond
> trademarks, which have their own cost and timeliness issues. The working
> group is leaning heavily into this, as its our top priority to make BIMI
> more broadly accessible.
> 
> This covers our technical intent:
> https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00 and

The document fails to convincingly answer THE one basic question:

WHY in the hell is such a strange feature needed at all and for whom?

As the OP has written, the only ones that may be interested in this may be
marketers. Nobody else needs any logos, avatars etc. displayed alongside the
email headers. There is a reason why the early attempt at this - I'm talking
about the X-Face header, which you even refer to in this document - never
gained any popularity. Simply, nobody needs this. The fact that Gmail
implemented in its web client putting up some images alongside email headers
(which, by the way, show anything non-default only if the sender is another
Gmail user and has a profile picture defined in his/her account) shouldn't
be any reference nor guide for designing email applications at all. NOBODY
NEEDS THESE IMAGES.

Also, I see no feasible way - neither now nor in the future - to use it any
meaningful way in person-to-person communication, which is the topic OP
asked about, and you seem to have ignored it completely in your answer. The
document you are linking to isn't even trying to address this use case! It
speaks all the time about "organizations" or "brands" and their logotypes,
like companies or organizations were the only senders of emails. Or maybe
this is the actual intent? To make individual people only reicipents of
emails, without the ability to send?

In section 3.3 you even predict that BIMI is about to go the same path DMARC
went - "DMARC started with limited use to protect heavily phished domains",
and now we have arrived to the point when you almost can't send mail to any
big mail provider without having DMARC properly set up. You predict that
likely the same will happen for BIMI, which means, you won't be able to send
mail to any of the "big players" if you don't have BIMI set up. Which *will*
cost money - you are also clear about it. Is the goal to make email a closed
ecosystem in which only the big players can participate?

This was a bad idea from the beginning (I would even say, a crazy idea) and
will still be a bad idea no matter how much work and effort you put into it.
So maybe it's better not to waste that effort at all and direct it towards
something actually useful.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] BIMI boycott?

[Seth Blank via mailop]

It's not a money grabbing scheme. Validation of the logo requires human
effort today, so there's a real cost involved. It's also relatively new, so
at its most expensive.

The hope is that as BIMI gets more widely adopted, the cost (and
automation) of the logo validation drops. Time will tell.

Of course, for broader adoption, we also need to progress beyond
trademarks, which have their own cost and timeliness issues. The working
group is leaning heavily into this, as its our top priority to make BIMI
more broadly accessible.

This covers our technical intent:
https://datatracker.ietf.org/doc/html/draft-bkl-bimi-overview-00 and
there's also a lot of content on bimigroup.org.

Seth


On Wed, Jan 10, 2024 at 11:19 AM Olga Fischer via mailop 
wrote:

> Hi mailops,
>
> I am new here because I want to collect some opinion.
>
> Many bigger mailers are blogging about BIMI.
> As far as I see its exclusively for brands.
> It has 2 big barriers for entry:
> - Expensive bespoke cert oids
> - Registered trademark logos
>
> As from my perspective of independent mailing between humans: I fear this
> might be not just a carrot for doing DMARC, but also making independent
> mailers less credible in the UX of mainstream mailer users.
>
> Do you have input on how non-marketing mailers deal with this?
> Because obviously its for brand-logos, as in marketing mails. Not for user
> 2 user.
> How will common platforms show user2user?
> Will they use platform logos? No logos?
>
> It seems infeasible to do the logo-ing per user.
>
> Can we influence the mailing world to use the standard differently?
> Like accepting BIMI logos only depending on valid bog standard cert and
> DMARC, boycotting the moneygrab scheme?
>
> Its also may be yet another reader-engagement tracker. Why do those things
> always have to be out of band.
>
> I wish y'all a happy new year and good mailing weathers!
>
> Olga
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>


-- 

*Seth Blank * | Chief Technology Officer
*e:* s...@valimail.com
*p:*

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

[mailop] BIMI boycott?

[Olga Fischer via mailop]

Hi mailops,

I am new here because I want to collect some opinion.

Many bigger mailers are blogging about BIMI.
As far as I see its exclusively for brands.
It has 2 big barriers for entry:
- Expensive bespoke cert oids
- Registered trademark logos

As from my perspective of independent mailing between humans: I fear this might 
be not just a carrot for doing DMARC, but also making independent mailers less 
credible in the UX of mainstream mailer users.

Do you have input on how non-marketing mailers deal with this?
Because obviously its for brand-logos, as in marketing mails. Not for user 2 
user.
How will common platforms show user2user?
Will they use platform logos? No logos?

It seems infeasible to do the logo-ing per user.

Can we influence the mailing world to use the standard differently?
Like accepting BIMI logos only depending on valid bog standard cert and DMARC, 
boycotting the moneygrab scheme?

Its also may be yet another reader-engagement tracker. Why do those things 
always have to be out of band.

I wish y'all a happy new year and good mailing weathers!

Olga
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop