Further down in one of the FAQs on the bimigroup website is a link to an
IETF document, draft-brotman-ietf-bimi-guidance-01:
https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-01
It has information on the actual recommended implementation of BIMI
including more information about BIMI Certificates.
It appears that to reach widespread adoption of this protocol we're going
to be creating a new kind of certificate authority that is specific to
trademarked images and logos. All so we can certify that the logo passes
BIMI verification.
Read section 6.4. Basic flow example.
If the bimi verification passes,
o The email receiver then sets either the appropriate IMAP flags, or
other mailstore flag, or other message property that signals to a
downstream email client that the message passed BIMI and is safe
to load the logo, along with a pointer to the logo (e.g., to the
https location specified in the BIMI record).
o What eventually happens is the email client then looks at the
flags set by the email receiver (MTA). If the flags are set to
show a BIMI logo, then the email client downloads the image and
displays it in the sender photo (or however else it chooses to
render the BIMI logo in conjunction with the message).
As a small mail server administrator this raises a lot of questions about
actual implementation and what tools are available to implement this
standard.
Ted
On Wed, 22 Jul 2020, Matt Corallo via mailop wrote:
The standard appears to provide no protection whatsoever, but the specific
implementation announced by Google relies on
CAs to "authenticate" the domains' logo. Seems like there should be a standard
for that, too.
Matt
On 7/22/20 9:17 PM, Ted Hatfield via mailop wrote:
On Wed, 22 Jul 2020, Marcel Becker via mailop wrote:
On Wed, Jul 22, 2020 at 5:27 PM Ted Hatfield <t...@io-tx.com> wrote:
Maybe this is a stupid question but
Excuse me, but: Re-read the Google announcement and https://bimigroup.org ;-)
I read the page at https://bimigroup.org/
The first statement to come up is:
What is BIMI?
Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee)
is an emerging email specification that enables the use of brand-controlled
logos within supporting email clients. BIMI leverages the work an
organization has put into deploying DMARC protection, by bringing brand
logos to the customer's inbox. For the brand's logo to be displayed, the
email must pass DMARC authentication checks, ensuring that the
organization's domain has not been impersonated.
How does enabling bimi keep someone from publishing their own dmarc, spf, and
dkim records and still impersonating your
brand image?
Isn't it just a little disingenuous to promote this as an anti-phishing scheme
when all it does is add brand and logo
marketing to a person's email?
Ted
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
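The receiver-side decision quoted from section 6.4 above, together with Ted's question about a lookalike domain publishing its own DMARC and BIMI records, as an added toy evaluator that is not code from the draft, Google or bimigroup. It assumes the assertion-record syntax (`v=BIMI1; l=<logo URL>; a=<evidence URL>` in a TXT record at `default._bimi.<domain>`) from the companion BIMI assertion draft, replaces DNS with a constructed in-memory table, and only checks that an evidence document is referenced rather than validating a certificate.

```python
"""Toy model of the MTA-side BIMI decision: given the DMARC verdict for the
From domain, decide whether a downstream client may fetch and show the logo.
DNS is replaced by the constructed table below so the example runs offline."""
from urllib.parse import urlparse

# Constructed records (assumed, not from the thread). brand.example publishes
# DMARC plus a BIMI record with an evidence URL (a=); brand-example.test is a
# lookalike that copies the idea but vouches for nothing; nopolicy.example has
# DMARC in monitoring mode only.
DNS_TXT = {
    "_dmarc.brand.example": "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
    "default._bimi.brand.example":
        "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem",
    "_dmarc.brand-example.test": "v=DMARC1; p=reject",
    "default._bimi.brand-example.test": "v=BIMI1; l=https://brand-example.test/logo.svg;",
    "_dmarc.nopolicy.example": "v=DMARC1; p=none",
    "default._bimi.nopolicy.example": "v=BIMI1; l=https://nopolicy.example/logo.svg",
}


def parse_tags(record):
    """Split a 'k=v; k=v' style TXT record into a dict; the first tag wins."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip())
    return tags


def evaluate_bimi(from_domain, dmarc_result, require_evidence=True):
    """Return (verdict, logo_url, reason). The verdict is what the receiver would
    store as the message property that a client later reads before loading the logo.
    Verdict strings are illustrative, not a header syntax from the drafts."""
    if dmarc_result != "pass":
        return ("skipped", None, "DMARC did not pass")
    dmarc = parse_tags(DNS_TXT.get("_dmarc." + from_domain, ""))
    if dmarc.get("p") not in ("quarantine", "reject"):
        return ("skipped", None, "DMARC policy is not enforcing")
    bimi = parse_tags(DNS_TXT.get("default._bimi." + from_domain, ""))
    if bimi.get("v") != "BIMI1":
        return ("none", None, "no BIMI assertion record for the From domain")
    logo = bimi.get("l", "")
    if urlparse(logo).scheme != "https":
        return ("fail", None, "logo location must be an https URL")
    # DMARC only proves the From domain is the one that sent the mail, so any
    # domain can pass this far with its own records. Presence of an evidence
    # document is checked here; a real receiver must validate that certificate
    # (chain, domain name, logo hash) before trusting the logo.
    if require_evidence and not bimi.get("a"):
        return ("fail", None, "no evidence document referenced for the logo")
    return ("pass", logo, "From domain authenticated and logo evidence referenced")
```

With `require_evidence=False` the lookalike domain is accepted, which is the gap the thread is pointing at; the evidence requirement is what the CA-based implementation adds.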