VMG (Yahoo/Aol) uses their own matching table (domain <=> brand <=> logo), mixed with reputation (you proved you're good, then we can display the logo). In other words, they don't display the logo for just any BIMI record. As Marcel said, the main challenge is scalability as it requires manual tweaking.
Gmail's approach is, as often/always, to only implement if it's scalable/automatic, and that means relying on CA, themselves relying on trademarks of logos, to avoid having someone abusing someone else's logo. The whole process is yet TBD, folks will be busy during this pilot phase =)

Both approaches are valid, and there might be other options. In any case, the logo abuse point is a long-time concern and was one of the reasons why BIMI stalled for some time a few years ago. But yes, it's up to the MUA to make sure logos can't be abused, like it's up to the MUA to display friendly From: instead of visible From:'s email address even if the friendly From: looks like an email address (yet Outlook, I'm looking at you). It's easier if the MUA and the mail server are both managed by the same entity.

> As a small mail server administrator this raises a lot of questions about
> actual implementation and what tools are available to implement this standard.

You might need to define a new approach for it if it doesn't exist yet. Or wait for someone else to do it. Also, as a small server administrator, you probably don't develop your own webmail/MUA, so probably the challenge would be to work with webmail's developers (it's been a long time since I touched that part so the only name that comes to me is roundcube, but I guess there are others) on the implementation.

--
Benjamin

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Ted Hatfield via mailop
Sent: Thursday 23 July 2020 04:23
To: Matt Corallo <mail...@as397444.net>
Cc: mailop <mailop@mailop.org>; Marcel Becker <marcel.bec...@verizonmedia.com>
Subject: Re: [mailop] BIMI pilot @ Google

Further down in one of the faq's on the bimigroup website is a link to an IETF document.

draft-brotman-ietf-bimi-guidance-01
https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-01

It has information on the actual recommended implementation of BIMI including more information about BIMI Certificates.
It appears that to reach widespread adoption of this protocol we're going to be creating a new kind of certificate authority that is specific to trademarked images and logos. All so we can certify that the logo passes BIMI verification.

Read section 6.4. Basic flow example.

If the bimi verification passes,

o The email receiver then sets either the appropriate IMAP flags, or other mailstore flag, or other message property that signals to a downstream email client that the message passed BIMI and is safe to load the logo, along with a pointer to the logo (e.g., to the https location specified in the BIMI record).

o What eventually happens is the email client then looks at the flags set by the email receiver (MTA). If the flags are set to show a BIMI logo, then the email client downloads the image and displays it in the sender photo (or however else it chooses to render the BIMI logo in conjunction with the message).

As a small mail server administrator this raises a lot of questions about actual implementation and what tools are available to implement this standard.

Ted

On Wed, 22 Jul 2020, Matt Corallo via mailop wrote:

> The standard appears to provide no protection whatsoever, but the specific
> implementation announced by Google relies on
> CAs to "authenticate" the domains' logo. Seems like there should be a
> standard for that, too.
>
> Matt
>
> On 7/22/20 9:17 PM, Ted Hatfield via mailop wrote:
>>
>>
>> On Wed, 22 Jul 2020, Marcel Becker via mailop wrote:
>>> On Wed, Jul 22, 2020 at 5:27 PM Ted Hatfield <t...@io-tx.com> wrote:
>>>
>>> Maybe this is a stupid question but
>>>
>>>
>>> Excuse me, but: Re-read the Google announcement and https://bimigroup.org
>>> ;-)
>>>
>>
>>
>> I read the page at https://bimigroup.org/
>>
>> The first statement to come up is:
>>
>>
>> What is BIMI?
>>
>> Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee)
>> is an emerging email specification that enables the use of brand-controlled
>> logos within supporting email clients. BIMI leverages the
>> work an organization has put into deploying DMARC protection, by bringing
>> brand logos to the customer's inbox. For the brand's logo to be displayed,
>> the email must pass DMARC authentication checks, ensuring that the
>> organization's domain has not been impersonated.
>>
>>
>> How does enabling bimi keep someone from publishing their own dmarc, spf,
>> and dkim records and still impersonating your brand image?
>>
>> Isn't it just a little disingenuous to promote this as an anti-phishing
>> scheme when all it does is add brand and logo
>> marketing to a person's email.
>>
>>
>> Ted
>>
>> _______________________________________________
>> mailop mailing list
>> mailop@mailop.org
>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
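
An added example, not part of the original thread and not any mail server's own code: a Python sketch of the receiver-side decision from the section 6.4 flow quoted above, showing why a DMARC pass alone does not get a self-published logo displayed when the receiver also asks for CA-issued evidence. The function names, the `require_evidence` switch and the sample records are assumptions for illustration; `v`, `l` and `a` are the tags of the BIMI record format.

```python
from urllib.parse import urlparse

def parse_bimi_record(txt):
    """Parse a BIMI TXT record ('v=BIMI1; l=...; a=...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        raise ValueError("not a BIMI1 record")
    return tags

def is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def bimi_decision(dmarc_result, bimi_txt, require_evidence=True):
    """Return (show_logo, logo_url, reason) for the receiver to pass to the MUA."""
    if dmarc_result != "pass":
        return (False, None, "dmarc did not pass")
    if not bimi_txt:
        return (False, None, "no BIMI record")
    try:
        tags = parse_bimi_record(bimi_txt)
    except ValueError as exc:
        return (False, None, str(exc))
    logo = tags.get("l", "")
    if not is_https(logo):
        return (False, None, "logo location missing or not https")
    # Presence check only: a real receiver must also fetch and validate the
    # evidence document against the logo; that step is out of scope here.
    if require_evidence and not is_https(tags.get("a", "")):
        return (False, None, "no authority evidence (a=) to vouch for the logo")
    return (True, logo, "ok")

# Constructed sample records; example.com and example.net are placeholders.
WITH_EVIDENCE = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
SELF_ASSERTED = "v=BIMI1; l=https://example.net/lookalike.svg"

if __name__ == "__main__":
    cases = [("pass", WITH_EVIDENCE), ("pass", SELF_ASSERTED), ("fail", WITH_EVIDENCE)]
    for dmarc, record in cases:
        print(dmarc, "->", bimi_decision(dmarc, record))
```

The tuple returned by `bimi_decision` stands in for the IMAP flag or message property that the receiver would set for the downstream client.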