Re: [mailop] BIMI pilot @ Google

2020-07-27 Thread Roger Marquis via mailop
John Levine wrote: In article <20200725194707.ga19...@rafa.eu.org> you write: My bank - as I have already mentioned in this thread - S/MIME signs the contents of their messages. ... Where do you live? I've never heard of a bank here in North America doing that. Here they barely understand SP

Re: [mailop] BIMI pilot @ Google

2020-07-26 Thread Dave Crocker via mailop
On 7/25/2020 2:41 PM, Robert L Mathews via mailop wrote: On 7/25/20 1:52 AM, Christian de Larrinaga via mailop wrote: My question is is it useful? Yes, absolutely. If it's a security-sensitive message, like one from my bank, it's useful for my mail client to show that it was really sent by (DK

Re: [mailop] BIMI pilot @ Google

2020-07-26 Thread Jaroslaw Rafa via mailop
On 25.07.2020 at 14:41:30, Robert L Mathews via mailop wrote: > A system that actually works probably requires neutral feedback for > known legitimate messages, and warnings for illegitimate messages, so > that it surprises people when a message supposedly from their bank has a > warning. If

Re: [mailop] BIMI pilot @ Google

2020-07-26 Thread Jaroslaw Rafa via mailop
On 25.07.2020 at 19:12:03, John Levine via mailop wrote: > In article <20200725194707.ga19...@rafa.eu.org> you write: > >My bank - as I have already mentioned in this thread - S/MIME signs the > >contents of their messages. ... > > Where do you live? I've never heard of a bank here in North

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread John Levine via mailop
In article <20200725194707.ga19...@rafa.eu.org> you write: >My bank - as I have already mentioned in this thread - S/MIME signs the >contents of their messages. ... Where do you live? I've never heard of a bank here in North America doing that. Here they barely understand SPF. R's, John

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Suresh Ramasubramanian via mailop
Ramasubramanian Cc: mailop@mailop.org Subject: Re: [mailop] BIMI pilot @ Google On 7/25/2020 2:32 PM, Suresh Ramasubramanian via mailop wrote: > Oh, all I’m saying is that presenting the logo without a proper check or > after being fooled into a proper check would be a problem. And there’

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Dave Crocker via mailop
On 7/25/2020 2:32 PM, Suresh Ramasubramanian via mailop wrote: Oh, all I’m saying is that presenting the logo without a proper check or after being fooled into a proper check would be a problem.  And there’d be some creative ways (css? logo included at random other places in the friendly from?

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Dave Crocker via mailop
On 7/25/2020 2:06 PM, Jaroslaw Rafa via mailop wrote: On 25.07.2020 at 13:21:02, Dave Crocker via mailop wrote: DKIM is intended for use by receiving filtering engines, not end-user evaluation. Apparently you believe that displaying security-related information to end-users is helpful?

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Robert L Mathews via mailop
On 7/25/20 1:52 AM, Christian de Larrinaga via mailop wrote: > My question is is it useful? Yes, absolutely. If it's a security-sensitive message, like one from my bank, it's useful for my mail client to show that it was really sent by (DKIM signed by) them to increase my trust in it. My bank doe

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Suresh Ramasubramanian via mailop
From: mailop on behalf of Dave Crocker via mailop Sent: Saturday, July 25, 2020 11:32:46 PM To: mailop@mailop.org Subject: Re: [mailop] BIMI pilot @ Google On 7/22/2020 3:45 PM, Marcel Becker via mailop wrote: > However the majority of our users prefer meaning

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Jaroslaw Rafa via mailop
On 25.07.2020 at 13:21:02, Dave Crocker via mailop wrote: > > DKIM is intended for use by receiving filtering engines, not > end-user evaluation. > > Apparently you believe that displaying security-related information > to end-users is helpful? It's not me who claimed here "if your bank se

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Dave Crocker via mailop
On 7/25/2020 12:47 PM, Jaroslaw Rafa via mailop wrote: The fact that the message is signed is prominently displayed by two email clients I use while none of them cares about DKIM verification (besides mentioned Thunderbird plugin, I actually don't know of any mail client - not counting webmails l

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Jaroslaw Rafa via mailop
On 25.07.2020 at 09:36:18, Suresh Ramasubramanian via mailop wrote: > > On the other hand if your bank sends you authenticated mail that your > server verifies you’re sure it is from their server and not from a hacked > machine emitting bank phish My bank - as I have already mentioned in th

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Dave Crocker via mailop
On 7/22/2020 3:45 PM, Marcel Becker via mailop wrote: However the majority of our users prefer meaningful avatars and brand logos in their email experience as it helps them identify email senders and it helps them with triaging. As others have noted, BIMI is a logo-display service, not a

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Suresh Ramasubramanian via mailop
From: mailop on behalf of Christian de Larrinaga via mailop Sent: Saturday, July 25, 2020 2:22:30 PM To: mailop@mailop.org Subject: Re: [mailop] BIMI pilot @ Google I am aware of DKIM and DMARC and SPF. You will note this email address which I self host uses all three

Re: [mailop] BIMI pilot @ Google

2020-07-25 Thread Christian de Larrinaga via mailop
I am aware of DKIM and DMARC and SPF. You will note this email address which I self host uses all three. As do all domains I run for email. My question is is it useful? - given so many lists even one dedicated to email management give "red" unsigned flags - that I get a ton of spam '/ phishi

Re: [mailop] BIMI pilot @ Google

2020-07-24 Thread Robert L Mathews via mailop
On 7/24/20 2:51 AM, Christian de Larrinaga via mailop wrote: > All emails on this list are showing with red DKIM signed boxes That's because this list alters the message From header and body without re-signing it. (If the list re-signed outgoing Mailman messages with a "mailop.org" DKIM signature

Re: [mailop] BIMI pilot @ Google

2020-07-24 Thread John Levine via mailop
In article <7ed4f483-3d83-e6aa-b6f6-07f6f283e...@lightmeter.io> you write: >This is the concerning part -- it seems that BIMI will disadvantage smaller / >independent mail networks by introducing a new barrier to having >their valid mail treated equally to their large corporate peers. Having talk

Re: [mailop] BIMI pilot @ Google

2020-07-24 Thread Jakub Olexa via mailop
Hi, the whole VMC process is still being developed and tested (that's what the pilot is for). I'd say most of the BIMI group members if not all understand that the VMC needs to be affordable. BIMI has not been developed for the fortune 100 but for all brands. Jakub Olexa Founder & CEO E-mail: ja.

Re: [mailop] BIMI pilot @ Google

2020-07-24 Thread Jonathan Leroy - Inikup via mailop
On Wed, 22 Jul 2020 at 14:50, Sidsel Jensen via mailop wrote: > I read today at > https://cloud.google.com/blog/products/g-suite/gsuite-security-updates-for-gmail-meet-chat-and-admin > - that Google/Gmail is starting a BIMI pilot. > I hope Google will share the results of the pilot - perhaps

Re: [mailop] BIMI pilot @ Google

2020-07-24 Thread Sam Tuke via mailop
On 23/07/2020 23:21, Nick via mailop wrote: > On 2020-07-23 21:00 BST, Brandon Long via mailop wrote: >> If you had a workable idea for how to do this without a new authority >> and money changing hands, I'm sure everyone involved would love to >> hear about it. > I'm not as sure as you are. To be p

Re: [mailop] BIMI pilot @ Google

2020-07-24 Thread Matthias Leisi via mailop
> S/MIME offers more traditional digital signatures using CA signed > certificates. I would > not call that widely deployed, I certainly have never seen it from any > marketing/transactional > mail, maybe once or twice from a medical insurance company. Support in mail > clients is > fairly wid

Re: [mailop] BIMI pilot @ Google

2020-07-24 Thread Christian de Larrinaga via mailop
On 23/07/2020 20:06, Andrew C Aitchison via mailop wrote: Are there that many IMAP based mail clients which feature contact avatars? Apparently there is a Thunderbird addon 'dkim verify' which uses the favicon of the signing domain: https://stackoverflow.com/questions/59465208/thunderbird-i

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Matt Palmer via mailop
On Thu, Jul 23, 2020 at 12:56:37PM -0700, Brandon Long via mailop wrote: > On Thu, Jul 23, 2020 at 1:09 AM Nick via mailop wrote: > > On 2020-07-23 03:26 BST, Ted Hatfield via mailop wrote: > > > It appears that to reach wide spread adoption of this protocol we're > > > going to be creating a new

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Brandon Long via mailop
On Thu, Jul 23, 2020 at 2:24 PM Nick via mailop wrote: > On 2020-07-23 21:00 BST, Brandon Long via mailop wrote: > > If you had a workable idea for how to do this without a new authority > > and money changing hands, I'm sure everyone involved would love to > > hear about it. > > I'm not as sure

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Nick via mailop
On 2020-07-23 21:00 BST, Brandon Long via mailop wrote: > If you had a workable idea for how to do this without a new authority > and money changing hands, I'm sure everyone involved would love to > hear about it. I'm not as sure as you are. To be part of BIMI is to be in a relatively exclusive c

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Marcel Becker via mailop
On Thu, Jul 23, 2020 at 1:30 PM Jaroslaw Rafa via mailop wrote: > That's the real purpose of BIMI - > "even if recipient decides not to read our message, let's force him/her to > see our logo at least". It has nothing to do with protection against > anything. Of course it's your choice to ignor

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Jaroslaw Rafa via mailop
On 23.07.2020 at 13:05:26, Brandon Long via mailop wrote: > I don't know whether you're talking about a real thing or not. > > DKIM is a digital signature of a message, and obviously broadly deployed, > but there > are no Certificate Authorities involved. Keys are self generated and > depen

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Brandon Long via mailop
I don't know whether you're talking about a real thing or not. DKIM is a digital signature of a message, and obviously broadly deployed, but there are no Certificate Authorities involved. Keys are self generated and depend on DNS ownership, no more. S/MIME offers more traditional digital signatu

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Brandon Long via mailop
On Thu, Jul 23, 2020 at 1:09 AM Nick via mailop wrote: > On 2020-07-23 03:26 BST, Ted Hatfield via mailop wrote: > > It appears that to reach wide spread adoption of this protocol we're > going > > to be creating a new kind of certificate authority that is specific to > > trademarked images and l

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Andrew C Aitchison via mailop
On Wed, 22 Jul 2020, Brandon Long via mailop wrote: An interesting question might be, how would you implement this for an MUA using IMAP without inbox style exposure... You'd probably have to do it through your contacts server, ie CardDav. Server side, you could collect all of the avatars and p

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread John Levine via mailop
In article <20200723100713.ga2...@rafa.eu.org> you write: >All this BIMI thing seems to be only about increased pushing of big >companies' logos before people's eyes than to any fraud prevention. That's right. It seems basically harmless but I don't see any reason for anyone to care about it unles

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Jaroslaw Rafa via mailop
All this BIMI thing seems to be only about increased pushing of big companies' logos before people's eyes than to any fraud prevention. If it were about fraud prevention, then instead of inventing something completely new, the companies could use solution that is standard, already available and wid

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Vittorio Bertola via mailop
> On 23/07/2020 03:24 Matt Corallo via mailop wrote: > > > The standard appears to provide no protection whatsoever, but the specific > implementation announced by Google relies on > CAs to "authenticate" the domains' logo. Seems like there should be a > standard for that, too. It's i

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Benjamin BILLON via mailop
Benjamin -Original Message- From: mailop On Behalf Of Ted Hatfield via mailop Sent: Thursday, 23 July 2020 04:23 To: Matt Corallo Cc: mailop ; Marcel Becker Subject: Re: [mailop] BIMI pilot @ Google Further down in one of the faq's on the bimigroup website is a link to an IETF d

Re: [mailop] BIMI pilot @ Google

2020-07-23 Thread Nick via mailop
On 2020-07-23 03:26 BST, Ted Hatfield via mailop wrote: > It appears that to reach wide spread adoption of this protocol we're going > to be creating a new kind of certificate authority that is specific to > trademarked images and logos. All so we can certify that the logo passes > BIMI verificati

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Ted Hatfield via mailop
Further down in one of the faq's on the bimigroup website is a link to an IETF document. draft-brotman-ietf-bimi-guidance-01 https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-01 It has information on the actual recommended implementation of BIMI including more information about

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Daniel Jakots via mailop
On Wed, 22 Jul 2020 20:59:54 -0400, Matt Corallo via mailop wrote: > but I don't see an answer to this question I assume it's the sentence > We’ll be starting the BIMI pilot in the coming weeks with a limited > number of senders, and with two Certification Authorities to validate > logo ownersh

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Matt Corallo via mailop
The standard appears to provide no protection whatsoever, but the specific implementation announced by Google relies on CAs to "authenticate" the domains' logo. Seems like there should be a standard for that, too. Matt On 7/22/20 9:17 PM, Ted Hatfield via mailop wrote: > > > On Wed, 22 Jul 20

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Matt Corallo via mailop
Right, the BIMI website doesn't mention it anywhere, silly me forgot to read the non-official source :). On 7/22/20 9:20 PM, Daniel Jakots wrote: > On Wed, 22 Jul 2020 20:59:54 -0400, Matt Corallo via mailop > wrote: > >> but I don't see an answer to this question > > I assume it's the sentenc

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Patrick via mailop
On 2020-07-22 20:59, Matt Corallo via mailop wrote: > Maybe I'm missing something, but I don't see an answer to this > question - Ted's point seems well-made and it seems like this will > retrain users to be more vulnerable to phishing attacks by putting the > correct logo on an unrelated domain.

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Ted Hatfield via mailop
On Wed, 22 Jul 2020, Marcel Becker via mailop wrote: On Wed, Jul 22, 2020 at 5:27 PM Ted Hatfield wrote: Maybe this is a stupid question but Excuse me, but: Re-read the Google announcement and https://bimigroup.org ;-)   I read the page at https://bimigroup.org/ The first sta

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Matt Corallo via mailop
Maybe I'm missing something, but I don't see an answer to this question - Ted's point seems well-made and it seems like this will retrain users to be more vulnerable to phishing attacks by putting the correct logo on an unrelated domain. Matt On 7/22/20 8:30 PM, Marcel Becker via mailop wrote:

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 5:27 PM Ted Hatfield wrote: > > Maybe this is a stupid question but > > Excuse me, but: Re-read the Google announcement and https://bimigroup.org ;-)

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 5:22 PM Brandon Long via mailop wrote: > An interesting question might be, how would you implement this for an MUA > using IMAP without inbox style exposure... > > THIS is indeed a very relevant question which I don't think we have a (good enough) answer for. It remains a

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Ted Hatfield via mailop
Maybe this is a stupid question but as BIMI is a txt record in dns An example BIMI TXT record. "v=BIMI1; l=https://images.example.com/somedir/logo.svg;"; What exactly keeps someone from publishing their own BIMI TXT record and simply copying your image. How exactly does this improve fraud

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Brandon Long via mailop
An interesting question might be, how would you implement this for an MUA using IMAP without inbox style exposure... You'd probably have to do it through your contacts server, ie CardDav. Server side, you could collect all of the avatars and populate them per-user into their Contacts data. That m

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Brandon Long via mailop
On Wed, Jul 22, 2020 at 4:46 PM Jim Popovitch via mailop wrote: > On Wed, 2020-07-22 at 11:56 -0700, Marcel Becker via mailop wrote: > > > > On Wed, Jul 22, 2020 at 11:35 AM Jim Popovitch via mailop < > mailop@mailop.org> wrote: > > > On Wed, 2020-07-22 at 14:49 +0200, Sidsel Jensen via mailop wr

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 4:49 PM Jim Popovitch via mailop wrote: > > Good, DMARC is good, but we don't need yet another standard to get DKIM > and SPF into the wider use. > Based on the data I see on the receiving side I disagree. But that's ok. > I hope you understand that most providers don't

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Jim Popovitch via mailop
On Wed, 2020-07-22 at 11:56 -0700, Marcel Becker via mailop wrote: > > On Wed, Jul 22, 2020 at 11:35 AM Jim Popovitch via mailop > wrote: > > On Wed, 2020-07-22 at 14:49 +0200, Sidsel Jensen via mailop wrote: > > > but if the effect is that it will drive up the adoption rate for DMARC > > > the

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 4:06 PM Jim Popovitch via mailop wrote: > > That's inbox tracking, just like tracking pixels that are > blocked by most reasonable and sane filters/firewalls. > No. It's not. And I explained why.

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Jim Popovitch via mailop
On Thu, 2020-07-23 at 00:19 +0200, Jaroslaw Rafa via mailop wrote: > On 22.07.2020 at 14:27:52, Jim Popovitch via mailop wrote: > > "Once verified, the BIMI file tells the email service where to find the > > sender’s logo and the email service pulls that logo into the inbox." > > > > > > I

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 3:30 PM Jaroslaw Rafa via mailop wrote: > > Do I understand correctly that this works on MUA level and not MTA? > > Long answer: http://bimigroup.org Short answer: no, with BIMI you can't track our users. > I'm putting > "feature" in quotes because I see absolutely no b

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Jaroslaw Rafa via mailop
On 22.07.2020 at 14:27:52, Jim Popovitch via mailop wrote: > > "Once verified, the BIMI file tells the email service where to find the > sender’s logo and the email service pulls that logo into the inbox." > > > I don't think this is anything about DMARC, this is about inbox > tracking. D

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 11:35 AM Jim Popovitch via mailop wrote: > On Wed, 2020-07-22 at 14:49 +0200, Sidsel Jensen via mailop wrote: > > but if the effect is that it will drive up the adoption rate for DMARC > then I am clapping my hands. > > "Once verified, the BIMI file tells the email service

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Zack Aab via mailop
>I don't think this is anything about DMARC... BIMI requires an enforced DMARC policy, so the idea is that it will increase adoption because marketing teams will be motivated to put pressure on their security/IT teams to implement DMARC in the hopes of improving brand recognition, reducing phishing

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Jim Popovitch via mailop
On Wed, 2020-07-22 at 14:49 +0200, Sidsel Jensen via mailop wrote: > but if the effect is that it will drive up the adoption rate for DMARC then I > am clapping my hands. "Once verified, the BIMI file tells the email service where to find the sender’s logo and the email service pulls that logo in

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Kurt Andersen (b) via mailop
October will be too soon to have any meaningful results, but February might be more reasonable. --Kurt On Wed, Jul 22, 2020 at 5:50 AM Sidsel Jensen via mailop wrote: > Hi peeps > > I read today at > https://cloud.google.com/blog/products/g-suite/gsuite-security-updates-for-gmail-meet-chat-and-

[mailop] BIMI pilot @ Google

2020-07-22 Thread Sidsel Jensen via mailop
Hi peeps I read today at https://cloud.google.com/blog/products/g-suite/gsuite-security-updates-for-gmail-meet-chat-and-admin - that Google/Gmail is starting a BIMI pilot. I hope Google will