lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License
208 stars 34 forks

Allow BIMI without certificates, or add a DNS OpenPGP public key check for the svg logo file. #417

Closed Olivier-ADLER closed 7 months ago

Olivier-ADLER commented 8 months ago

BIMI is not practicable for individuals or small companies because of the price of the certificate and the necessity to have a brand record for the logo. The certificate check is not mandatory, so would it be possible to relax the BIMI certificate check, at least for some well-known domains?

Nowadays all other protections, SSL, DNSSEC, SPF, DKIM, DMARC, DANE, Blacklists, virus scans, spams scans, content analysis, give a very good level of protections even without one more certificate.

I did put a BIMI record in my domain and I'm able to see it with FairEmail. It would be nice to see that in this extension.

Or allow signing the SVG graphic file with an OpenPGP public key DNS record instead of the special certificate.

I could test that if necessary.

lieser commented 8 months ago

What follows is a slightly longer description of the current use case of BIMI. I understand your (and others') concern about the requirement of paid certificates, but at least for how I want to use BIMI in my add-on I think the certificates add a required value. More concrete answers to your questions are at the bottom.

I can think of the following different use cases for wanting to show an icon beside the sender, e.g. using BIMI:

  1. Just for allowing senders to show some icon to make it look nicer, similar to how they can already influence the display name.
  2. As an explicit security feature, to make it easier for users to recognize that a mail comes from a specific trusted source. I.e. when the user sees the PayPal icon he can be sure the mail is coming from PayPal.

The icon this add-on shows was added for the second use case. This use case requires that there is some trust relation between the shown icon and the SDID of the DKIM signature. By this I mean not just that the domain signs the icon it wants to be shown, but also making sure a malicious domain is not able to use an icon from another well-known brand.

Currently the add-on has two such sources for this trust relation:

  1. An internally maintained mapping. For more information see https://github.com/lieser/dkim_verifier/wiki/Contribute#sign-rules-and-favicons.
  2. BIMI

Now about BIMI, and how the add-on is using it. First note that the add-on is not doing any BIMI lookup or VMC verification itself. It just reads the BIMI result a mail server wrote into the Authentication-Results header (ARH).

It will show the icon from BIMI if the ARH contains a bimi=pass result where policy.authority=pass is set. The policy.authority is where the trust relation between the icon and the domain comes from.

When exactly will a mail server write policy.authority=pass into the ARH? The description of policy.authority is a little vague. But my current interpretation is that the server is basically promising us that it verified in some undefined way (which is a detail that should not really matter to us) that the icon it wrote into the BIMI-Indicator header can be trusted to belong to the domain.

A Verified Mark Certificate (VMC) is for me just one valid source of such verification. A server could also use some other way to ensure this trust relation, e.g. by maintaining some internal mapping similar to what this add-on is currently doing.

The certificate check is not mandatory, so would it be possible to relax the BIMI certificate check, at least for some well-known domains?

Like I wrote above, the add-on itself is not doing any BIMI certificate checks, and strictly speaking also does not require them to be done. But in practice a valid VMC is probably currently the only way a mail server will write the required policy.authority=pass into the Authentication-Results header (ARH). And the add-on will continue to require this.

I did put a BIMI record in my domain and I'm able to see it with FairEmail. It would be nice to see that in this extension.

BIMI is not the only way for this add-on to show an icon; your domain could also be added to an internal list of trusted domains. More information at https://github.com/lieser/dkim_verifier/wiki/Contribute#sign-rules-and-favicons.

Or allow signing the SVG graphic file with an OpenPGP public key DNS record instead of the special certificate.

I don't see how this would be enough for the trust relationship between the icon and domain this add-on requires.
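The decision rule described in the comment above (show the BIMI icon only for a bimi=pass result that also carries policy.authority=pass), as an added example. This is not the add-on's own code: it is a small stand-alone parser for the Authentication-Results header in the general shape of RFC 8601 (authserv-id; method=result properties...), using the header.d and policy.authority property names from the BIMI specification. Two things in it are assumptions added for the example rather than anything the comment states: the caller passes a list of authserv-ids whose ARH it trusts (an ARH from an unknown server is ignored), and the BIMI domain is compared against the DKIM SDID so the icon stays tied to the domain that signed the mail. All header values and server names are constructed.

```javascript
// Added example, not code from the dkim_verifier add-on.
// Parse an Authentication-Results header value (simplified RFC 8601: comments
// and folding are not handled) into the authserv-id and a list of results.
function parseAuthenticationResults(headerValue) {
  const parts = headerValue.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  // First part is "authserv-id [version]"; keep only the id.
  const authservId = parts[0].split(/\s+/)[0];
  const results = [];
  for (const resinfo of parts.slice(1)) {
    const tokens = resinfo.split(/\s+/);
    const m = /^([a-z0-9-]+)=([a-z0-9-]+)$/i.exec(tokens[0]);
    if (!m) continue; // "none" or a malformed resinfo: skip it
    const entry = { method: m[1].toLowerCase(), result: m[2].toLowerCase(), props: {} };
    for (const t of tokens.slice(1)) {
      const eq = t.indexOf("=");
      // Property names such as header.d / policy.authority are case-insensitive.
      if (eq > 0) entry.props[t.slice(0, eq).toLowerCase()] = t.slice(eq + 1);
    }
    results.push(entry);
  }
  return { authservId, results };
}

// Decide whether a BIMI indicator may be shown for this mail.
// trustedAuthservIds (assumption): ARH lines from other servers are ignored.
// dkimSdid (assumption): SDID of the verified DKIM signature, or null to skip the check.
function bimiIndicatorDecision(headerValue, trustedAuthservIds, dkimSdid) {
  const arh = parseAuthenticationResults(headerValue);
  if (!arh) return { show: false, reason: "unparseable ARH" };
  if (!trustedAuthservIds.includes(arh.authservId)) {
    return { show: false, reason: `ARH from untrusted server ${arh.authservId}` };
  }
  const bimi = arh.results.find((r) => r.method === "bimi");
  if (!bimi) return { show: false, reason: "no bimi result in ARH" };
  if (bimi.result !== "pass") return { show: false, reason: `bimi=${bimi.result}` };
  // This is the trust relation the comment relies on: the server states it
  // verified that the indicator belongs to the domain.
  if (bimi.props["policy.authority"] !== "pass") {
    return { show: false, reason: "policy.authority is not pass (no verified mark)" };
  }
  const bimiDomain = bimi.props["header.d"];
  if (dkimSdid && bimiDomain && bimiDomain.toLowerCase() !== dkimSdid.toLowerCase()) {
    return { show: false, reason: "BIMI domain does not match DKIM SDID" };
  }
  return { show: true, reason: "bimi=pass with policy.authority=pass", domain: bimiDomain };
}

// Constructed sample ARH values (server names and domains are placeholders).
const SAMPLE_HEADERS = {
  // Server saw a verified mark: icon may be shown.
  vmc: "mx.example.net; dkim=pass header.d=example.org header.s=sel; " +
       "bimi=pass header.d=example.org header.selector=default policy.authority=pass " +
       "policy.authority-uri=https://example.org/vmc.pem",
  // BIMI record found and fetched, but no authority evidence: icon is not shown.
  noVmc: "mx.example.net; bimi=pass header.d=example.org header.selector=default policy.authority=none",
  // BIMI evaluation failed outright.
  fail: "mx.example.net; bimi=fail header.d=example.org",
  // Same claims, but written by a server that is not in the trusted list.
  untrusted: "mx.other.invalid; bimi=pass header.d=example.org policy.authority=pass",
};

// Stand-alone run: print the decision for each sample.
for (const [name, value] of Object.entries(SAMPLE_HEADERS)) {
  const d = bimiIndicatorDecision(value, ["mx.example.net"], "example.org");
  console.log(`${name}: show=${d.show} (${d.reason})`);
}
```

Only the first sample results in an icon; the second shows why a BIMI record alone (bimi=pass without policy.authority=pass) is not enough for the add-on's second use case, and the last shows why the ARH has to come from a server the client actually trusts.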

lieser commented 7 months ago

I will close this now, assuming my explanation of how BIMI and the icons are used in the add-on was understandable.

I'm open to any additional ideas on how the BIMI integration could be improved, without sacrificing the usage of the icons as a security feature.