Dnia 11.01.2024 o godz. 14:34:16 Laurent S. via mailop pisze: > The trademark verification is only for those that pay for it. Nothing > forbids a MUA from displaying an unverified BIMI. Most are luckily not > doing it (yet), I just want to warn that if this becomes common, it will > be abused for sure. I don't think that the regular user will check if > the little extra lock is there on the icon. They'll see a version of the > paypal logo on the phish and have an extra feeling of safety.
Dnia 11.01.2024 o godz. 17:52:34 G. Miliotis via mailop pisze: > What I believe will happen is most non-big mail client apps will > support BIMI if they support avatars, otherwise, they won't, cause > the arguments on the receiver side are the same for both features. > > I don't buy the "promoting authentication" argument. And it's clearly visible from the Laurent's mail that if MUAs will display the unverified BIMI logos (and what would prohibit them from that?) the "authentication" factor can be even weaker than with no avatars at all - because user who is convinced that the logo being displayed means that the message is genuine, may not even look at the actual sender field. Also, if a hypothetical MUA displays BIMI logos, but also displays avatars obtained by other means (one of the users in the thread mentioned a MUA he develops that uses eg. favicons, or Gravatar service for that purpose), how the user is supposed to distinguish which avatars are verified BIMI logos, and which ones come from a totally different source? Trying to look at the "broad picture", I realized that the whole concept of BIMI may actually work as designed *only* if MUA developers could be somehow *legally prohibited* from displaying any other avatars than verified BIMI logos. Which not only seems totalitarian in nature, but also politically completely impossible to actually implement. Otherwise, the non-BIMI avatars displayed along the messages, mixed with BIMI ones, will just facilitate phishing instead of making it more difficult. All the manual work on verifying logos and money invested into it will be basically a wasted effort. -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop