As an aside, I find it interesting that the BIMI Group doesn't have 
a Verified Mark (no PEM specified in the "a=" parameter):

                https://bimigroup.org/bimi-generator/

        Just type "bimigroup.org" in that form and see the results, which 
show their logo followed by this notice:

                "Note: While your BIMI record is compliant, it doesn't include a 
Verified Mark Certificate that may be required by some mailbox 
providers."

        With all the money that the two CAs the BIMI Group promotes could 
earn, I'm surprised that neither of them has donated a free 
certificate.

        Of course, I feel compelled to point out that I'm doing the same 
thing right now as the BIMI Group is doing (no PEM defined in the 
"a=" parameter), and I think this is fine and that it's perfectly 
okay for the BIMI Group to do it this way too.

        As for the ESP hacking problem, that's one very good example of how 
technology ultimately can't solve all social problems.

> The image has to be specified in the DNS, and it has to be certified w/ a
> VMC. The VMC certification process includes checking if it's trademarked.
> So, in order for a trusted brand's BIMI logo to get spoofed, the email
> would have to be DMARC-authenticated and the logo specified in the DNS
> would be the one presented to the mailbox provider when they do DNS lookups
> on the authentication domains. IOW, the only real way to do it would be
> with account takeovers. If you can hack into the ESP account of a trusted
> brand, then you can send fully-authenticated email for that brand, with its
> BIMI logos.
> 
> The biggest spoofing risk here is with really inclusive SPF records that
> include an entire cloud SMTP provider's IP ranges, where other senders also
> send from those ranges, and they can then send SPF-authenticated email w/ a
> trusted brand's return-path domain, which would then pass DMARC and BIMI.
> But that's a security risk already, BIMI doesn't make it worse. Cloud SMTP
> providers need to do a better job of locking down the sending domains their
> clients can use to prevent that. However, even there, if the DNS accounts
> of domain owners can be hacked into, authorization of domains can be faked,
> too. But, again, that's an existing risk, which BIMI doesn't make any worse.
> 
> -Tim
> 
> On Thu, Jan 11, 2024 at 2:35PM Bastian Blank via mailop <mailop@mailop.org>
> wrote:
> 
> > On Thu, Jan 11, 2024 at 01:45:19PM -0600, Tim Starr via mailop wrote:
> > > To elaborate on Marcel's answer, so he doesn't have to waste time
> > > explaining it all over again, the "different logo" won't be displayed by
> > > the mailbox providers, because it's not the authenticated one.
> >
> > What prohibits them from making it authenticated?  A trademark check?
> >
> > Bastian
> >
> > --
> > Extreme feminine beauty is always disturbing.
> >                 -- Spock, "The Cloud Minders", stardate 5818.4
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
> >
> 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
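The two points made above (a BIMI record can be fully compliant while carrying no VMC in its "a=" parameter, and the logo is only ever shown for mail that passes DMARC at an enforcing policy) can be checked mechanically from DNS. The following is an added example written for this page, not code from the thread, the BIMI Group, or the bimi-generator tool. The zone contents are constructed and embedded in place of real DNS lookups (they do not describe bimigroup.org's actual records), and the DMARC enforcement threshold it applies (p=reject, or p=quarantine with pct=100) is stated as an assumption drawn from the BIMI draft rather than from anything in the messages above.

```python
"""Check a domain's BIMI readiness from its DNS TXT records (offline).

Added example, not part of the mailop thread. DNS answers are embedded below
instead of being looked up; domain names and record contents are constructed
for illustration only.
"""
from urllib.parse import urlparse

# Constructed stand-in for DNS TXT lookups (assumption: illustrative records,
# not real zones).
FAKE_DNS_TXT = {
    # Compliant BIMI record with an empty a= (no VMC), enforcing DMARC.
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # Plain-http logo URL and a DMARC policy that only quarantines half the mail.
    "default._bimi.weak.example": "v=BIMI1; l=http://weak.example/logo.svg; a=https://weak.example/vmc.pem",
    "_dmarc.weak.example": "v=DMARC1; p=quarantine; pct=50",
    # Well-formed BIMI record, but DMARC is in monitoring mode only.
    "default._bimi.none.example": "v=BIMI1; l=https://none.example/logo.svg; a=https://none.example/vmc.pem",
    "_dmarc.none.example": "v=DMARC1; p=none",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (BIMI and DMARC share this syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_bimi(domain: str, selector: str = "default", lookup=FAKE_DNS_TXT.get) -> list:
    """Return findings as ('error'|'warning', message) tuples.

    A record can be syntactically compliant yet carry no VMC (empty a=), which
    is reported as a warning, matching the notice the generator page shows.
    DMARC enforcement check is an assumption from the BIMI draft:
    p=reject, or p=quarantine with pct=100.
    """
    findings = []
    bimi = lookup(f"{selector}._bimi.{domain}")
    if bimi is None:
        return [("error", "no BIMI record")]
    tags = parse_tags(bimi)
    if tags.get("v") != "BIMI1":
        findings.append(("error", "v= must be BIMI1"))
    logo = tags.get("l", "")
    if not logo or urlparse(logo).scheme != "https":
        findings.append(("error", "l= must be an https URL to the SVG logo"))
    if not tags.get("a"):
        findings.append(("warning", "compliant, but no VMC in a=; some mailbox providers may not show the logo"))
    elif urlparse(tags["a"]).scheme != "https":
        findings.append(("error", "a= must be an https URL to the PEM certificate"))

    # The logo is only displayed for DMARC-authenticated mail, so the DMARC
    # policy decides whether BIMI can apply at all.
    dmarc = lookup(f"_dmarc.{domain}")
    if dmarc is None:
        findings.append(("error", "no DMARC record; BIMI requires DMARC enforcement"))
        return findings
    d = parse_tags(dmarc)
    policy, pct = d.get("p", "none"), int(d.get("pct", "100"))
    if not (policy == "reject" or (policy == "quarantine" and pct == 100)):
        findings.append(("error",
                         f"DMARC p={policy} pct={pct} is not enforcing; "
                         "BIMI needs p=reject or p=quarantine with pct=100"))
    return findings


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "none.example", "missing.example"):
        for level, msg in check_bimi(name):
            print(f"{name}: {level}: {msg}")
```

To run it against live DNS, replace the `lookup` argument with a function that fetches the TXT record for the given name (for example via dnspython) and joins its strings; the checks themselves do not change.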

