Re: [mailop] [E] Re: BIMI status and interoperation possibilities

2021-11-09 Thread Marcel Becker via mailop
On Tue, Nov 9, 2021 at 8:16 AM Mary via mailop  wrote:

>
> The moment I read that BIMI requires payment, my mind went to the paid SSL
> certificates and how it's all about scamming normal people for money they
> shouldn't pay in the first place.
>
>
BIMI itself is free (as free as DMARC or any other DNS text records can
be). VMCs might cost money.
Not all MBPs evaluating BIMI records require a VMC.

- Marcel
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] BIMI status and interoperation possibilities

2021-11-09 Thread Mary via mailop

The moment I read that BIMI requires payment, my mind went to the paid SSL 
certificates and how it's all about scamming normal people for money they 
shouldn't pay in the first place.

Once it becomes free (for example if Let's Encrypt starts supporting BIMI) then 
I'll consider it, otherwise no thanks :)



On Mon, 8 Nov 2021 20:54:00 -0500 Tom Kulzer via mailop  
wrote:

> Emails from our blog come from the aweber.com domain which uses BIMI and is 
> VMC authenticated.
> 
> https://blog.aweber.com/
> 
> -Tom
> 
> 
> > On Nov 1, 2021, at 12:26 PM, Vsevolod Stakhov via mailop 
> >  wrote:
> > 
> > Hello Al,
> > 
> > That works like a charm, thank you!
> > 
> > [2021-11-01T16:09:24.566Z INFO  bimi_agent::mini_pki] added trusted CA
> > cert with fp
> > 504386c9ee8932fecc95fade427f69c3e2534b7310489e300fee448e33c46b42
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] got valid pem for
> > domain cnn.com
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verify domain cnn.com
> > against pattern cnn.com
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verified name for
> > domain cnn.com
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verified expiry for
> > domain cnn.com
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verified key usage for
> > domain cnn.com
> > [2021-11-01T16:09:24.568Z DEBUG bimi_agent::cert] verified PKI for
> > domain cnn.com
> > [2021-11-01T16:09:24.568Z DEBUG bimi_agent::cert] got data url for cnn.com
> > [2021-11-01T16:09:24.568Z DEBUG bimi_agent::cert] got data url for
> > data:image/svg+xml;base64,H4...
> > [2021-11-01T16:09:24.569Z INFO  bimi_agent::handler] processed
> > certificate for cnn.com
> > 
> > They use the same digicert chain and are hosted by Valimail.
> > 
> > For now, I'm interested in VMC based BIMI records as I have totally no
> > ideas about what to do with non-VMC as any malicious actor can send
> > their email and publish, e.g. Google logo for any possible domain once
> > it has valid DMARC as well.
> > 
> > I could use our DMARC_WHITELIST list for that purpose but I need to
> > think about it...
> > 
> > VMC is hard and expensive to obtain indeed but it provides at least some
> > level of trust.
> > 
> > Presumably we should use other consensus and authority system for this
> > stuff nowadays aside of PKI with CA who could clearly do bad things for
> > profit (like they did many times in the past).
> > 
> > I would also like to say thanks to other people who have replied as I
> > don't want to amplify ML traffic by individual messages solely with this
> > purpose :)
> > 
> > On 01/11/2021 15:40, Al Iverson wrote:  
> >> CNN has implemented VMC:
> >> https://www.digicert.com/news/pr/digicert-issues-certificate-to-cnn-for-bimi-email-standard/
> >> https://xnnd.com/dns.cgi?t=bimi=cnn.com
> >> Their newsletters would be good emails to sign up for, for testing
> >> your BIMI implementation:
> >> https://www.cnn.com/newsletters
> >> 
> >> If you want mail from a non-VMC using sender that publishes a BIMI
> >> record, perhaps wish.com?
> >> https://xnnd.com/dns.cgi?t=bimi=wish.com=
> >> https://www.wish.com/
> >> 
> >> Hope that helps!
> >> 
> >> Cheers,
> >> Al Iverson
> >> 
> >> On Mon, Nov 1, 2021 at 10:08 AM Vsevolod Stakhov via mailop
> >>  wrote:  
> >>> 
> >>> Hello,
> >>> 
> >>> I'm currently building a prototype of BIMI agent in Rspamd as per this
> >>> Github issue: https://github.com/rspamd/rspamd/issues/3935
> >>> 
> >>> However, this technology seems to be very immature and only fragmentarily
> >>> documented in some aspects. I was able to find just one (!) valid VMC
> >>> for `valimail.com` domain in the wild. Other participants of the BIMI WG
> >>> either do not publish BIMI records (e.g. Google), provide just an image
> >>> without VMC (e.g. Proofpoint) or even publish an expired VMC (e.g.
> >>> Paypal)...
> >>> 
> >>> Furthermore, even a valid VMC from Valimail does not include any
> >>> system-wide trusted CA apart of the specific VMC CA that is not trusted
> >>> by system nor cross-signed by other DigiCert CAs (so I had to implement
> >>> my own PKI based on trusted fingerprints which is acceptable but not
> >>> pleasant).
> >>> 
> >>> For now, I'm looking for some other options to test BIMI and one thing
> >>> I'm missing critically is an example of an email that could be validated
> >>> by DMARC for the domain that has a valid BIMI record (either normal but
> >>> preferably with VMC). So I would appreciate any help in getting such
> >>> messages, e.g. if anyone who can send email on behalf of Valimail.com
> >>> domain could send me a message with any content to my personal email.
> >>> 
> >>> I would also appreciate any information about where to get further
> >>> details without signing any sort of bogus agreements which I personally
> >>> will never ever sign (as I have a strong belief that all Internet
> >>> standards must be open for the general public).
> >>> ___
> >>> 
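
[Added example, not part of any message in this thread and not Rspamd or bimi_agent code.] The display policy discussed above (trust a VMC only when it was issued under a CA pinned by fingerprint, and refuse self-asserted logos unless the domain is locally allowlisted), sketched in Python. It assumes the standard BIMI record tags (v=, l=, a=) and that name, expiry, key usage and chain checks were already done by an X.509 library; all function names, domains and the allowlist are hypothetical.

```python
import hashlib

def parse_bimi(txt):
    """Split a BIMI assertion record (TXT at default._bimi.<domain>) into tags."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if not pairs or pairs[0][0].strip().lower() != "v" or tags["v"] != "BIMI1":
        raise ValueError("record must start with v=BIMI1")
    for key in ("l", "a"):
        if tags.get(key) and not tags[key].lower().startswith("https://"):
            raise ValueError(f"{key}= must be an https URL")
    return tags

def fingerprint(der):
    """SHA-256 over the DER bytes, hex-encoded like the 'fp' in the log above."""
    return hashlib.sha256(der).hexdigest()

def logo_decision(domain, txt, dmarc_pass, issuer_der, pinned, allowlist):
    """Return (show_logo, reason). issuer_der is the root of an already
    validated VMC chain (assumption: validated elsewhere), or None."""
    if not dmarc_pass:
        return False, "DMARC did not pass"
    tags = parse_bimi(txt)
    if not tags.get("l"):
        return False, "no logo published"
    if tags.get("a"):
        if issuer_der is not None and fingerprint(issuer_der) in pinned:
            return True, "VMC issued under a pinned CA"
        return False, "VMC issuer is not a pinned CA"
    if domain in allowlist:
        return True, "no VMC, domain is on the local allowlist"
    return False, "self-asserted logo without VMC"

# Constructed sample data: placeholder bytes, not real certificates.
VMC_CA = b"constructed VMC CA certificate (DER placeholder)"
OTHER_CA = b"constructed unrelated CA (DER placeholder)"
PINNED = {fingerprint(VMC_CA)}
ALLOWLIST = {"partner.example"}  # hypothetical stand-in for a DMARC allowlist
WITH_VMC = "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem"
NO_VMC = "v=BIMI1; l=https://shop.example/logo.svg; a="

if __name__ == "__main__":
    for args in [("brand.example", WITH_VMC, True, VMC_CA),
                 ("brand.example", WITH_VMC, True, OTHER_CA),
                 ("shop.example", NO_VMC, True, None),
                 ("partner.example", NO_VMC, True, None)]:
        print(args[0], logo_decision(*args, PINNED, ALLOWLIST))
```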

Re: [mailop] [E] MacOS Contacts and automatically collected email addresses

2021-11-09 Thread Otto J. Makela via mailop

On 05/11/2021 16.18, Marcel Becker via mailop wrote:


> Now it's quite possible that other contact sources you have
> configured on our Mac are in fact doing what you are describing. (ie
> If you have Google Contacts configured and Google might be doing
> interesting things). Also note that Apple Contacts will "merge" cards
> from multiple sources if it thinks they are the same. But that is
> purely "virtual" and you can "unlink" them. That too should not have
> any impact on anything else.


There may indeed be other variables and devices at play here — e.g. I have
a suspicion that Siri, Google Assistant or Android devices do this kind of
thing to be "helpful". We are a Linux/MacOS/Windows house, with also the
option for some BYOD, so there is room for all kinds of interactions here.

However, whatever the cause, the end result (which we repeatedly have seen
in action) is the same: in the user's Mac Mail email directory, the "canonical"
email address for a user suddenly gets bumped by another address.
This plays havoc with calendar functions, as I noted.


> But now we really completely left the topic of "mailop"

True, but these days calendars and contacts have unfortunately
become a part of the "email user experience", like it or not.

--
   /* * * Otto J. Makela  * * * * * * * * * */
  /* Phone: +358 40 765 5772, ICBM: N 60 10' E 24 55' */
 /* Mail: Mechelininkatu 26 B 27,  FI-00100 Helsinki */
/* * * Computers Rule 0100 01001011 * * * * * * */