1. 10

  2. 17

    Submitter here; I’ve submitted this not because I think it’s a good idea, but because the requirement for EV SSL certificates is another troubling step in pushing access to users in favor of large incumbent players. How long before deliverability from domains without EV certs is penalized?

    1. 14

      When I started reading this, my immediate thought was that it sounded like some attempt by the “CA” members of the CABForum to shore up their business model, somehow. It just smelled like an old turd the CAs had tried to get entrenched in the standards a while back, where the ultimate plan was to have the browsers display some certified logo as a consequence of verifying some certificates.

      Then I scrolled down to this:

      To add an additional layer of security, bodies governing BIMI, referred to as Mark Verifying Authorities (MVA), will ask for additional proof of domain ownership. To get in, you’ll need to obtain an EV (Extended Validation) certificate and meet several additional requirements

      and it started to smell even more like their brand.

      Reading the standard a little more, it’s easy to see that anyone who’s issuing EV certificates to the CABForum’s standards already does just about all of what an MVA would need to do. And MVAs would function by issuing Mark Verifying Certificates (MVCs). And MVAs would need to be approved by the CABForum.

      This is an attempt by the existing CAs to maintain their relevance now that all of their automated vetting functions are being done at no charge by the likes of LetsEncrypt.

      It won’t be a shock if marketing emails need to pay this toll in the not-too-distant future to avoid getting marked as spam by large email providers. The main glimmer of hope that this won’t take hold too strongly is that I don’t think transactional emails can, as a practical matter, go down this path.

      1. 7

If you’re implementing support for this in a mail system, please fetch/cache the image upon receipt, instead of letting this be a user-tracking feature where the image is pulled when the message is opened! A wildcard EV cert and a sub-domain sender per recipient would let you adjust the URL to be retrieved per recipient and bypass tracking pixel protections.

        1. 4

          Yes, this is EV certificates again, but I don’t think it’s a bad idea overall.

E-mail phishing is a real problem. Verification of e-mail authenticity is a total mess. E-mail clients don’t even treat “From” as a security-critical part of the UI like the address bar in web browsers.

          Humans are poor at spotting absence of security indicators, but a familiar brand logo displayed front-and-center has a better chance of working than a generic green padlock.

          CAs charging for automatic DV certs was a farce, but for EV they are supposed to actually perform searches and manually verify trademarks. This involves human labor, so charging for it is fair.

          1. 2

            I think my concern is that large email providers will, once this or a similar scheme gains enough mass, start dumping any email that hasn’t paid this tax (I’m calling it that even while I grant you the verification is a fair thing to charge for) into spam folders.

            While I have a hard time getting very worked up about that for marketing things, if it makes it harder to self host one’s own email, or to get automated transactional emails for a new application delivered to users who’ve requested them, then I think the cure is worse than the disease.

            1. 2

              Self-hosting e-mail is already complex and expensive in practice. Not because of cartels, but because everything that could send e-mails easily and cheaply has been ruined by spammers.

              1. 2

                But also because of cartels, or at least because of a handful of near-monopoly players with coinciding interests.

          2. 3

            The EV cert requirement makes no sense to me. The image isn’t stored in the cert, it’s DNS+HTTPS. Could work fine with any cert.

            1. 1

              I agree, the EV certificate is a showstopper.

              1. 1

                The problem is that anyone can set their own DNS+HTTPS to serve a PayPal-looking logo. It needs a human to say “no, this logo looks misleading, it’s not yours”.

                1. 2

EV never worked to prevent this, though. Major browsers have all either dropped or are in the process of dropping any special address-bar indicator of an EV cert, precisely because it didn’t help and the workarounds were always trivial anyway – everything from stolen identity documents (no obstacle for someone already committed to a criminal enterprise), to just straight-up registering a throwaway business somewhere (which was Ian Carroll’s infamous example; he registered a new company in Kentucky under the name “Stripe, Inc.”) can get you an EV cert.

                  1. 1

                    I think this time it’s substantially different to give it another shot:

• It’s a familiar logo in a prominent location in a relatively uncluttered list that the user actively clicks on. That’s different than a slightly different flavor of a padlock, displayed passively out of view, next to spoofable favicons, among half a dozen other gadgets.

                    • It’s riding the trademark law. Companies know how to zealously defend that. Apple sues companies with a pear in their logo.

There’s still the jurisdiction loophole, which sucks. But at least trademarks are per country, not per state. Maybe they could require either more widely registered trademarks, or e-mail clients could be smart enough to display the logo only when the user’s country is within the trademark’s jurisdiction. This is another advantage over company registration: you can have a company registered in one place and trade world-wide, but you’re supposed to have your trademark registered everywhere you trade.

                  2. 1

                    Yes, but… the logo is not in the EV cert. So even if they check the DNS record and URL before giving out the cert (unlikely, since it’s an unrelated spec) you could just change the logo image after you get the cert.

                    1. 3

                      The article omits this, but the BIMI spec does have a Mark Verified Certificate that validates the image itself. I hope nobody is going to deploy this without verifying the cert, as otherwise that’d be nothing but a complicated favicon.

                      1. 1

                        Would you happen to have a link to the format (or just a sample) of a Mark Verified Certificate? I spent a few minutes casting around for one and could only find press releases from CAs harboring ambitions of issuing them or unlinked references that weren’t specific enough for me to find a draft in the IETF. The descriptions I did find left me a little uncertain whether the artifacts for relying parties would actually carry the logo itself as opposed to a URL controlled by the entity that is being certified.
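An added example, not code from anyone in this thread, covering two points raised above: the fetch-at-receipt policy (so opening a message never makes a network request) and the check that a logo is only trusted when the record carries an evidence document (the `a=` tag, which is where BIMI points at the Mark Verifying Certificate). The record layout `v=BIMI1; l=<logo URL>; a=<evidence URL>` is the BIMI assertion record published at `default._bimi.<domain>`; the `fetcher` callable is a stand-in for the HTTPS client so the example runs offline.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit


def parse_bimi_record(txt: str) -> Optional[Dict[str, str]]:
    """Tag dict for a syntactically valid 'v=BIMI1; l=...; a=...' record, else None."""
    tags: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            return None
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "BIMI1" or "l" not in tags:
        return None
    return tags


def logo_decision(txt: str, require_evidence: bool = True) -> Tuple[bool, str]:
    """(True, logo_url) if the receiver may fetch the logo, else (False, reason)."""
    tags = parse_bimi_record(txt)
    if tags is None:
        return False, "malformed or unsupported record"
    if not tags["l"]:
        return False, "domain declines to publish a logo (empty l=)"
    url = urlsplit(tags["l"])
    if url.scheme != "https" or not url.netloc:
        return False, "logo must be served over https"
    if require_evidence and not tags.get("a"):
        # Without the a= evidence (the Mark Verifying Certificate) the logo
        # is just an image the sender controls: a "complicated favicon".
        return False, "no evidence document, treat as unverified"
    return True, tags["l"]


class LogoCache:
    """Fetch once at delivery; opening the message never touches the network."""

    def __init__(self, fetcher: Callable[[str], bytes]):
        self._fetcher = fetcher            # injected stand-in so this runs offline
        self._store: Dict[str, bytes] = {}

    def on_delivery(self, msg_id: str, record_txt: str) -> bool:
        ok, value = logo_decision(record_txt)
        if ok:
            self._store[msg_id] = self._fetcher(value)  # the only fetch, at receipt
        return ok

    def on_open(self, msg_id: str) -> Optional[bytes]:
        return self._store.get(msg_id)     # served from cache, no request
```

Validating the evidence document itself (the certificate chain and that it actually binds this logo) is a separate step that a real receiver must add before `on_delivery` stores anything.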