I guess I'm a geezer. I started building my own website in 1995 on a corporate intranet. In 2011 I had my first two sites on the public internet, as a volunteer for two disaster response non-profits. In 2013 I was asked again to volunteer to create and maintain a website for my high school graduating class.
I can remember:
When domain name registrations were expensive and when competition brought the price down.
When the browsers started enforcing SSL-->TLS and the certificates were costly.
When Let's Encrypt was founded. About two months after that, I asked the (small) hosting company to support TLS and they responded that they would have to charge $200 since they would have to get a certificate for our domain. I educated them about Let's Encrypt--they were delighted to learn--and a month later they had it ready to test. (It's still operational.) I am still grateful for the groundbreaking support from Let's Encrypt and donate to ISRG whenever I am solicited.
The pattern seems to be:
A new protocol/RFC is issued.
The new protocol soon becomes obligatory.
Providers offer expensive solutions.
Some group offers a less expensive or free solution.
Users quickly or gradually migrate to the solution providing the same function at lower cost.
ISRG/Let's Encrypt was, of course, the free solution after the major browsers made TLS obligatory.
Now another protocol, BIMI, has come along and what are we seeing? Predatory Registrars! Brand Indicators for Message Identification (BIMI) provides for the display of organization logos in email recipients' Inboxes.
This, of course, is all about branding. One could argue that small non-profit organizations are even more dependent on branding than behemoths like those in the illustration.
There are two BIMI options. Organizations with registered trademarks can get a Verified Mark Certificate (VMC). Organizations with logos that have been in use for more than 12 months (easy to demonstrate at archive.org) can get a Common Mark Certificate (CMC).
The organization must be a responsible email user, supporting SPF, DMARC, and DKIM. Essentially this means establishing a contact for mail issues (postmaster) and a contact for complaints (abuse) and adding those contacts to their DNS listing. These actions cost the organizations nothing.
But adding the BIMI information (an https link to an image file) requires a CMC or VMC certificate. And here is where the parallel to TLS and Let’s Encrypt occurs. The current certificate providers charge ~$1000/year for a certificate. This is exclusionary. The effort in validating once involves a lookup at the USPTO or archive.org and an NSLOOKUP. In subsequent years the archive.org lookup could be skipped.
By this time you’ve probably guessed that I am proposing that ISRG/Let’s Encrypt become a free BIMI Certificate registrar. Please give this some consideration and let me know if there is any further information I can provide.
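As an added illustration (not code from this thread, and not anything ISRG or Let's Encrypt publishes), here is a small Python checker for the two DNS records the post above describes: the DMARC policy record that BIMI depends on, and the BIMI assertion record that carries the https link to the logo. The domain, record contents and URLs are constructed sample values; the tag names (v, l, a, p, sp, pct) are the ones the DMARC and BIMI specifications define. It goes slightly beyond the post by also checking the subdomain policy and the pct tag, which a receiver evaluating BIMI looks at as well.

```python
"""Constructed example: validate the DNS records a BIMI deployment needs.

BIMI assertion record, published at default._bimi.<domain>:
    v=BIMI1; l=<https URL of the logo>; a=<https URL of the VMC/CMC, optional>
DMARC record, published at _dmarc.<domain>, which BIMI requires to be
enforcing (p=quarantine or p=reject, applied to 100% of mail).
The records below are made up for a hypothetical domain example.org.
"""
from urllib.parse import urlparse

# Constructed records for a domain that is ready for BIMI
SAMPLE_RECORDS = {
    "default._bimi.example.org":
        "v=BIMI1; l=https://example.org/brand/logo.svg; a=https://example.org/brand/cmc.pem",
    "_dmarc.example.org":
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
}

# Constructed records with the two most common mistakes: a non-enforcing
# DMARC policy and a logo served over plain http
WEAK_RECORDS = {
    "default._bimi.example.org": "v=BIMI1; l=http://example.org/brand/logo.svg",
    "_dmarc.example.org": "v=DMARC1; p=none; pct=100",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return the problems that would block BIMI; an empty list means the policy is enforcing."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        problems.append("missing v=DMARC1")
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        problems.append(f"policy p={policy!r} is not enforcing")
    # sp= overrides p= for subdomains; if present it must be enforcing too
    sub_policy = tags.get("sp")
    if sub_policy is not None and sub_policy not in ("quarantine", "reject"):
        problems.append(f"subdomain policy sp={sub_policy!r} is not enforcing")
    # pct= below 100 applies the policy to only a sample of messages
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        problems.append(f"pct={pct} applies the policy to only part of the mail")
    return problems


def check_bimi(record: str) -> list:
    """Return the problems in a BIMI assertion record; an empty list means it is well formed."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        problems.append("missing v=BIMI1")
    logo = tags.get("l", "")
    if logo == "":
        problems.append("no logo URL (an empty l= declines to participate)")
    else:
        url = urlparse(logo)
        if url.scheme != "https" or not url.netloc:
            problems.append(f"logo URL must be https: {logo}")
    evidence = tags.get("a", "")
    if evidence:
        url = urlparse(evidence)
        if url.scheme != "https" or not url.netloc:
            problems.append(f"certificate URL must be https: {evidence}")
    return problems


def assess(domain: str, records: dict) -> dict:
    """Run both checks for a domain against a dict of TXT records (name -> text)."""
    bimi = records.get(f"default._bimi.{domain}")
    dmarc = records.get(f"_dmarc.{domain}")
    report = {
        "dmarc": check_dmarc(dmarc) if dmarc else ["no DMARC record"],
        "bimi": check_bimi(bimi) if bimi else ["no BIMI record"],
    }
    report["ready"] = not report["dmarc"] and not report["bimi"]
    return report


if __name__ == "__main__":
    print("sample:", assess("example.org", SAMPLE_RECORDS))
    print("weak:  ", assess("example.org", WEAK_RECORDS))
```

Against live DNS you would replace the dictionaries with TXT lookups of `default._bimi.<domain>` and `_dmarc.<domain>`; the checks themselves stay the same. Note that a clean report only says the records are well formed and the policy is enforcing; whether the logo at the l= URL is actually the organization's mark is the question the certificate (VMC or CMC) exists to answer, and nothing here verifies that.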
Thank you for the prompt response, I completely understand that Let’s Encrypt works because it’s completely automated. I thought that complete automation of images would be obvious. Here are more details.
Your application form asks for the current image at the location to be used for the CMC entry in DNS and an example date from archive.org.
The application runs a binary compare on the two samples.
C:\Users\customer\downloads>fc /b "Current WIDTlogo.jpg" "9-27-2011 WIDTlogo.jpg"
Comparing files Current WIDTlogo.jpg and 9-27-2011 WIDTLOGO.JPG
FC: no differences encountered
Once the user has provided the two locations for the same logo, downloading them and doing a binary file compare seems quite automatable. Have I missed something?
Even for CMC certificates that seem automatable, the verification performed by CAs is definitely more than just a simple comparison between the Wayback Machine and the current logo on the website. What if I use a logo that is visually identical to Google's but different from a computational perspective?
Furthermore, CMC is only supported by Gmail. While VMC is supported by more ESPs, I don't see the benefit of this feature for most users. It is just like EV SSL certificates; except for a few users with specialized knowledge, most people cannot understand their purpose. I believe most users simply do not care about brand logos in emails.
except for a few users with specialized knowledge, most people cannot understand their purpose. I believe most users simply do not care about brand logos in emails.
I agree that people may not understand the purpose, but they will grasp that it is a stamp of trustworthiness of the email they are about to open. Isn’t that what we learned about the padlock in the browser’s address window? Let’s Encrypt was the driver in making web browsing secure. It makes sense that Let’s Encrypt would also do what it could to make email more secure.
There are multiple reasons to make BIMI more easily available.
Branding is important to small nonprofits. BIMI provides enhanced brand visibility and increased user engagement.
BIMI also encourages greater security–the same goal that fostered the formation of Let’s Encrypt. Because BIMI requires properly-formed SPF, DKIM, and DMARC, adoption of BIMI will increase adoption of these protocols and strengthen email authentication, yielding improved email trustworthiness and reduced phishing and spoofing.
Thank you for the prompt response and for your patience.
Good point. Patents are also processed at the USPTO. I did patent engineering. I had automated screen-scraping patents to produce presentation materials and had to produce a fairly complex rule set to get claims from various patents to appear in the same format.
However, that concern only applies to VMC certificates. As you may have noticed, I’ve been concentrating on CMC certificates.
Before Let’s Encrypt was available, only the big outfits could afford SSL→TLS. Let’s Encrypt enabled the little guy. It’s the same thing with BIMI. The big guys could afford trademarks and expensive VMC and CMC. It’s up to Let’s Encrypt to enable CMC for the little guys.
Thank you for sending the draft RFC reference. It’s been over 30 years since I was on an IETF Working Group. I worked on the MIB for T-1 carriers, the only one with experience on the actual interface and its signalling.
I am quite certain that the baseline requirements do not agree with this.
Just like the EV green bar, its true meaning is difficult for ordinary internet users to understand and can be easily misleading, which is why mainstream browsers no longer use them.
CMC and VMC currently seem to offer identity-related benefits only because of their high cost and complex verification processes. Once they become as ubiquitous as SSL certificates—with prices falling or even becoming free—I have no doubt that thousands of attackers will forge the brand identifiers of others.
VMC relies at least on government trademark authorities to provide a certain level of protection, whereas CMC only requires using the logo for one year on a website that likely receives no traffic. This is also why only Gmail supports CMC, and it does not provide a verified mark for CMC, but rather just displays a logo for the sender. A fun fact: if you don't have a large number of sending addresses, creating a Google Workspace account for each sending address and setting a profile picture for it will allow Gmail users to see your logo—at a much lower cost.
Yes, Chrome dropped it to make it easier to clear cookies for individual websites. (There were too many bad help desks that told users to clear all cookies, not just those of faulty websites, leading to dissatisfaction.) Here’s Edge where I’m writing this:
A fun fact: if you don't have a large number of sending addresses, creating a Google Workspace account for each sending address and setting a profile picture for it will allow Gmail users to see your logo—at a much lower cost.
One of the organizations I represent is, in fact, using Google Workspace for Non-profits with our own domain. I’m told that this would be visible but not for “outside users.” I took that to mean “visible only to users on our own domain” and not other Google users. I think I will experiment with this.