I don't know what the calculus will be for Google's trust of Entrust-issued
BIMI certificates, but I am pretty sure that they won't be announcing that
policy on MDSP—you could ask in a Google forum of some kind, but I think
most likely you just have to wait for the announcement if/when it comes.

(I personally think Entrust will not keep the BIMI business around by
itself even if the root somehow stays trusted, but it's possible they were
completely compliant with all BIMI-related requirements!)

Mike


On Thu, Jun 27, 2024 at 4:51 PM Kurt Seifried <[email protected]> wrote:

> We've never had a situation like this, partly due to the fact there are
> only two VMC sellers, Entrust and DigiCert (as I understand it, everyone
> else selling these is a reseller). But I can't see why the issues at
> Entrust would be restricted to their web cert business and not the VMC
> business (which are virtually identical products/processes). And thus I
> can't imagine why the rest of Google wouldn't remove their trust in Entrust
> as well.
>
> On Thu, Jun 27, 2024 at 2:47 PM Mike Shaver <[email protected]> wrote:
>
>> AFAIK, BIMI certs are not related to the browser root stores in any way,
>> and aren’t signed by server certificate roots.
>>
>> Mike
>>
>> On Thu, Jun 27, 2024 at 4:31 PM 'Kurt Seifried' via
>> [email protected] <[email protected]> wrote:
>>
>>> Also do we know what is happening with their VMC root cert? CN = Entrust
>>> Verified Mark Root Certification Authority - VMCR1 which is used for
>>> Verified Mark Certificates aka BIMI logos, and is currently supported in
>>> Gmail? Do we know if Gmail will be removing support for Entrust-based VMC
>>> certificates and thus BIMI logos done via Entrust? Seeing as how your
>>> choices for buying a BIMI/VMC cert are Entrust (or a reseller) and DigiCert,
>>> the removal of trust in CN = Entrust Verified Mark Root Certification
>>> Authority - VMCR1 will basically break most BIMI logos in any email
>>> platform that supports BIMI and decides to remove Entrust.
>>>
>>> Example:
>>>
>>> $ wget https://bimi.entrust.net/cloudsecurityalliance.org/certchain.pem
>>> $ while openssl x509 -noout -text; do :; done < certchain.pem
>>>
>>> And for additional context on who uses Entrust:
>>> https://bimiradar.com/glob#logos
>>>
>>> --
>>> Kurt Seifried (He/Him)
>>> [email protected]
>>>
>>
>
> --
> Kurt Seifried (He/Him)
> [email protected]
>

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqvp-RMEB3QbuydSiEz1-jKY7_TSiuLDj1ntMaB8ALoeGw%40mail.gmail.com.
