Checking which Certificate Authority (CA) issued a domain's BIMI (Brand Indicators for Message Identification) Verified Mark Certificate (VMC) matters, especially given recent concerns surrounding Entrust. While only the organization that purchased the certificate knows for certain, several technical methods and online tools can establish the issuer publicly. The industry is currently working out how Google's announced distrust of Entrust's public TLS certificates will affect its VMCs for BIMI, prompting a closer look at vendor choices like DigiCert.
Key findings
Direct inspection: You can obtain a domain's VMC yourself and read the issuer field from it, using command-line tools such as openssl x509 -in certificate.crt -text -noout.
Online tools: Several online BIMI-specific validation tools can automatically pull the BIMI data, including the certificate issuer.
BIMI DNS record: The BIMI DNS TXT record for a domain contains a URL pointing to the VMC (.pem file). This file can then be downloaded and inspected for the issuer details.
Google's stance on Entrust: While Google announced distrust for Entrust's public TLS certificates, its stance on Entrust VMCs for BIMI is under assessment, indicating potential future impact. This situation underscores the importance of choosing a reputable VMC issuer, such as DigiCert or Entrust (with caution).
Key considerations
Impact on logo display: A VMC from a distrusted CA could lead to BIMI logos not displaying, affecting brand visibility and trust. Ensure you understand the requirements for BIMI implementation.
Vendor stability: When choosing a VMC vendor, consider their long-term stability and compliance with CA/Browser Forum rules to avoid future issues.
Migration planning: Organizations using Entrust VMCs should understand the process, cost, and time required to migrate to another CA like DigiCert, even if immediate action isn't strictly mandated. This includes knowing the differences between BIMI certificate vendors.
New implementations: For new BIMI implementations, it is generally safer to choose a VMC provider like DigiCert to minimize risks associated with Entrust's current situation and ensure broader trust across mailbox providers.
What email marketers say
Email marketers are keenly aware of the impact brand visibility has on engagement, making BIMI a high-interest area. The community discussion often revolves around practical ways to implement and troubleshoot BIMI, including checking VMC issuers. Recent news about Entrust has prompted marketers to assess potential disruptions to their carefully crafted brand presence in the inbox.
Key opinions
Ease of checking: Marketers appreciate simple ways to check BIMI certificate issuers, often relying on online tools that provide this data automatically. This helps them quickly diagnose issues if their BIMI logo isn't displaying.
Proactive monitoring: Many marketers wish for more transparent ways to monitor their BIMI status, especially for the VMC issuer, to avoid surprises. Ensuring your BIMI setup is correct is key.
Cautious approach to Entrust: There's a general sentiment that for new BIMI implementations, choosing a provider other than Entrust (such as DigiCert) is the safer bet due to the uncertainty surrounding Google's future trust in Entrust's VMCs.
Importance of VMC: Marketers recognize that a VMC is a critical component for BIMI display, especially on major mailbox providers. Understanding whether a VMC certificate is always required is a common point of discussion.
Key considerations
Brand reputation risk: Any disruption to BIMI logo display due to certificate issues can negatively impact brand recognition and trust among subscribers.
Migration complexity: Switching VMC providers involves administrative effort, potential costs, and careful coordination to ensure continuous logo display without interruption.
Staying informed: It is important for marketers to stay updated on announcements from major mailbox providers and certificate authorities regarding BIMI and VMC requirements.
Vendor support: Choosing a VMC provider with robust support is essential for troubleshooting and ensuring compliance with evolving standards.
Marketer view
Marketer from Email Geeks suggests that marketers are always looking for straightforward methods to verify their BIMI setup. This includes checking which Certificate Authority (CA) issued their Verified Mark Certificate (VMC).
02 Jul 2024 - Email Geeks
Marketer view
Marketer from Hashed Out by The SSL Store™ indicates that since DigiCert and Entrust are the primary CAs for Mark Certificates, understanding which one a domain uses is key for proper BIMI implementation. Updates to these certificates are ongoing, requiring senders to stay informed.
02 Jul 2024 - Hashed Out by The SSL Store™
What the experts say
Industry experts closely monitor the technical specifications and operational integrity of Certificate Authorities. The discussion surrounding Entrust's VMCs highlights a critical juncture where compliance and trust directly impact the efficacy of emerging email authentication standards like BIMI. Experts provide deep insights into how certificate issuance and trust chains function, and what the recent developments mean for BIMI adoption and email security.
Key opinions
Technical verification: Experts confirm that VMC issuer information can be extracted directly from the certificate linked in the BIMI DNS record, often using command-line tools like dig and curl combined with openssl.
Entrust's compliance issues: Google's Chrome team regards Entrust as having violated CA requirements, both deliberately and through incompetence, leading to severe penalties for its public TLS certificates, though BIMI VMCs are being assessed separately. This situation directly bears on questions such as whether DigiCert is the only working VMC issuer for Google BIMI.
Strategic vendor choice: Experts advise that for VMCs, choosing DigiCert is a safe and reliable option given the current landscape, as it minimizes security concerns and ensures broad acceptance.
Broader security implications: The issues with Entrust extend beyond standard SSL certificates, touching on their overall adherence to security protocols, which could impact other security-sensitive services. Proper DMARC configuration is also crucial, as detailed in how to set up DMARC for BIMI.
Key considerations
Future trust: While Entrust aims to rectify its issues, it will take time for them to regain full trust from the security community and major players like Google. This uncertainty makes them a less desirable option for new, security-critical implementations.
Continuous assessment: Organizations using Entrust VMCs should conduct continuous assessments of their BIMI performance and be ready to transition to another CA if trust issues escalate.
No immediate impact on VMCs: At present, the announced distrust of Entrust's public TLS certificates does not directly cover VMCs, but the situation is evolving. Google is internally assessing the situation.
Due diligence: Perform thorough due diligence when selecting a VMC provider, considering their reputation, adherence to standards, and track record within the certificate ecosystem.
Expert view
Expert from Email Geeks, Steve, explains that the issuer of a BIMI VMC can be identified by first pulling the URL from the BIMI DNS TXT record and then using curl and openssl to inspect the certificate's issuer field.
02 Jul 2024 - Email Geeks
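The dig/curl/openssl procedure described in the Key findings above and in Steve's note, written out as an added example script (not code from the page, from Email Geeks, or from any CA). It assumes dig, curl and openssl are installed and on PATH; the record and URL strings used for illustration are constructed samples, not real domains' data.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes dig, curl and openssl
# are installed. Sample record/URL strings in comments are constructed.

# Name of the default BIMI selector record for a domain.
bimi_record_name() {
    printf 'default._bimi.%s\n' "$1"
}

# Pull the a= tag (VMC URL) out of a BIMI TXT record such as
#   v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem
# Prints an empty line when the record has no a= tag (no VMC published).
bimi_vmc_url() {
    printf '%s\n' "$1" | tr -d '"' | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*a=[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# BIMI requires the VMC to be served over https; refuse to fetch anything else.
is_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the issuer DN of the first (leaf) certificate in a PEM file.
vmc_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# End-to-end check for a live domain: DNS lookup, fetch, inspect (needs network).
check_bimi_issuer() {
    domain="$1"
    record=$(dig +short TXT "$(bimi_record_name "$domain")")
    [ -n "$record" ] || { echo "no BIMI record for $domain" >&2; return 1; }
    url=$(bimi_vmc_url "$record")
    [ -n "$url" ] || { echo "BIMI record has no a= tag (no VMC)" >&2; return 1; }
    is_https_url "$url" || { echo "refusing non-https VMC URL: $url" >&2; return 1; }
    tmp=$(mktemp)
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    vmc_issuer "$tmp"
    rm -f "$tmp"
}

if [ "$#" -gt 0 ]; then
    check_bimi_issuer "$1"
fi
```

Run it with a domain argument to perform the live lookup and fetch; without an argument only the functions are defined, so the parsing pieces can be reused or tested offline.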
Expert view
Expert from Spam Resource suggests that the broader distrust of a Certificate Authority (CA) can have ripple effects beyond specific certificate types. This indicates the importance of a CA's overall reputation and compliance with industry standards for all services they provide.
02 Jul 2024 - Spam Resource
What the documentation says
Official documentation from organizations like the BIMI Group and Certificate Authorities provides the foundational rules and guidelines for implementing BIMI, including details on VMCs. These documents outline the technical requirements, the role of Certificate Authorities, and the processes for validating VMCs. Understanding these guidelines is essential for proper BIMI setup and troubleshooting.
Key findings
VMC issuer requirements: BIMI requires VMCs to be issued by a limited number of approved Certificate Authorities, specifically DigiCert and Entrust (Datacard), which are authorized to issue Mark Certificates. Knowing this is key to selecting an accredited certificate provider.
BIMI DNS record structure: The BIMI DNS TXT record includes an a= tag that points to the URL of the Verified Mark Certificate. This URL is a direct path to the certificate file for inspection.
MVA role: Mark Verifying Authorities (MVAs), a role filled by the issuing CAs, are responsible for verifying that logos are authorized for use with BIMI, which is crucial to preventing unauthorized or fraudulent logo use, as highlighted in the BIMI Group's documentation.
Certificate transparency logs: Certificate Transparency (CT) logs provide a public record of issued certificates, which can be reviewed to verify the issuer of any VMC.
Key considerations
Compliance with standards: Ensure that your chosen VMC provider fully complies with all CA/Browser Forum rules and BIMI specifications to avoid future deprecation or trust issues.
VMC validation: Regularly validate your BIMI SVG file and VMC to ensure they meet all technical requirements for displaying your logo, as detailed in guides on validating your BIMI setup.
Trademark requirement: A key requirement for obtaining a VMC is proof of trademark registration for the logo. The CA will verify this during the issuance process.
Dynamic nature of trust: The trust placed in Certificate Authorities can change, as evidenced by Google's actions. Organizations should monitor updates from major mailbox providers and certificate bodies to ensure ongoing compatibility and trust.
Technical article
Documentation from the BIMI Group highlights that to prevent unauthorized logo usage, a Mark Verifying Authority (MVA) such as Entrust Datacard is tasked with validating the authenticity and authorization of logos intended for BIMI display.
02 Jul 2024 - BIMI Group
Technical article
Documentation from GoDMARC Knowledge Base explains that the process of obtaining a BIMI VMC Certificate involves selecting a Certificate Authority like DigiCert or Entrust and submitting specific details including the domain name and proof of trademark registration.