VMC Issuer Information
While the AuthIndicators Working Group (AWG) has played a role in developing the technical specifications of the BIMI protocol, including those that describe the contents of a VMC, the AWG does not certify an MVA to issue VMCs. The decision to accept VMCs generated by an individual MVA is left to the discretion of each mailbox provider that supports BIMI, and the following statements are true:
- Each BIMI-supporting mailbox provider can have different rigorous criteria to apply to the decision to accept an MVA’s VMCs.
- An MVA may be required to go through a separate vetting process with each mailbox provider.
- Acceptance of a MVA’s VMCs by one or more BIMI-supporting mailbox providers does not guarantee that the MVA’s VMCs will be accepted everywhere.
Issuance of a VMC by an MVA is done pursuant to published requirements that detail not only the format of the VMC, but also the process by which a claim to use a given logo is validated, as well as other artifacts to be produced by the MVA during the process. Among those artifacts are Certificate Transparency (CT) logs, which an MVA maintains to record each VMC it issues, and Certificate Revocation Lists (CRLs) which list VMCs that the issuer has revoked. The CRLs are both referenced in each individual VMC and kept as a separate list. The published requirements also describe associated third party assessments to which an MVA must periodically subject itself in order to prove its compliance with the requirements.
On this page, the Authindicators Working Group maintains information about MVAs that issue VMCs, including their name, a link to their Certification Practice Statement (CPS), the URL(s) of the CT Log(s) to which each MVA publishes, URL(s) pointing to each MVA’s CRL(s), and the location of each MVA’s most recent audit report as conducted in accordance with the current revision of the VMC Requirements, if available.
|Name of MVA||CPS||CT Log||CRL||Root Cert||Audit Report||Date of Issuance of Audit Report||Date of Oldest VMC Subject to Current Audit|
|Digicert (pem)||Audit Report||24 January 2022||12 July 2021|
|Entrust (pem)||Audit Report||11 May 2022||9 July 2021|
MVAs interested in issuing VMCs must provide the following details to be considered for inclusion in the list of approved providers. Submit the information displayed in the chart above and the information provided will be published (typically) within 10 business days. Fill out our contact form with the required information for inclusion.
This list is provided as a courtesy to the MVA community.
Note: Inclusion on this list does not guarantee that a provider will honor your VMC. The AuthIndicators working group has no decision making power in which MVAs are accepted or not.