Information for Would-Be VMC Issuers
Some mailbox providers that support BIMI require that the DNS records asserting a domain’s BIMI information contain reference to a Verified Mark Certificate (VMC), as described in the BIMI protocol. VMCs are digital certificates that describe not only the logo to be displayed, but also serve as proof that the logo’s use by the domain has been vetted by a third party. These third parties are referred to as Mark Verifying Authorities, or MVAs for short.
While the AuthIndicators Working Group (AWG) has played a role in developing the technical specifications of the BIMI protocol, including those that describe the contents of a VMC, the AWG does not certify an MVA to issue VMCs. The decision to accept VMCs generated by an individual MVA is left to the discretion of each mailbox provider that supports BIMI, and the following statements are true:
- Each BIMI-supporting mailbox provider can have different rigorous criteria to apply to the decision to accept an MVA’s VMCs.
- An MVA may be required to go through a separate vetting process with each mailbox provider.
- Acceptance of a MVA’s VMCs by one or more BIMI-supporting mailbox providers does not guarantee that the MVA’s VMCs will be accepted everywhere.
Issuance of a VMC by an MVA is done pursuant to published requirements that detail not only the format of the VMC, but also the process by which a claim to use a given logo is validated, as well as other artifacts to be produced by the MVA during the process. Among those artifacts are Certificate Transparency (CT) logs, which an MVA maintains to record each VMC it issues, and Certificate Revocation Lists (CRLs) which list VMCs that the issuer has revoked. The CRLs are both referenced in each individual VMC and kept as a separate list. The published requirements also describe associated third party assessments to which an MVA must periodically subject itself in order to prove its compliance with the requirements.
On this page, the Authindicators Working Group maintains information about MVAs that issue VMCs, including their name, a link to their Certification Practice Statement (CPS), the URL(s) of the CT Log(s) to which each MVA publishes, URL(s) pointing to each MVA’s CRL(s), and the location of each MVA’s most recent audit report as conducted in accordance with the current revision of the VMC Requirements, if available.
|Name of MVA||CPS||CT Log||CRL||Root Cert||Audit Report|
|DigiCert||Digicert Private PKI CPS||https://gorgon.ct.digicert.com/log||http://crl3.digicert.com/DigiCertVerifiedMarkIntermediateCA.crl||Digicert (pem)||Will be published when available|
|Entrust Datacard||Certificate Practice Statement for Entrust SSL Certificates||https://gorgon.ct.digicert.com/log||http://crl.entrust.net/vmc1ca.crl
|Entrust Datacard (pem)||Will be published when available|
The Authindicators Working Group is happy to facilitate introductions between BIMI-supporting mailbox providers and MVAs interested in issuing VMCs. Just fill out our contact form and someone will be in touch with you.