All, We want to thank everybody who has participated in the discussion for their detailed reviews of Entrust's updated report and thoughtful contributions. We have not yet made a final decision and are reviewing the community's comments and Entrust's updated response closely.
Sincerely yours, Ben Wilson Mozilla Root Store Manager On Thursday, June 27, 2024 at 3:04:03 PM UTC-6 Mike Shaver wrote: > I don't know what the calculus will be for Google's trust of > Entrust-issued BIMI certificates, but I am pretty sure that they won't be > announcing that policy on MDSP—you could ask in a Google forum of some > kind, but I think most likely you just have to wait for the announcement > if/when it comes. > > (I personally think Entrust will not keep the BIMI business around by > itself even if the root somehow stays trusted, but it's possible they were > completely compliant with all BIMI-related requirements!) > > Mike > > > On Thu, Jun 27, 2024 at 4:51 PM Kurt Seifried <k...@seifried.org> wrote: > >> We've never had a situation like this, partly due to the fact there are >> only two VMC sellers, Entrust and Digicert (as I understand it everyone >> else selling these is a reseller). But I can't see why the issues at >> Entrust would be restricted to their web cert business and not the VMC >> business (which are virtually identical products/processes). And thus I >> can't imagine why the rest of Google wouldn't remove their trust in Entrust >> as well. >> >> On Thu, Jun 27, 2024 at 2:47 PM Mike Shaver <mike.sha...@gmail.com> >> wrote: >> >>> AFAIK, BIMI certs are not related to the browser root stores in any way, >>> and aren’t signed by server certificate roots. >>> >>> Mike >>> >>> On Thu, Jun 27, 2024 at 4:31 PM 'Kurt Seifried' via >>> dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> wrote: >>> >>>> Also do we know what is happening with their VMC root cert? CN = >>>> Entrust Verified Mark Root Certification Authority - VMCR1 which is used >>>> for Verified Mark Certificates aka BIMI logos, and is currently supported >>>> in Gmail? Do we know if Gmail be removing support for Entrust based VMC >>>> certificates and thus BIMI logos done via Entrust? Seeing as how your >>>> choices for buying a BIMI/VMC cert are Entrust (or a reseller) and >>>> Digicert >>>> the removal of trust in CN = Entrust Verified Mark Root Certification >>>> Authority - VMCR1 will basically break most BIMI logos in any email >>>> platform that supports BIMI and decides to remove Entrust.. >>>> >>>> Example: >>>> >>>> $ wget https://bimi.entrust.net/cloudsecurityalliance.org/certchain.pem >>>> $ while openssl x509 -noout -text; do :; done < certchain.pem >>>> >>>> And for additional context on who uses Entrust: >>>> https://bimiradar.com/glob#logos >>>> >>>> -- >>>> Kurt Seifried (He/Him) >>>> k...@seifried.org >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "dev-security-policy@mozilla.org" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to dev-security-policy+unsubscr...@mozilla.org. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa39KCFVyaMWOfMR%3Dc%3DskCK8byzjmX6unva0RCLe8Z_5uWA%40mail.gmail.com >>>> >>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa39KCFVyaMWOfMR%3Dc%3DskCK8byzjmX6unva0RCLe8Z_5uWA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> >> >> -- >> Kurt Seifried (He/Him) >> k...@seifried.org >> > -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/47aaa5ec-9309-4406-ba5e-376a4812186bn%40mozilla.org.
