Stop using Entrust for your BIMI Certificates

In July I talked about how Entrust was mistrusted by, well, pretty much everyone due to a years-long series of security and trust violations.

At that time Google had removed Entrust from the certificate roots trusted by the Chrome browser – the nuclear option, showing that Entrust is really, really not seen as trustworthy. They hadn’t – yet – taken any action regarding BIMI VMCs issued by Entrust.

Apple

But Apple have recently stated they’re taking similar action with their set of trusted roots, such that any certificate issued by Entrust after November 15th will be treated as untrusted.

And that includes BIMI certificates:

The following Root CA Certificate is impacted for Brand Indicator for Message Identification (BIMI):

Certificate Name: Entrust Verified Mark Root Certification Authority – VMCR1

SHA-256 Fingerprint: 7831D95A47D42508CD5C9E6264F9096BAC19F04EB9B7C8BDD35FFFC71C18961

Entrust

This is what Entrust have to say about it:

What now?

If you’re using DigiCert for your BIMI certificates there’s nothing to worry about.

If you’re using Entrust, and your certificate was issued before November 15th 2024 then it will continue working at Apple for now – but when it’s renewed it will stop working. You should make sure you have a path in place to migrate to a certificate issued by DigiCert before your current certificate expires. If it were me, I’d start that migration as soon as I was back in work in January.

If you’re using Entrust and your certificate was issued after November 15th 2024 then it is not considered valid by Apple, and will stop working as systems are updated. You should migrate to DigiCert as soon as possible (and probably try and claw back any payment made to Entrust).

What CA am I using for BIMI?

If you have a Linux, macOS or WSL shell handy you can check like this:

% dig +short default._bimi.paypal.com TXT

"v=BIMI1; l=https://www.paypalobjects.com/marketing/web/logos/paypal.svg; a=https://www.paypalobjects.com/marketing/web/logos/paypal_com.pem"

(“default” is the default BIMI selector. You need to see an email that uses BIMI to know for sure which selector is being used, but “default” is a good guess as it’s, well, the default.)

Check the result from dig and copy the URL from the a= field, then use curl, openssl¹ and head to find the issuer. It’s a one-line command; ignore the line breaks.

curl -s https://www.paypalobjects.com/marketing/web/logos/paypal_com.pem 
| openssl x509 -text -noout | head

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:4b:c5:28:85:8a:de:27:ba:f4:6a:01:1f:78:37:ba
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert, Inc., CN=DigiCert Verified Mark RSA4096 SHA256 2021 CA1
        Validity
            Not Before: Jun 12 00:00:00 2024 GMT
            Not After : Jul  3 23:59:59 2025 GMT

You can see that PayPal is using a BIMI certificate that was issued by DigiCert on June 12th, 2024.
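The dig / curl / openssl steps above, chained into one script that also applies this post’s rules (DigiCert: fine; Entrust issued on or before November 15th 2024: migrate before renewal; Entrust issued after: untrusted at Apple). This is an added example, not a tool from the original post; it assumes dig, curl and openssl are on your PATH and uses openssl’s -issuer/-startdate output instead of -text | head.

```shell
#!/bin/sh
# Added example: find the CA behind a domain's BIMI VMC and classify it per the post.
# Assumes dig, curl and openssl are installed. Cut-off date taken from the post.
CUTOFF=20241115

# Convert openssl's "Mon DD HH:MM:SS YYYY GMT" into a comparable YYYYMMDD number.
notbefore_to_ymd() {
    set -- $1                  # word-split: $1=Mon $2=DD $3=HH:MM:SS $4=YYYY
    case "$1" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=$2; [ ${#d} -eq 1 ] && d=0$d    # pad single-digit day without printf %d (octal trap)
    printf '%s%s%s\n' "$4" "$m" "$d"
}

# Classify from the Issuer string and Not Before date.
# Prints: ok | migrate-before-renewal | untrusted | unknown-ca
classify_vmc() {
    issuer=$1
    ymd=$(notbefore_to_ymd "$2") || { echo unknown-date; return 1; }
    case "$issuer" in
        *DigiCert*) echo ok ;;
        *Entrust*)
            if [ "$ymd" -gt "$CUTOFF" ]; then echo untrusted
            else echo migrate-before-renewal; fi ;;
        *) echo unknown-ca ;;
    esac
}

# Full pipeline: BIMI TXT record -> a= URL -> PEM -> issuer and Not Before -> status.
check_domain() {
    domain=$1; selector=${2:-default}
    # dig may return the TXT record as several quoted chunks; drop quotes and newlines.
    txt=$(dig +short "${selector}._bimi.${domain}" TXT | tr -d '"\n')
    pem_url=$(printf '%s' "$txt" | tr ';' '\n' | sed -n 's/^ *a=//p' | tr -d ' ')
    [ -n "$pem_url" ] || { echo "no a= field in BIMI record for $domain"; return 1; }
    cert=$(curl -s "$pem_url" | openssl x509 -noout -issuer -startdate)
    issuer=$(printf '%s\n' "$cert" | sed -n 's/^issuer=//p')
    nb=$(printf '%s\n' "$cert" | sed -n 's/^notBefore=//p')
    printf '%s: issuer=%s issued=%s status=%s\n' \
        "$domain" "$issuer" "$nb" "$(classify_vmc "$issuer" "$nb")"
}

# Usage: sh bimi_check.sh example.com [selector]
[ "$#" -gt 0 ] && check_domain "$@"
```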

(You can also send an email to https://aboutmy.email/ and see details about the BIMI certificate in use on the BIMI tab.)

  1. If you’re on a Mac you won’t have the openssl tool by default, but it’s available from Homebrew, amongst other places. Grab a copy; it’s often useful.
