Hacker News | Thoughtful's comments

really helpful, thanks for sharing!


> In the UK, if they like you enough, they name a pub after you.

No truer statement. Made me smile to read.


Bit of a nightmare at a group or org level, though.


Interestingly, making this change can trigger a CrowdStrike "privilege escalation" alert.


Their documentation is excellent too. Also worth mentioning the open-source derivative: https://github.com/juanfont/headscale


Is there? Could you give some examples of email providers that wouldn't comply with a legal request?

Protonmail, from what I understand, does contest the requests it receives, but some they have to follow. My impression is that this would be true for any provider.


and financially scandalous


Thousands and thousands of dollars for a BIMI certificate is just ludicrous.

Certificates are certificates are certificates.

They're 1KB files full of random numbers. What you use them for shouldn't alter their price... which ought to be zero.

The fact that a handful of near-monopolistic CAs have managed to control protocols, set standards, and generally funnel money into their coffers that need not have been spent at all is one of the worst examples of naked capitalistic greed I have ever seen.

Rent seeking, pure and simple.


From what I can see, it is the very same CAs who used to peddle normal certificates (and are currently mostly failing to sell EV certificates) who are now desperately trying to save their business by pivoting to convince businesses that VMC certificates are the new big thing.


Your view is very, very naive.

> Thousands and thousands of dollars for a BIMI certificate is just ludicrous.

VMCs are between 800 and 1500 USD

> Certificates are certificates are certificates.

The x509 certificate is, but the process to verify your ownership of the supplied 'mark' (your logo) is not.

The VMC issuing procedure is very involved; it requires the CA to confirm with your local trademark office that your company owns the trademark. For VMC the CA is also required to verify (by phone) that the person who requested the VMC does indeed work for the company; they are also required to verify that the person who requested the certificate is allowed by the organization to do so.

The CAs are actually doing work here, there are real costs.

FWIW: Digicert currently sells VMC for a discounted price of 800USD, which they claim is not even economically viable. Without the discount expect VMCs to be ~1500USD.


People have already paid for an actual trademark. Why should they pay again, to a private company?

Your argument is essentially identical to the arguments usually made to explain why EV certificates are expensive, and nobody is buying those.


Verifying that an SVG image is 100% identical (with zero room for interpretation) to a picture in a public database (available online free of charge)?

And then clicking 'renew' once per year?

How could you possibly charge less than a thousand dollars for that...


No public database with all trademarks exists. And even if it does: who is going to maintain that public database? And how would you be able to trust said database? How will you prove that you really are the legal owner of the logo in that database?

Again, the 'renew' click is not why this is expensive. It's just a cryptographic function that signs a bunch of data; Let's Encrypt has long proven that certificates can be created free-of-charge. However, having a human verifying that everything checks out is the expensive part. Having that human work in an environment, following procedures that pass public audits is expensive. None of the trademark offices is going to do your trademark validations for free. No-one is going to staff a call-centre for free.

You are right about the technical part of creating a certificate being trivially easy, but I believe you truly underestimate the costs of running a CA that is capable of delivering VMCs.

Maybe some company can do it for less than the current prices, I don't know. Competition will show that eventually. But if you truly think that you can do it for less than the current CAs, then start a CA yourself and start competing.


You need to be registered with the national patent and trademark office in one of six participating countries. These databases are financed and maintained almost entirely by the brand owners. You as a brand owner need to do your own research to make sure that your logo is original, then you pay to be entered into the database, then you need to continuously audit any new entries into these databases to make sure that they don't infringe on your existing trademark.

So you provide the CA with a trademark ID number that they can look up and they verify that you represent the company that owns the trademark. It's like 10 minutes on top of the existing EV process, but it's more than double the price.


> VMCs are between 800 and 1500 USD

Per domain.

One of my customers has dozens of domain names!


No, it is per brand mark (logo).

The domain names are in the AN section of the cert. You can have as many as you want in there (as long as they share the same logo)


Mondo uses SendGrid. They have a subscription bar at the bottom of the homepage: mondoshop.com


Emojis in subject lines can sometimes cause issues with ticketing systems, so I can only imagine how ticketing systems will like emojis as domains.


How would you later remove the pin?


Just like climbing a tree, the best way down is usually the inverse of the way you got up.

If you added a version pin by adding a file... then remove the version pin by removing the file.

