
Controversial and technically dubious. The whole premise of the BIMI standard hinges on the adoption of X.509 certificate authorities which will issue certificates (called “VMC”) for a graphical logotype. However, the laws regarding trademarks are restricted in many scopes; legal jurisdictions and business area (trademark “class”), to name a couple. No VMC issuer could really do anything sensible with similar trademarks which are registered by multiple entities in different jurisdictions and/or different business areas. The best-case scenario is that huge players like FAANG, CNN, etc. get VMC certificates and the rest of us get nothing. Which is, I guess, why the big players are toying with the idea and are, slowly, tentatively, pushing for it.



and financially scandalous


Thousands and thousands of dollars for a BIMI certificate is just ludicrous.

Certificates are certificates are certificates.

They're 1KB files full of random numbers. What you use them for shouldn't alter their price... which ought to be zero.

The fact that a handful of near-monopolistic CAs have managed to control protocols, set standards, and generally funnel money into their coffers that need not have been spent at all is one of the worst examples of naked capitalistic greed I have ever seen.

Rent seeking, pure and simple.


From what I can see, it is the very same CAs who used to peddle normal certificates (and are currently mostly failing to sell EV certificates) who are now desperately trying to save their business by pivoting to convince businesses that VMC certificates are the new big thing.


Your view is very, very naive.

> Thousands and thousands of dollars for a BIMI certificate is just ludicrous.

VMCs are between 800 and 1500 USD

> Certificates are certificates are certificates.

The x509 certificate is, but the process to verify your ownership of the supplied 'mark' (your logo) is not.

The VMC issuing procedure is very involved, it requires the CA to confirm with your local trademark office that your company owns the trademark. For VMC the CA is also required to verify (by phone) that the person who requested the VMC does indeed work for the company, they are also required to verify that the person who requested the certificate is allowed by the organization to do so.

The CAs are actually doing work here, there are real costs.

FWIW: Digicert currently sells VMC for a discounted price of 800 USD, which they claim is not even economically viable. Without the discount expect VMCs to be ~1500 USD.


People have already paid for an actual trademark. Why should they pay again, to a private company?

Your argument is essentially identical to the arguments usually made to explain why EV certificates are expensive, and nobody is buying those.


Verifying that an SVG image is 100% identical (with zero room for interpretation) to a picture in a public database (available online free of charge)?

And then clicking 'renew' once per year?

How could you possibly charge less than a thousand dollars for that...


No public database with all trademarks exists. And even if it does: who is going to maintain that public database? And how would you be able to trust said database? How will you prove that you really are the legal owner of the logo in that database?

Again, the 'renew' click is not why this is expensive. It's just a cryptographic function that signs a bunch of data, Let's Encrypt has long proven that certificates can be created free-of-charge. However, having a human verifying that everything checks out is the expensive part. Having that human work in an environment, following procedures that passes public audits is expensive. None of the trademark offices is going to do your trademark validations for free. No-one is going to staff a call-centre for free.

You are right about the technical part of creating a certificate being trivially easy, but I believe you truly underestimate the costs of running a CA that is capable of delivering VMCs.

Maybe that some company can do it for less than the current prices, I don't know. Competition will show that eventually. But if you truly think that you can do it for less than the current CAs, then start a CA yourself and start competing.


You need to be registered with the national patent and trademark office in one of six participating countries. These databases are financed and maintained almost entirely by the brand owners. You as a brand owner need to do your own research to make sure that your logo is original, then you pay to be entered into the database, then you need to continuously audit any new entries into these databases to make sure that they don't infringe on your existing trademark.

So you provide the CA with a trademark ID number that they can look up and they verify that you represent the company that owns the trademark. It's like 10 minutes on top of the existing EV process, but it's more than double the price.


> VMCs are between 800 and 1500 USD

Per domain.

One of my customers has dozens of domain names!


No, it is per brand mark (logo).

The domain names are in the AN section of the cert. You can have as many as you want in there (as long as they share the same logo)



