but in that thread, supporting VMC was rejected because it requires manual trademark verfication.
Since that thread was closed, CMC (Common Mark Certificates) an alternative that doesn't seem to require manual verification exists. It's still a rip off to get one currently because you still need to go through digicert. So assuming that it's not too technically onerous, does it make sense for letsencrypt to offer CMC certs?
From Minimum Security Requirements for Issuance of Mark Certificates, Version 1.7, Section 3.2.16. Mark Verification in Common Mark Certificates
The CA SHALL verify that:
a Mark that matches the Mark Representation is currently displayed on a website. The
Applicant’s control of the Domain Name of the website MUST be verified using at least one method specified in Section 3.2.14, and
a Mark that matches the Mark Representation was historically displayed at least 12 months earlier than the date of Mark verification on the same Domain Name that was verified as being controlled by the Applicant in (1). The historical display MUST be verified via one of the Archive Webpage Sources allowed by these Requirements.
The CA SHALL also retain a screenshot or other record of the Mark Representation provided by the Applicant and all Mark images found during the verification process stated in the previous paragraph.
This doesn't look like trivial automation. The domain verification is easy, altough they don't approve ACME methods but generally similar to the BRs. However, the a Mark that matches the Mark Representation is currently displayed on a website is rather subjective and would at a minimum require rather complex image processing to automate reliably. You also need to query a website archive with the same verification process to fulfill the 12-month history requirement. Based on the poor performance of the wayback archive in recent times (not their fault), this doesn't look like something that can be reliably automated at a mass-scale.
There's also a bunch of color restrictions in there that looks like a whole lot of legal mumbo jumbo, especially as it mentions that the CA must follow the rules "that apply to Common Marks in the applicable jurisdiction". A can of worms for sure.
We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.
The goal of Let's Encrypt is security. I don't think branding is anything Let's Encrypt is really interested about.
Even if it were technically feasible to automate in a practical manner (which I also doubt), I highly doubt it's worth Let's Encrypts effort as they're just a small team running this entire show.
I'd rather think things like S/MIME would be on their to-do list or something else security related. Not some (IMU) stupid branding hype.
Fair enough, you may be right. My interpretation of this feature was that by making it easier for users to validate email senders, BIMI is about security from phishing and is not just a branding thing.