seanthegeek · October 28, 2024 02:40 · Oct 28, 2024 · Oct 28, 2024 · Oct 28, 2024
diff --git a/README.md b/README.md
@@ -40,4 +40,5 @@ The `opwnssl` CLI tool can be used to verify a certificate. The certificate is p
 
 > openssl verify -CAfile MVACAs.pem -untrusted 56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.pem
  56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.pem
+>
 > 56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.pem: OK
diff --git a/README.md b/README.md
@@ -36,7 +36,7 @@ To find a VMC URL check for a BIMI record using DNS and look for a value in the
 
 ## Verifying the certificate
 
-The `opwnaal` CLI tool can be used to verify a certificate. The certificate is passed twice because it is both the certificate and the chain. For example:
+The `opwnssl` CLI tool can be used to verify a certificate. The certificate is passed twice because it is both the certificate and the chain. For example:
 
 > openssl verify -CAfile MVACAs.pem -untrusted 56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.pem
  56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.pem

diff --git a/MVACAs.pem b/MVACAs.pem
@@ -0,0 +1,67 @@
+-----BEGIN CERTIFICATE-----
+MIIF3jCCA8agAwIBAgIQBsFnz+v0jTXWJBAYXhHF6zANBgkqhkiG9w0BAQsFADCB
+iDELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxDTALBgNVBAcTBExlaGkxFzAV
+BgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29t
+MScwJQYDVQQDEx5EaWdpQ2VydCBWZXJpZmllZCBNYXJrIFJvb3QgQ0EwHhcNMTkw
+OTIzMTIxMjA2WhcNNDkwOTIzMTIxMjA2WjCBiDELMAkGA1UEBhMCVVMxDTALBgNV
+BAgTBFV0YWgxDTALBgNVBAcTBExlaGkxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMu
+MRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMScwJQYDVQQDEx5EaWdpQ2VydCBW
+ZXJpZmllZCBNYXJrIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQDawvvIO7cL04ptZxgLw/YwqDuluiFsMvGsr+vZcfq5c3hKuX0uMrslza91
+OFB6SPmbkG2hLErOcaVH0nMnG0RE3AM6dpfhw7qU+n3c6XPS7HlO9ZC57GJeaOXy
+b0cmcK2G96WC/VRuB1ZgjqYoq6PP4yjn/DB/Pc+7kjwJ2EDH5BFEnywVq4rH1a+Q
+AbVDpxJfCfQZV1VKW+JNtO/KKKX+NlPrtHroSgKiRZ019oWptImyfgpg7j6FNNAT
+R8uPsvU5zYJyCDOxKv4MqllMJmUVwGUHF61WnbiZeJsxzb5H5wMpikX4mfdKaIm0
+ym2QsHVRazST1bIVvAZThcKPd2EnysQi6XpYpMcpiSRo58ENXZW47M/Ocu7mBCLP
+TJEPEC9YG2aCfHxFSz/n6xZR+1rvNPUxcLZ+FNOwZRnHqcqe5TDNQewoC8/AWR0O
+dKqu2WgBF40ncXmtm5QnYhlTmBcoPUWfR40bCLJsm4fV2B4hkC5ZCHV/91jpsv7j
+hsGkpQpY6n9XWBABW6ZGQWM4jXxybbNmb3u21xx8rEkaIh22is08i41xeV9iLYec
+Pup6npZnZbiKSOEFQ3WAwzi3TtABmRknOMybFJKSlJQXMfHqENfwKpNvMMRVO8Pl
+J+Oh6AN8l75vZaFF27gqBhbmjJ2Y9ioqTI7g+Dg4qClUQqXPCQIDAQABo0IwQDAd
+BgNVHQ4EFgQU7G8ipLME4sFjh+Z3Y+pGaU7u/OswDgYDVR0PAQH/BAQDAgGGMA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAC832YLVevVWINnr3vWC
+XNvLPtmPOPLKO5cHupQpkcug+IOli2FAxnC8JDlbOT6hiMK7MYaurag9QvDI/As0
+4cNOa+4sqKCxQR3aLEyyqeLA4WdA6UFIHdMSIzLHZylzjuwciI706x83Ib17DMKO
+cpO2QVB7Beqv240TWxKxH21pFZsl44OgI+HcAPDbfJe3PEzwEZKNcKRkMWa/FFu2
+ckQxpTcfZABrarnuRLcSINiodSW7VfxctzegXWM4WmQeutPBOicceV3J4ZVkhthB
+m784vES1DIuDTqT9/iqStBGN8eOGx9qKvjaXT8SdcrP58FpXrtm/xKgtILptxfVT
+042oogQfb2cNahKRSvs0xH3jyhO944t0zMH/bEpRdU36wR1/Fo56zXy2Zv4czMwg
+3Hg7mbAalJvcnBvH+NHPgucQI432XX11K29vz7HuNC7P9yKhxns+MbOQDMDPOhtS
+LUpBmzRNG4+2BZJZyKGqYd+STHisEGYeYCi3MVrwSe2UqcDi9f2UAWVbkDE/YB6/
+e7+C7o6UWkXSU7dzR7FwFsfBHi6EqgIb2e9pINAxdvlc/3E19Ld/GJEtlw7nSdzp
+71eMp5Z48iY54fV2lM/rXogS1R4r3p2oPe9efG0XaJMd0v1gom5Da/khJA7+wjRB
+0wberd/tg3N0dJsSSznZjwYB
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFpDCCA4ygAwIBAgIUdDkAvVsH/GPX6RUEUsibtwFoBGMwDQYJKoZIhvcNAQEN
+BQAwajELMAkGA1UEBhMCVVMxFjAUBgNVBAoMDUVudHJ1c3QsIEluYy4xQzBBBgNV
+BAMMOkVudHJ1c3QgVmVyaWZpZWQgTWFyayBSb290IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gVk1DUjEwHhcNMjEwNTA3MTMzMTQ4WhcNNDAxMjMwMTMzMTQ4WjBq
+MQswCQYDVQQGEwJVUzEWMBQGA1UECgwNRW50cnVzdCwgSW5jLjFDMEEGA1UEAww6
+RW50cnVzdCBWZXJpZmllZCBNYXJrIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
+dHkgLSBWTUNSMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL1S/GJt
+w3EI3J6CcvhFRTpAZUWnTTgj/0n04xEBEZu4bVR8JlYFnadfTm+CLyUkLCU7Ipoq
+Y0D6jDcD2skWuXnSsTeQtiFIDiGJH4c6QWmNXw1mZDlNhLse0q2sfXCxlAlfBr9M
+c2KOrNUFk36Ld6VQEZOb/R1aU/GwbfN0A/8mDQSRoIHlFgWrtqYwORBF8MFqv4a2
+MvE858h6KaKaBy/8TVMuvuYZ32sa1yGHibAP8Kr0YaFHiK+iLJxnJccjyXjzfLMY
+zQ9rt/UuAlHTIXsNJE+ZYo4O3unPMK25lHGenEVRWOZiIVm/Kl/JdxqxETZRDwCS
+KiXlHcXHkFTtvOQRQ5qcR0p1MrgIUzrzVZSqIM9O92q/tOgsKyv+GoTchBVrn57N
+q2EsarFP2zQqLlSC2Z1KTO+c2bjf90BbDL+mlxYycbRfHc5GZ9LXnxmilBSLz5m0
+MGq1uamqC5pkri7V2tDe+Mb3FQcD/yDhaTs7jL/ODv1dYv3OCQ9YzUZtgvWSqzi9
+rHt2yFotR+XM4BB8n3De1QKnFLZB7s469xRUUjFIJ07lOapBTuZWsarECtAWloW0
+uKr0+LLO2nNX3t92qbPcmEu9dI2Z7K94VLZ/ONhVuroPLlzJ36tTP4zLXo5GXaMY
+UnosKa2jkMu4QfII9g8NkHYRmUBk26vnCS2JAgMBAAGjQjBAMB0GA1UdDgQWBBRz
+I1Z7K3hFgJq4wnzMpYY5iyZ4xTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
+AwIBhjANBgkqhkiG9w0BAQ0FAAOCAgEASMtZ53rMG+bDGJbYCCucv9KzqgCL166R
+V9Eq0zQOXITcfVpJmFeBLq/rMzXCOdWNTdPx6yNdeWk6OW5GullwzJhsutiHcryQ
+acDRHEnMf0LodOy2TWLWWonsyctVHa2PtbcViWZ7opctUTmsK6JdMHCAOZHH64Nj
+0Vr0VAaLf/A/fF+ZlU1IbcU1Gi/FBJudrT7YD2ISmIukCv7hsdhAtg9TuOVkWKl0
+gfDadejTU4l5VlT58ofkxg5aAL2XPJf7ywKzgWlWgLpIZWMsn6+7dOiAq7GqsVKN
+zEKTyAc3Hs42hpKtHvZFDGJ3mGVUNPNjEiH7OZ7q1gKB7eysWDcUp+IMLn+nukDo
+JUb9H+TiF0i7Zo+roPyzv+fy2tJuioF9NkVGqqOrfTLxOo10gCM42ba4Mf6PkvC4
+FkkNb7q7OVi6nsO8pUNJ+PagwFyMLp0vqd4aDTUruey7tKz76SM1D6rN9WJFgZsp
+Yj4dKCQPde32Jd9/Sk6G5lHmIbAqqNYLqPRBxByVSBg9+11jMi7e1kIkMQV3wndB
+ntRKjHU8Hd0J/UcK8veLaRR2XECTx0I9I31Fis4Q0cSVz+4oXWGBuaREKEut10q2
+cAWvd1qUOjLlA4LsxKpVMvc+loyIy5s0+IfcqN4GHYjBKK+m+GWs/u2Q4BiKeVxw
+gkWRxBsyYPA=
+-----END CERTIFICATE-----
diff --git a/README.md b/README.md
@@ -0,0 +1,43 @@
+Currently, there only two Mark Verifying Athorities that issue Verified Mark Certificates (VMCs) for use with [BIMI standard](https://bimigroup.org/implementation-guide/): [DigiCert](https://www.digicert.com/tls-ssl/verified-mark-certificates) and [Entrust](https://store.entrust.com/default/vmc.html).
+They provide their customers with certificate chains containing the intermedate certificate and VMC. The root certificates for these certificates are different than the root certificates used fpr browsers.
+
+- [DigiCert root Certificates download page](https://www.digicert.com/kb/digicert-root-certificates.htm)
+- [EnTrust root Certificates download page](https://www.entrust.com/knowledgebase/ssl/entrust-root-certificates)
+
+## Root certificates
+
+DigiCert Verified Mark Root CA
+
+```text
+Expires: 2024-09-23
+Seral number:  06:C1:67:CF:EB:F4:8D:35:D6:24:10:18:5E:11:C5:EB
+SHA1 fingerprint: 74:E1:6E:32:AF:75:C6:CF:51:0A:26:FF:1F:C1:15:80:68:EA:92:3E
+SHA256 fingerprint: 50:43:86:C9:EE:89:32:FE:CC:95:FA:DE:42:7F:69:C3:E2:53:4B:73:10:48:9E:30:0F:EE:44:8E:33:C4:6B:42
+```
+
+[Download link](http://cacerts.digicert.com/DigiCertVerifiedMarkRootCA.crt.pem)
+
+Entrust Verified Mark Root Certification Authority – VMCR1
+
+```text
+Expires: 2040-12-30
+Seral number: 743900bd5b07fc63d7e9150452c89bb701680463
+SHA1 fingerprint: 4A:04:D5:A6:28:0E:98:E6:5C:D4:7F:87:E8:EC:A6:4C:8B:4A:9A:43
+SHA256 fingerprint: 78:31:D9:5A:47:D4:25:08:CD:5C:9E:62:64:F9:09:6B:AC:19:F0:4E:B9:B7:C8:BD:D3:5F:FF:C7:1C:18:96:17
+```
+
+[Download link](https://web.entrust.com/root-certificates/VMRC1.cer)
+
+## Identifying the VMC URL
+
+To find a VMC URL check for a BIMI record using DNS and look for a value in the `a` tag. For example, this is the BIMI record for `chase.com`.
+
+> default._bimi.chase.com. 3600   IN      TXT     "v=BIMI1;l=https://vmc.digicert.com/56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.svg;a=https://vmc.digicert.com/56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.pem"
+
+## Verifying the certificate
+
+The `opwnaal` CLI tool can be used to verify a certificate. The certificate is passed twice because it is both the certificate and the chain. For example:
+
+> openssl verify -CAfile MVACAs.pem -untrusted 56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.pem
+ 56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.pem
+> 56fc8a64-c1ec-48b1-9f70-ae068ebbe8d0.pem: OK