I wonder if Entrust can survive this. Even if Web-PKI doesn't account for the majority of their income (which it might, I genuinely don't know) this is a huge blow to their credibility.
Entrust has BIMI certs which use a different root (CN = Entrust Verified Mark Root Certification Authority - VMCR1) and for which your choices of a BIMI certificate are: Entrust or DigiCert. I doubt it makes as much money as their web certs (BIMI certs are not super common, and they are expensive to issue since there's an actual validation process that typically involves a public notary validating the ID of a corporate officer).
It looks like Entrust is selling on the order of a few dozen certs a week to maybe upwards of 100-200.
EDIT: I've asked Google if Gmail will be discontinuing support for Entrust's VMC certificate (and thus BIMI logos). I would guess not since BIMI has some actual requirements, but assumptions are not the best way to make decisions about risk (like our BIMI logo not working later this fall).
Email logo validation and prominent display seems like a perfectly valid use case.
See arguments about red-warning unencrypted HTTP and how that pushed the web to update.
Add in that genAI is going to make plausible-looking phishing emails a lot easier for the world to generate en masse, and giving the everyperson something better than "decide if it looks suspicious" is important.
Logos are bound to trademarks, which are split by country and type of business. Anybody could get a BIMI of a duplicate of your logo if they just register a different trademark in some different business (and/or country). Therefore, BIMI does not guarantee what they say they do – logo trustworthiness – and is therefore a scam. If your trademark is not valid and known globally, BIMI does nothing for you. This explains why only huge entities – i.e. with such trademarks – have ever expressed any interest.
A dead giveaway would otherwise have been that the BIMI issuers are all the now-panicking EV certificate issuers, which nobody will now buy.
And for a CA, credibility is everything.