Full disclosure - I also Google Trust Services. This email is in my personal capacity.
There are a few reasons I personally think it's not a useful change, some of which include:
1. Reliance on the "work email" domain to signal the author is authorized to speak on behalf of the organization would be problematic. Maybe it is the janitor and not someone in an administrative or technical role associated with the CA.
2. If one was to make this a requirement it seems it would be natural to go even further and say the address should be under the domain used for CAA, which of course does not work in many cases, which then limits the value (see #1).
3. There are people who work in a CA that are in fact affiliated with the operations of the associated CA but are neither authorized to speak on the behalf of the organization nor have the context to effectively answer questions on behalf of the CA.
4. The root programs would not take action against a CA on the basis of an email or email address alone and have registered contacts that they engage with for administrative issues and questions and this could not replace this.
5. The people representing a CA change over time and anchoring on individuals rather than an organization is problematic as a result.
6. This forum is most useful when it is a place where anyone can come and answer questions even if not associated with a CA, or if they are associated with a CA and seeking clarifications on ambiguity.
I agree. There should be strong identity and authorization requirements. These are people that are ultimately being trusted GLOBALLY by billions of people.
What's fascinating to me is that to get a BIMI logo for email there are much more stringent identity verification requirements than for the root CAs getting into the root CA program.
I've actually done this process, it's actually really easy if you're operating properly, e.g. trademark registered, have someone sufficiently empowered do the process (e.g. a C level exec) or they authorize someone lower (e.g. me), the C level or myself goes to a public notary chosen by the BIMI provider to sign the docs, and the notary sends it in (I've been through the process). So there is strong proof that
1) the company signing up for BIMI has the legal right to the trademark
2) the person applying is authorized on behalf of the company
3) the person applying is actually the person applying
4) a trusted third party (a public notary) is used to reduce the chances of shenanigans (e.g. signing paperwork, notarizing it, the notary sends it in so there's less chance for me to go alter the paperwork and then send it in)
Looking at the root CA requirement there is nothing here, in fact:
the word "identity" only occurs once, and there's no mention of validating the identity or authorization of the people involved in the process. Quite the opposite, I see several people in the community arguing in favour of throw away Gmail addresses.
It does seem reasonable to expect people to disclose affiliations and make it clear if they are speaking on behalf of their organizations though.
Agreed, it would also be a good idea for them to also prove they work for those organizations that they claim to represent (easily done via email if you have SPF/DKIM/DMARC set up, and these are CAs, they should be able to do security, right?), and are authorized to do so (ideally they should have some public reference that makes it clear that they're not just some random intern or the janitor).
Ryan Hurst
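The affiliation check the reply above proposes (prove you send from the organization's domain via SPF/DKIM/DMARC), as an added Python example that is not code from this thread, from any CA or from any root program: it parses the Authentication-Results header a receiving MTA adds (RFC 8601) and decides whether the claimed From: domain is actually authenticated, either by a DMARC pass or by an aligned DKIM/SPF pass. The headers, the domains and the MTA name are constructed for the example, and the organizational-domain logic is a simplification (real receivers use the public suffix list).

```python
"""Decide whether an inbound message's From: domain is authenticated.

Added example (not code from the thread or from any CA): parses the
Authentication-Results header a receiving MTA adds (RFC 8601) and applies
DMARC-style alignment. Sample headers below are constructed, not real mail.
"""
import re
from email.utils import parseaddr

# Constructed sample headers; "mx.example.net" is an assumed receiving MTA.
SAMPLE_PASS = (
    "mx.example.net; "
    "dkim=pass header.d=example-ca.org header.s=sel1; "
    "spf=pass smtp.mailfrom=bounce.example-ca.org; "
    "dmarc=pass header.from=example-ca.org"
)
# Constructed: a freemail relay claiming a CA's domain in From: only.
SAMPLE_FAIL = (
    "mx.example.net; "
    "dkim=none; "
    "spf=pass smtp.mailfrom=freemail.example; "
    "dmarc=fail header.from=example-ca.org"
)


def parse_auth_results(header: str) -> list[dict[str, str]]:
    """Split an Authentication-Results value into result stanzas.

    Each stanza becomes {"method": ..., "result": ...} plus any
    ptype.property=value pairs ("header.d", "smtp.mailfrom", ...).
    The leading authserv-id is dropped. Parenthesised comments containing
    ';' are not handled, which is an accepted simplification here.
    """
    parts = [p.strip() for p in header.split(";")]
    stanzas = []
    for part in parts[1:]:  # parts[0] is the authserv-id
        if not part or part.lower() == "none":
            continue
        tokens = part.split()
        m = re.fullmatch(r"([a-z0-9-]+)=([a-z]+)", tokens[0], re.I)
        if not m:
            continue
        stanza = {"method": m.group(1).lower(), "result": m.group(2).lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                stanza[key.lower()] = value.lower()
        stanzas.append(stanza)
    return stanzas


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption for this example; production code consults the public
    suffix list so that e.g. 'co.uk' is not treated as an organization.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(value: str) -> str:
    # smtp.mailfrom may carry a full address or just a domain.
    return value.rsplit("@", 1)[-1]


def from_domain_is_authenticated(from_header: str, auth_results: str) -> bool:
    """True when the From: domain is backed by a DMARC pass for that domain,
    or by a DKIM/SPF pass whose signing/envelope domain aligns with it
    (relaxed alignment on the organizational domain)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    from_dom = addr.rsplit("@", 1)[1].lower()
    for s in parse_auth_results(auth_results):
        if s["result"] != "pass":
            continue
        if s["method"] == "dmarc" and s.get("header.from", from_dom) == from_dom:
            return True
        if s["method"] == "dkim" and "header.d" in s:
            if org_domain(s["header.d"]) == org_domain(from_dom):
                return True
        if s["method"] == "spf" and "smtp.mailfrom" in s:
            if org_domain(_domain_of(s["smtp.mailfrom"])) == org_domain(from_dom):
                return True
    return False


if __name__ == "__main__":
    sender = "Alice <alice@example-ca.org>"
    print("authenticated:", from_domain_is_authenticated(sender, SAMPLE_PASS))
    print("spoofed:", from_domain_is_authenticated(sender, SAMPLE_FAIL))
```

The check is only as good as the MTA that wrote the header: it must strip any Authentication-Results stanzas arriving from outside and add its own, otherwise a sender can supply a fake "dmarc=pass" line. It also proves only that the message came from infrastructure the domain owner controls, not that the person is authorized to speak for the organization, which is the second half of the reply's point.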