On ICAO-approved passports/ID-cards, data must be open for read with parts of the MRZ as password, as relying parties should not need to ask a country for permission to read data visible on the printed pages of the passport/ID, but permission from the passport/ID holder is required. Fingerprint or iris data is however locked and requires a certificate + private key, and requires country permission. Face data does however not require this; face data must be included in the open data. So it could be limited to ICAO-approved passports/ID-cards.

There is an ICAO standard in development where the passport can be "locked" with a PIN-code/password, to prevent spurious reads without passport holder permission, as the MRZ-authentication data used to unlock is easily predicted on some passports, but then this PIN-code/password MUST be supplied to the holder at issue.

Static and dynamic data authentication can be done by anyone possessing the ICAO roots for each country, which can be freely downloaded by anyone. This validates the passport hasn't been modified or copied, and has been issued by an approved government.

-------- Original message --------
From: Philipp Junghannß <[email protected]>
Date: 2017-12-01 15:30 (GMT+01:00)
To: Sebastian Nielsen <[email protected]>
Cc: IETF ACME <[email protected]>
Subject: Re: [Acme] Idea about automated OV validation

Well, true, passports/ID cards are interesting, although there's always the problem about the access structure and so on. German ID cards for example can only be read with a certificate from a "permission certificate authority", which are most probably selected by the gov, and I wouldn't expect those permission certs to come cheap; they also require documentation about how the company handles privacy and so on and so on. Add some more countries with their own respective systems into the mix and we have pure chaos. I doubt a non-profit CA like LE could do that well.
2017-12-01 15:21 GMT+01:00 Sebastian Nielsen <[email protected]>:

Also could be done by having an interface where you scan your passport with an NFC-compatible reader (both mobile phone and desktop NFC readers could be supported) and the government-signed data is uploaded. So automated validation for private IV certs could be done too (IV = Individual certs). So free code signing and IV validated certs.

https://community.letsencrypt.org/t/iv-certificates-both-server-and-code-via-automated-nfc-passport-id-validation/44838

From: Acme [mailto:[email protected]] On Behalf Of Philipp Junghannß
Sent: 1 December 2017 14:57
To: Matthias Merkel <[email protected]>
Cc: IETF ACME <[email protected]>
Subject: Re: [Acme] Idea about automated OV validation

If that's what other CAs do, that's not a bad idea, although there's of course the question whether there are some other manual checks needed. But cheap to almost free OVs/code signing certs would be great, although that sadly doesn't make it easier for normal people without a company to get IVs or code signing certs, but the idea is certainly not bad.

2017-12-01 14:53 GMT+01:00 Matthias Merkel <[email protected]>:

I had the following idea about automating verification and issuance of OV SSL certificates: Couldn't a CA in theory use the D&B API to check the company name, address and phone number and then place an automatic call? That's basically what most CAs do anyways, so is there any reason why they couldn't do it? That would also be a way for Let's Encrypt to issue OV certificates and code signing certificates.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
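The "parts of the MRZ as password" mechanism Sebastian describes is ICAO 9303 Basic Access Control. As an added example that is not code from anyone in this thread, the Python below derives the BAC key material the way ICAO 9303 Part 11 specifies: the only inputs are the document number, date of birth and date of expiry with their check digits, which bounds the entropy of that password and is why the thread notes it is easily predicted on some passports. The sample MRZ fields are the constructed worked-example values from the specification, not a real document.

```python
import hashlib

# Constructed sample: the three MRZ fields from the ICAO 9303 Part 11 worked
# example (document number, date of birth, date of expiry), not a real passport.
SAMPLE_DOC_NUMBER = "L898902C<"
SAMPLE_BIRTH = "690806"   # YYMMDD
SAMPLE_EXPIRY = "940623"  # YYMMDD

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; 0-9 as is, A-Z = 10..35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            v = int(ch)
        elif "A" <= ch <= "Z":
            v = ord(ch) - ord("A") + 10
        elif ch == "<":
            v = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += v * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """The 'password' part of the MRZ: the three fields, each followed by its check digit."""
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{check_digit(doc)}"
            f"{birth}{check_digit(birth)}"
            f"{expiry}{check_digit(expiry)}")

def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (the low bit of each DES key byte is the parity bit)."""
    return bytes(((b & 0xFE) | (0 if bin(b >> 1).count("1") % 2 else 1)) for b in key)

def bac_key_seed(mrz_info: str) -> bytes:
    """K_seed = most significant 16 bytes of SHA-1(MRZ_information)."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

def bac_keys(mrz_info: str) -> tuple[bytes, bytes]:
    """Derive the two-key 3DES keys: K_enc uses counter 1, K_mac uses counter 2."""
    k_seed = bac_key_seed(mrz_info)
    def derive(counter: int) -> bytes:
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return adjust_des_parity(digest[:16])
    return derive(1), derive(2)

if __name__ == "__main__":
    info = mrz_information(SAMPLE_DOC_NUMBER, SAMPLE_BIRTH, SAMPLE_EXPIRY)
    k_enc, k_mac = bac_keys(info)
    print("MRZ_information:", info, "K_enc:", k_enc.hex(), "K_mac:", k_mac.hex())
```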
