Let's Encrypt style automation will be necessary with a large 
userbase, and even with a small userbase it will be very helpful.

How do you envision the DNS records being set up?  Should there be 
one DNS record for each user, or a shared DNS record with some sort 
of a cryptographic fingerprint that validates all users within the 
given domain?

> I have sent this to Digicert and Entrust in the hope of creating a simple 
> certification BIMI process for individuals.
> If this process becomes standardized, it could gain the same traction as Let's 
> Encrypt and eventually become free.
> 
> Remember how StartSSL had cheap code signing and SSL wildcard certificates for 
> individuals?
> 
> *******************************************************************
> I have a product suggestion, which is some sort of VMC / BIMI for individuals.
> That could make use of a cheap and fully automated validation process, which 
> could then have a very low price, as no human needs to be involved to verify 
> an association, business or trade mark.
> 
> Here is my idea on how it could work:
> 1: You go to the app store and download a specific app - "Digicert VMC for 
> Individuals" or "Entrust VMC for Individuals", or you both could collaborate 
> on a joint app regardless of where the certificate is purchased.
> 2: You scan a QR code on-screen.
> 3: You scan your own passport or national ID card with the NFC scanner on your 
> phone.
> 4: This will extract all data from the passport and validate it against the 
> country signer certificate (ICAO certificate).
> 5: Then the face picture is extracted from the passport/ID card, validated, 
> and then put into an SVG converter.
> 6: You then use sliders on-screen to control how the JPEG/JPEG2000->SVG 
> conversion process behaves, to make the face picture look as good as 
> possible. The sliders' maximum and minimum values must of course be limited to 
> prevent individuals from producing images that are too vague to be a true 
> identification, but on the other hand allow enough customization so very 
> hairy, beardy or pimply people don't generate too huge SVG files and look 
> good visually without too much SVG dithering.
> 7: After you are satisfied with the picture, you complete the purchase, and 
> then you are given the generated SVG picture and PEM certificate to use in 
> the a= parameter of the BIMI record.
> 
> Since the CA is responsible for generating the SVG in this case, the process can 
> be completely and fully automated, which means the price can be very cheap or 
> low, like let's say about 50EUR per certificate, which will be valid until the 
> passport's or ID card's expiration time.
> Or let's say 20EUR per year, but the maximum certificate length is until the 
> passport or ID card expires.
> By having the CA do the JPEG/JPEG2000 to SVG conversion based on the 
> electronic passport picture which is validated from the ICAO signature, there's no 
> need for a face comparison process or biometric face identification, as the 
> process is sourced from the face picture; thus, it's not possible to cheat or 
> fake the process in any way.
> 
> In addition, SMIME certificates for individuals with full identity validation 
> could be provided in a similar fully automated way with the same form of NFC 
> scanning app.
> In this case, the data from the passport is used to fill in all applicable fields 
> on a certificate.
> Since the data from the passport is already signed by the ICAO certificate, it's not 
> possible to cheat or fake the data in any way.
> *******************************************************************
> 
> 
> Hopefully, a good process for both SMIME and BIMI could be created, which 
> requires no manual or human check, is fully automated, and poses no security 
> consequences for the email world.
> Since the validation data would be sourced from an instance that already is 
> vetted with an ICAO certificate, it could become a very secure solution, with 
> no risk of fraudulent certificates.
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
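The per-user versus shared-record question above maps onto BIMI's selector mechanism (records live at `<selector>._bimi.<domain>`, with `default` as the usual selector). As an added example that is not part of this thread, here is a small Python parser and validator for the `v=BIMI1; l=...; a=...` assertion record; the per-user selector label `alice` and the example.com URLs are constructed for illustration only.

```python
from urllib.parse import urlsplit


def bimi_record_name(domain: str, selector: str = "default") -> str:
    """DNS owner name at which a BIMI assertion record is published.
    A per-user selector (e.g. one selector per mailbox) is one way to get
    'one DNS record per user'; this mapping is an assumption, not a standard."""
    return f"{selector}._bimi.{domain}"


def _is_https_url(value: str) -> bool:
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


def parse_bimi_record(txt: str) -> dict:
    """Parse a BIMI assertion record (TXT) into a tag dict.
    Checks: 'v=BIMI1' must be the first tag, no duplicate tags, and the
    'l' (logo SVG) and 'a' (evidence document, e.g. VMC PEM) values must be
    empty or https URLs. Raises ValueError on any violation."""
    tags: dict = {}
    for raw in txt.split(";"):
        item = raw.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        key, _, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        if not tags and key != "v":
            raise ValueError("record must start with v=BIMI1")
        tags[key] = value
    if tags.get("v") != "BIMI1":
        raise ValueError("missing or unsupported version tag")
    for key in ("l", "a"):
        if tags.get(key, "") and not _is_https_url(tags[key]):
            raise ValueError(f"{key}= must be an https URL or empty")
    return tags


def is_opt_out(tags: dict) -> bool:
    """A record with empty l= and a= declines BIMI for that selector."""
    return not tags.get("l") and not tags.get("a")


def bimi_record_error(txt: str):
    """Return the validation error message for txt, or None if it is valid."""
    try:
        parse_bimi_record(txt)
    except ValueError as exc:
        return str(exc)
    return None
```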

