I sent to the CA/B group 2 proposed validation possibilities:

1: Either that you must supply BOTH passport and ID card in MRTD format. This is a method that was used by StartSSL to prevent using stolen ID card documents to acquire a certificate. The thought behind this is that if you pickpocket someone on the street, you are only gonna get EITHER passport or ID card, thus not being able to do full validation. (StartSSL didn't require electronic ID cards, however; it was fine with a scanned driver's license, but the intention behind "at least TWO ID documents" was to curb theft of ID documents, since they didn't do any face scan or live validation via webcam meeting.) Locking this to only electronic ID documents (NFC readable passport and ID card) makes it even more secure.

2: Or a biometric automated face scan.

I personally think both are okay to validate someone's identity. It's something that can be discussed in the CA/B group, how to do really securely. Requiring two subsequent validations with a specific time period between them, let's say at least 48 hours, can also increase security, as it increases the time a thief must maintain control of the ID documents, thus risking getting caught or the ID documents being blocked by the government because the owner reported them stolen.

Best regards, Sebastian Nielsen

-----Original message-----
From: Andrew C Aitchison via mailop <[email protected]>
Sent: 19 November 2025 18:51
To: Sebastian Nielsen via mailop <[email protected]>
Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?

On Wed, 19 Nov 2025, Sebastian Nielsen via mailop wrote:

> I feel it should be very feasible as with a good vectorization tool
> you can actually get a good output as you see here:
> https://sebbe.eu/bimi/face.svg
>
> And to guarantee genuineness and facilitate fully automated
> validation (which drives down the prices of the certificates) the
> passport picture can be extracted from a MRTD or a "national ID
> card" ('passport in credit card format') and then if a good
> normalization algorithm and vectorization algorithm is applied to
> convert the passport picture to the SVG, then the CA can be sure
> that the picture is correct without having to visually compare the
> face pictures with each other.

How long would I need to borrow a machine readable travel document for
in order to get a personal certificate with someone's face on it?

> Which makes fully automated validation a possibility with a mobile
> app, NFC and a MRTD.

Sorry, are you automating the issuing of a personal certificate,
or using it to verify that the person in front of you is the
certificate holder (or the passport-holder)?
When I last used my passport for online my phone looked at me and my
passport under multiple lighting conditions.
Unless the CA does the same, I fear a reduction in security.

> The algorithm has to however, be able to automatically add
> optimizations to the color profile to ensure the resultant SVG is
> below 32 kB.
>
> -----Original message-----
> From: Al Iverson via mailop <[email protected]>
> Sent: 19 November 2025 17:26
> To: Mailing List <[email protected]>
> Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?
>
> And separately, I'll put this on the wish list of stuff that I'll
> bring up in discussions with others in the BIMI Group. I love the idea
> of a "personal mark certificate," though I don't know how feasible it
> is. I'm in the same boat as you, in that I'm not really a company, but
> I'd love to implement BIMI as broadly as possible.
>
> Cheers,
> Al Iverson
>
> On Tue, Nov 18, 2025 at 4:02 PM Todd Herr via mailop <[email protected]>
> wrote:
>>
>> On Tue, Nov 18, 2025 at 4:44 PM Sebastian Nielsen via mailop
>> <[email protected]> wrote:
>>>
>>> Is there a way to send suggestions to CA/B forum to implement a personal
>>> VMC certificate?
>>>
>>>
>>
>> According to https://cabforum.org/about/email-lists/, Questions from the
>> public may be submitted by email to the Questions list at
>> [email protected].
>>
>> --
>> Todd
>>
>> _______________________________________________
>> mailop mailing list
>> [email protected]
>> https://list.mailop.org/listinfo/mailop
>
> --
>
> Al Iverson // 312-725-0130 // Chicago
> http://www.spamresource.com // Deliverability
> http://www.aliverson.com // All about me
> https://xnnd.com/calendar // Book my calendar

--
Andrew C. Aitchison
Kendal, UK
[email protected]
