FWIW, the (mobile) apps I've used which require a passport and a facial photograph require the user, in the mobile app, first to use the app to scan the passport (like when doing a mobile deposit of a check) and then immediately thereafter, use the mobile device's camera to take a selfie.

The passport scan to my understanding includes verification of reflective and other anti-fraud features of most passports, so no possibility of using a pre-existing photo of one's passport (I tried, as I didn't have my passport handy but keep a photo of it that I printed out). The selfie scan requires you to move your face up, down and around in a circle, so no possibility of using a pre-existing photo of a face with a stolen passport.

The app's Mothership then compares the passport scan to the facial photograph and says pass or fail.

I had to do this when signing up for Clear for example. Same workflow when I took my AWS certification exams remotely. Seems standard.

Regards,
Mark

--
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs
Winner of the Zimbra Americas VAR Partner of the Year - Two Years Running !

----- Original Message -----
| From: "Sebastian Nielsen via mailop" <[email protected]>
| To: "Mailing List" <[email protected]>
| Sent: Wednesday, November 19, 2025 1:19:54 PM
| Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?

| I sent to the CA/B group proposed 2 validation possibilities:
|
| 1: Either that you must supply BOTH passport and ID card in MRTD format. This is
| a method that was used by StartSSL to prevent using stolen ID card documents to
| acquire a certificate.
| The thought behind this is that if you pickpocket someone on the street, you are
| only gonna get EITHER passport or ID card, thus not being able to do full
| validation.
| (StartSSL didn't require electronic ID cards however, it was fine with a scanned
| driver's license, but the intention behind "at least TWO ID documents" was to
| curb theft of ID documents since they didn't do any face scan or live
| validation via webcam meeting)
| Locking this to only electronic ID documents (NFC readable passport and ID card)
| makes it even more secure.
|
| 2: Or a biometric automated face scan.
|
| I personally think both are okay to validate someone's identity.
| It's something that can be discussed in the CA/B group how to do really securely.
|
| Requiring two subsequent validations with a specific time period - let's say at
| least 48 hours between, can also increase security, as it increases the time a
| thief must maintain control of the ID documents, and thus risking getting
| caught or the ID documents being blocked by the government because the owner
| reported them stolen.
|
| Best regards, Sebastian Nielsen
|
|
| -----Original Message-----
| From: Andrew C Aitchison via mailop <[email protected]>
| Sent: 19 November 2025 18:51
| To: Sebastian Nielsen via mailop <[email protected]>
| Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?
|
| On Wed, 19 Nov 2025, Sebastian Nielsen via mailop wrote:
|
|> I feel it should be very feasible as with a good vectorization tool
|> you can actually get a good output as you see here:
|> https://sebbe.eu/bimi/face.svg
|>
|> And to guarantee genuineness and facilitate fully automated
|> validation (which drives down the prices of the certificates) the
|> passport picture can be extracted from a MRTD or a "national ID
|> card" ('passport in credit card format') and then if a good
|> normalization algorithm and vectorization algorithm is applied to
|> convert the passport picture to the SVG, then the CA can be sure
|> that the picture is correct without having to visually compare the
|> face pictures with each other.
|
| How long would I need to borrow a machine readable travel document for
| in order to get a personal certificate with someone's face on it ?
|
|> Which makes fully automated validation a possibility with a mobile
|> app, NFC and a MRTD.
|
| Sorry, are you automating the issuing of a personal certificate, or
| using it to verify that the person in front of you is the certificate
| holder (or the passport-holder) ?
|
| When I last used my passport for online my phone looked at me and my
| passport under multiple lighting conditions. Unless the CA does the
| same, I fear a reduction in security.
|
|> The algorithm has to, however, be able to automatically add
|> optimizations to the color profile to ensure the resultant SVG is
|> below 32 kB.
|>
|> -----Original Message-----
|> From: Al Iverson via mailop <[email protected]>
|> Sent: 19 November 2025 17:26
|> To: Mailing List <[email protected]>
|> Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?
|>
|> And separately, I'll put this on the wish list of stuff that I'll
|> bring up in discussions with others in the BIMI Group. I love the idea
|> of a "personal mark certificate," though I don't know how feasible it
|> is. I'm in the same boat as you, in that I'm not really a company, but
|> I'd love to implement BIMI as broadly as possible.
|>
|> Cheers,
|> Al Iverson
|>
|> On Tue, Nov 18, 2025 at 4:02 PM Todd Herr via mailop <[email protected]> wrote:
|>>
|>> On Tue, Nov 18, 2025 at 4:44 PM Sebastian Nielsen via mailop <[email protected]>
|>> wrote:
|>>>
|>>> Is there a way to send suggestions to CA/B forum to implement a personal VMC
|>>> certificate?
|>>>
|>>>
|>>
|>> According to https://cabforum.org/about/email-lists/, Questions from the public
|>> may be submitted by email to the Questions list at [email protected].
|>>
|>> --
|>> Todd
|>>
|>> _______________________________________________
|>> mailop mailing list
|>> [email protected]
|>> https://list.mailop.org/listinfo/mailop
|>
|>
|>
|> --
|>
|> Al Iverson // 312-725-0130 // Chicago
|> http://www.spamresource.com // Deliverability
|> http://www.aliverson.com // All about me
|> https://xnnd.com/calendar // Book my calendar
|
| --
| Andrew C. Aitchison Kendal, UK
| [email protected]
