Wrong. The passport scan uses something called NFC, 13.56 MHz. You scan the 2 data lines (called the MRZ). Scanning the MRZ is just for convenience; it would be as secure as if you keyed in the MRZ on the phone's keyboard. You can also key in the number written as "CAN" on the passport, which acts as a "PIN code" to unlock the passport.
The MRZ or CAN is then used to calculate a decryption key (PACE), which is then used to "authenticate" against the NFC chip inside the passport. This authentication is to prevent someone from scanning your passport through a pocket or bag. The NFC chip contains all the information visible on the passport, including picture and signature. This information is then signed using a certificate, which is signed by your country (government). Also on the passport, there is a second certificate, signed by the passport's certificate, for which the NFC chip possesses the private key (this certificate is DIFFERENT from the certificate used to sign the passport details). This second certificate can then be used to perform challenge-response validation against the passport by asking the passport to sign a random blob of data, to guarantee it has not been duplicated into 2 identical passports. This is an extremely secure process that makes it impossible to send in a fraudulent passport for validation.

If you want to try out this process for yourself, try this app: https://play.google.com/store/apps/details?id=nl.innovalor.nfciddocshowcase

-----Original Message-----
From: L. Mark Stone via mailop <[email protected]>
Sent: 19 November 2025 21:27
To: Mailing List <[email protected]>
Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?

FWIW, the (mobile) apps I've used which require a passport and a facial photograph require the user, in the mobile app, first to use the app to scan the passport (like when doing a mobile deposit of a check) and then immediately thereafter, use the mobile device's camera to take a selfie. The passport scan to my understanding includes verification of reflective and other anti-fraud features of most passports, so no possibility of using a pre-existing photo of one's passport (I tried, as I didn't have my passport handy but keep a photo of it that I printed out).
The selfie scan requires you to move your face up, down and around in a circle, so no possibility of using a pre-existing photo of a face with a stolen passport. The app's Mothership then compares the passport scan to the facial photograph and says pass or fail.

I had to do this when signing up for Clear for example. Same workflow when I took my AWS certification exams remotely. Seems standard.

Regards,
Mark

--
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs
Winner of the Zimbra Americas VAR Partner of the Year - Two Years Running !

----- Original Message -----
| From: "Sebastian Nielsen via mailop" <[email protected]>
| To: "Mailing List" <[email protected]>
| Sent: Wednesday, November 19, 2025 1:19:54 PM
| Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?

| I sent to the CA/B group proposed 2 validation possibilities:
|
| 1: Either that you must supply BOTH passport and ID card in MRTD format. This is
| a method that was used by StartSSL to prevent using stolen ID card documents to
| acquire a certificate.
| The thought behind this is that if you pickpocket someone on the street, you are
| only gonna get EITHER passport or ID card, thus not being able to do full
| validation.
| (StartSSL didn't require electronic ID cards however, it was fine with a scanned
| driver's license, but the intention behind "at least TWO ID documents" was to
| curb theft of ID documents since they didn't do any face scan or live
| validation via webcam meeting)
| Locking this to only electronic ID documents (NFC readable passport and ID card)
| makes it even more secure.
|
| 2: Or a biometric automated face scan.
|
| I personally think both are okay to validate someone's identity.
| It's something that can be discussed in the CA/B group how to do really securely.
|
| Requiring two subsequent validations with a specific time period - let's say at
| least 48 hours between, can also increase security, as it increases the time a
| thief must maintain control of the ID documents, and thus risking getting
| caught or the ID documents being blocked by the government because the owner
| reported them stolen.
|
| Best regards, Sebastian Nielsen
|
|
| -----Original Message-----
| From: Andrew C Aitchison via mailop <[email protected]>
| Sent: 19 November 2025 18:51
| To: Sebastian Nielsen via mailop <[email protected]>
| Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?
|
| On Wed, 19 Nov 2025, Sebastian Nielsen via mailop wrote:
|
|> I feel it should be very feasible as with a good vectorization tool
|> you can actually get a good output as you see here:
|> https://sebbe.eu/bimi/face.svg
|>
|> And to guarantee genuineness and facilitate fully automated
|> validation (which drives down the prices of the certificates) the
|> passport picture can be extracted from a MRTD or a "national ID
|> card" ('passport in credit card format') and then if a good
|> normalization algorithm and vectorization algorithm is applied to
|> convert the passport picture to the SVG, then the CA can be sure
|> that the picture is correct without having to visually compare the
|> face pictures with each other.
|
| How long would I need to borrow a machine readable travel document for
| in order to get a personal certificate with someone's face on it ?
|
|> Which makes fully automated validation a possibility with a mobile
|> app, NFC and a MRTD.
|
| Sorry, are you automating the issuing of a personal certificate, or
| using it to verify that the person in front of you is the certificate
| holder (or the passport-holder) ?
|
| When I last used my passport for online my phone looked at me and my
| passport under multiple lighting conditions. Unless the CA does the
| same, I fear a reduction in security.
|
|> The algorithm has to however, be able to automatically add
|> optimizations to the color profile to ensure the resultant SVG is
|> below 32 kB.
|>
|> -----Original Message-----
|> From: Al Iverson via mailop <[email protected]>
|> Sent: 19 November 2025 17:26
|> To: Mailing List <[email protected]>
|> Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?
|>
|> And separately, I'll put this on the wish list of stuff that I'll
|> bring up in discussions with others in the BIMI Group. I love the idea
|> of a "personal mark certificate," though I don't know how feasible it
|> is. I'm in the same boat as you, in that I'm not really a company, but
|> I'd love to implement BIMI as broadly as possible.
|>
|> Cheers,
|> Al Iverson
|>
|> On Tue, Nov 18, 2025 at 4:02 PM Todd Herr via mailop <[email protected]> wrote:
|>>
|>> On Tue, Nov 18, 2025 at 4:44 PM Sebastian Nielsen via mailop <[email protected]>
|>> wrote:
|>>>
|>>> Is there a way to send suggestions to CA/B forum to implement a personal VMC
|>>> certificate?
|>>>
|>>
|>> According to https://cabforum.org/about/email-lists/, Questions from the public
|>> may be submitted by email to the Questions list at [email protected].
|>>
|>> --
|>> Todd
|>>
|>> _______________________________________________
|>> mailop mailing list
|>> [email protected]
|>> https://list.mailop.org/listinfo/mailop
|>
|> --
|>
|> Al Iverson // 312-725-0130 // Chicago
|> http://www.spamresource.com // Deliverability
|> http://www.aliverson.com // All about me
|> https://xnnd.com/calendar // Book my calendar
|
| --
| Andrew C. Aitchison
| Kendal, UK
| [email protected]
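As an added example (not code from this thread, the Innovalor app, or any CA), the Python below models the first step Sebastian describes at the top of the thread: the MRZ (or CAN) is turned into the key material that BAC/PACE uses to unlock the chip, after the MRZ check digits have been validated so a misread line is rejected before the chip is ever touched. The TD3 line is constructed for the demo, and the key-derivation details (SHA-1 seed, KDF counters 1 and 2 for BAC Kenc/Kmac, counter 3 for the PACE password key, 3DES parity) follow my reading of ICAO 9303 Part 11; the thread itself gives no such specifics.

```python
import hashlib
# Constructed TD3 passport MRZ line 2 for this demo. Document number L898902C<,
# birth 690806 and expiry 940623 (plus their check digits) match the public
# ICAO 9303 worked example; nationality, sex and filler were added here.
MRZ_LINE2 = "L898902C<3UTO6908061F9406236" + "<" * 14 + "02"

def check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1 repeating; A-Z = 10..35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"illegal MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(line2):
    """Validate a 44-char TD3 line 2 and return MRZ_information (document number,
    birth date, expiry date, each with its check digit), the value that seeds BAC/PACE."""
    if len(line2) != 44:
        raise ValueError("TD3 line 2 must be 44 characters")
    doc, dob, exp = line2[0:10], line2[13:20], line2[21:28]
    composite = doc + dob + line2[21:43] + line2[43]  # positions 1-10, 14-20, 22-43 + digit
    for name, field in (("document number", doc), ("birth date", dob),
                        ("expiry date", exp), ("composite", composite)):
        if check_digit(field[:-1]) != field[-1]:
            raise ValueError(f"{name} check digit mismatch")
    return doc + dob + exp

def odd_parity(key):
    """3DES key bytes carry odd parity; flip the low bit of any even-parity byte."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)

def kdf(k, counter):
    """ICAO 9303 Part 11 KDF for 3DES: SHA-1(K || 32-bit counter), first 16 bytes."""
    return odd_parity(hashlib.sha1(k + counter.to_bytes(4, "big")).digest()[:16])

def bac_keys(mrz_info):
    """BAC: K_seed = SHA-1(MRZ_information)[:16]; counter 1 gives Kenc, 2 gives Kmac."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return kdf(k_seed, 1), kdf(k_seed, 2)

def pace_key(password, from_mrz):
    """PACE K_pi = KDF(f(pi), 3): f is SHA-1 over MRZ_information, or the CAN digits as-is."""
    k = hashlib.sha1(password.encode("ascii")).digest() if from_mrz else password.encode("ascii")
    return kdf(k, 3)
```

The point for a verifier is that a single misread MRZ character fails a check digit locally instead of producing a wrong key and a failed (and logged) chip authentication.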
