I have sent this to Digicert and Entrust in the hope of creating a simple BIMI certification process for individuals. If this process becomes standardized, it could gain the same traction as Let's Encrypt and eventually become free.
Remember how StartSSL had cheap code signing and SSL wildcard certificates for individuals?

*******************************************************************

I have a product suggestion, which is some sort of VMC / BIMI for individuals. That could make use of a cheap and fully automated validation process, which could then have a very low price, as no human needs to be involved to verify an association, business or trade mark.

Here is my idea on how it could work:

1: You go to the app store and download a specific app – “Digicert VMC for Individuals” or “Entrust VMC for Individuals”, or you both could collaborate on a joint app regardless of where the certificate is purchased.

2: You scan a QR code on-screen.

3: You scan your own passport or national ID card with the NFC scanner on your phone.

4: This will extract all data from the passport and validate it against the country signer certificate (ICAO certificate).

5: Then the face picture is extracted from the passport/ID card, validated, and then put into an SVG converter.

6: You then use sliders on-screen to control how the JPEG/JPEG2000->SVG conversion process behaves, to make the face picture look as good as possible. The sliders' maximum and minimum values must of course be limited to prevent individuals from producing images that are too vague to be a true identification, but on the other hand allow enough customization so that very hairy, beardy or pimply people don't generate too huge SVG files and look good visually without too much SVG dithering.

7: After you are satisfied with the picture, you complete the purchase, and then you are given the generated SVG picture and PEM certificate to use in the a= parameter of the BIMI record.

Since the CA is responsible for generating the SVG in this case, the process can be completely and fully automated, which means the price can be very cheap or low, like let's say about 50€ per certificate, which will be valid until the passport's or ID card's expiration time. Or let's say 20€ per year, but the maximum certificate length is until the passport or ID card expires.

By having the CA do the JPEG/JPEG2000 to SVG conversion based on the electronic passport picture, which is validated from the ICAO signature, there's no need for a face comparison process or biometric face identification, as the process is sourced from the face picture; thus, it's not possible to cheat or fake the process in any way.

In addition, SMIME certificates for individuals with full identity validation could be provided in a similar fully automated way with the same form of NFC scanning app. In this case, the data from the passport is used to fill in all applicable fields on a certificate. Since the data from the passport is already signed by the ICAO certificate, it's not possible to cheat or fake the data in any way.

*******************************************************************

Hopefully, a good process for both SMIME and BIMI could be created, which requires no manual or human check, is fully automated, and poses no security consequences for the email world. Since the validation data would be sourced from an instance that is already vetted with an ICAO certificate, it could become a very secure solution, with no risk of fraudulent certificates.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
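As an added example that is not part of the original post, the following Python shows the receiving side of the proposal: a parser for the BIMI TXT record whose `a=` parameter the post refers to (tag names `v=`, `l=`, `a=` follow the BIMI draft), plus a helper that caps a certificate's validity at the identity document's expiry, which is the validity rule the post proposes. The record strings, domain and dates are constructed for illustration; the "per year" term is approximated as 365 days, which is an assumption of this example and not something the post specifies.

```python
"""
Added example (not from the original mailop post): parse a BIMI DNS record
and cap a VMC's validity at the identity document's expiry date.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlparse

# Constructed sample records, as a receiver would read them from the
# default._bimi.<domain> TXT entry (example.org is a placeholder domain).
SAMPLE_RECORDS = {
    "with_vmc": "v=BIMI1; l=https://example.org/logo.svg; a=https://example.org/vmc.pem",
    "declined": "v=BIMI1; l=;",            # empty l= means the domain opts out
    "bad_scheme": "v=BIMI1; l=http://example.org/logo.svg",
}


@dataclass
class BimiRecord:
    logo_url: str | None      # l= tag; None means the domain declined BIMI
    evidence_url: str | None  # a= tag; URL of the PEM certificate (VMC), if any


def parse_bimi_record(txt: str) -> BimiRecord:
    """Parse a BIMI TXT record into its l= and a= values.

    Malformed records raise ValueError so a receiver fails closed rather
    than displaying a logo it cannot attribute to an evidence document.
    """
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()

    if tags.get("v") != "BIMI1":
        raise ValueError("record must carry v=BIMI1")
    if "l" not in tags:
        raise ValueError("l= tag is required")

    logo = tags["l"] or None
    evidence = tags.get("a") or None
    # Both the logo and the evidence document must be fetched over HTTPS.
    for url in (logo, evidence):
        if url is not None and urlparse(url).scheme != "https":
            raise ValueError(f"BIMI URLs must use https: {url}")
    return BimiRecord(logo_url=logo, evidence_url=evidence)


def cap_validity(issued_on: date, requested_years: int, document_expiry: date) -> date:
    """Return the notAfter date for a certificate bound to an identity
    document: the requested term, but never past the document's expiry.
    A year is approximated as 365 days (assumption of this example)."""
    if requested_years < 1:
        raise ValueError("term must be at least one year")
    if document_expiry <= issued_on:
        raise ValueError("identity document already expired")
    requested_end = issued_on + timedelta(days=365 * requested_years)
    return min(requested_end, document_expiry)


def cap_validity_iso(issued_on: str, requested_years: int, document_expiry: str) -> str:
    """Same as cap_validity, with ISO-8601 date strings in and out."""
    end = cap_validity(date.fromisoformat(issued_on), requested_years,
                       date.fromisoformat(document_expiry))
    return end.isoformat()


if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        try:
            print(label, parse_bimi_record(record))
        except ValueError as exc:
            print(label, "rejected:", exc)
    # Five-year request against a document expiring sooner is capped.
    print(cap_validity_iso("2024-01-01", 5, "2026-06-30"))
```

The parser deliberately rejects duplicate tags and non-HTTPS URLs instead of picking one value, since the logo a mail client shows is only as trustworthy as the evidence document the `a=` URL points to.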