I envision this being a system for individual domains, ergo non-corporate domain owners. For domains with a few users, it would require a DNS record per user, yes.
For domains with many users, it would be a corporation owning the domain, and thus it would bear the logo of the corporation.

-----Original message-----
From: Randolf Richardson, Postmaster via mailop <mailop@mailop.org>
Sent: 15 January 2024 02:46
To: Mailop <mailop@mailop.org>
Subject: Re: [mailop] Displaying logos

Let's Encrypt style automation will be necessary with a large userbase, and even with a small userbase it will be very helpful.

How do you envision the DNS records being set up? Should there be one DNS record for each user, or a shared DNS record with some sort of a cryptographic fingerprint that validates all users within the given domain?

> I have sent this to Digicert and Entrust in the hope of creating a simple
> BIMI certification process for individuals.
> If this process becomes standardized, it could gain the same traction as Let's
> Encrypt and eventually become free.
>
> Remember how StartSSL had cheap code signing and SSL wildcard certificates for
> individuals?
>
> *******************************************************************
> I have a product suggestion, which is some sort of VMC / BIMI for individuals.
> That could make use of a cheap and fully automated validation process, which
> could then have a very low price, as no human needs to be involved to verify
> an association, business or trade mark.
>
> Here is my idea on how it could work:
> 1: You go to the app store and download a specific app - "Digicert VMC for
> Individuals" or "Entrust VMC for Individuals", or you both could collaborate
> on a joint app regardless of where the certificate is purchased.
> 2: You scan a QR code on-screen.
> 3: You scan your own passport or national ID card with the NFC scanner on your
> phone.
> 4: This will extract all data from the passport and validate it against the
> country signer certificate (ICAO certificate).
> 5: Then the face picture is extracted from the passport/ID card, validated,
> and then put into an SVG converter.
> 6: You then use sliders on-screen to control how the JPEG/JPEG2000->SVG
> conversion process behaves, to make the face picture look as good as
> possible. The sliders' maximum and minimum values must of course be limited to
> prevent individuals from producing images that are too vague to be a true
> identification, but on the other hand allow enough customization so that very
> hairy, beardy or pimply people don't generate too huge SVG files and look
> good visually without too much SVG dithering.
> 7: After you are satisfied with the picture, you complete the purchase, and
> then you are given the generated SVG picture and PEM certificate to use in
> the a= parameter of the BIMI record.
>
> Since the CA is responsible for generating the SVG in this case, the process can
> be completely and fully automated, which means the price can be very cheap or
> low, like let's say about 50EUR per certificate, which will be valid until the
> passport's or ID card's expiration time.
> Or let's say 20EUR per year, but the maximum certificate length is until the
> passport or ID card expires.
> By having the CA do the JPEG/JPEG2000 to SVG conversion based on the
> electronic passport picture which is validated from the ICAO signature, there's no
> need for a face comparison process or biometric face identification, as the
> process is sourced from the face picture; thus, it's not possible to cheat or
> fake the process in any way.
>
> In addition, S/MIME certificates for individuals with full identity validation
> could be provided in a similar fully automated way with the same form of NFC
> scanning app.
> In this case, the data from the passport is used to fill in all applicable fields
> on a certificate.
> Since the data from the passport is already signed by the ICAO certificate, it's not
> possible to cheat or fake the data in any way.
> *******************************************************************
>
>
> Hopefully, a good process for both S/MIME and BIMI could be created, which
> requires no manual or human check, is fully automated, and poses no security
> consequences for the email world.
> Since the validation data would be sourced from an instance that already is
> vetted with an ICAO certificate, it could become a very secure solution, with
> no risk of fraudulent certificates.
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

--
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
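The thread's open question is whether "one DNS record per user" is workable for BIMI. The example below is added here and is not code from any participant in the thread: it shows how per-user records could be laid out as BIMI selectors (`<selector>._bimi.<domain>`, chosen by a `BIMI-Selector: v=BIMI1; s=...` header, as the BIMI draft describes), and how a receiver would look one up, parse the `v=`/`l=`/`a=` tags, and flag the cases that matter for the thread's security argument: a non-https logo URL, or a logo with no `a=` evidence document binding it to an identity. The domain names, URLs and the in-memory "zone" standing in for DNS TXT lookups are constructed for the example.

```python
"""
Added example (not from the mailop thread): per-user BIMI records as BIMI
selectors, with lookup and tag parsing on the receiving side.

Assumptions (not from the page): the names and URLs in ZONE are invented,
and ZONE stands in for real DNS TXT lookups so the example runs offline.
"""
from urllib.parse import urlparse

# Constructed stand-in for DNS: TXT record name -> TXT value.
# One record per user, each under its own BIMI selector.
ZONE = {
    "default._bimi.example.org":
        "v=BIMI1; l=https://example.org/logo.svg; a=https://example.org/vmc.pem",
    "alice._bimi.example.org":
        "v=BIMI1; l=https://example.org/u/alice.svg; a=https://example.org/u/alice.pem",
    # Deliberately weak record: plain http logo URL and no a= evidence document.
    "bob._bimi.example.org":
        "v=BIMI1; l=http://example.org/u/bob.svg",
}


def parse_bimi_record(txt):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        raise ValueError("missing or unsupported v= tag")
    return tags


def selector_from_header(header_value):
    """Extract s= from a 'BIMI-Selector: v=BIMI1; s=name' header; None if invalid."""
    try:
        return parse_bimi_record(header_value).get("s")
    except ValueError:
        return None


def lookup_bimi(domain, selector="default", zone=ZONE):
    """Fetch and parse the record at <selector>._bimi.<domain>, or None if absent."""
    txt = zone.get(f"{selector}._bimi.{domain}")
    return None if txt is None else parse_bimi_record(txt)


def evaluate(domain, bimi_selector_header=None, zone=ZONE):
    """
    Return (logo_url, vmc_url, problems) for a message from `domain`.

    The selector comes from the BIMI-Selector header when present and valid,
    otherwise "default". A non-https l= URL and a logo without an a=
    evidence document are reported as problems rather than used silently,
    since the a= certificate is what binds the logo to a vetted identity.
    """
    selector = selector_from_header(bimi_selector_header) if bimi_selector_header else None
    selector = selector or "default"
    record = lookup_bimi(domain, selector, zone)
    if record is None:
        return None, None, [f"no record at {selector}._bimi.{domain}"]
    logo = record.get("l", "")
    vmc = record.get("a", "")
    problems = []
    if logo and urlparse(logo).scheme != "https":
        problems.append("l= must be an https URL")
    if logo and not vmc:
        problems.append("no a= evidence document; logo is unauthenticated")
    return logo, vmc, problems


if __name__ == "__main__":
    for header in (None, "v=BIMI1; s=alice", "v=BIMI1; s=bob", "v=BIMI1; s=carol"):
        print(header, "->", evaluate("example.org", header))
```

With this layout, adding a user means publishing one more `<user>._bimi.<domain>` TXT record and having that user's outgoing mail carry the matching `BIMI-Selector` header; nothing about the domain's default record changes. A receiver that treats a missing `a=` as "show no logo" gets the behaviour the proposal relies on: the SVG alone never earns display, only the SVG plus its certificate does.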