> I envision this being a system for individual domains, ergo non-corporate 
> domain owners.
> For domains with a few users, then it would require a DNS record per user yes.

        That's interesting.  It is, of course, easy to automate the addition 
of DNS records, one per user, but then I suppose spammers might try 
to harvest those records to figure out which eMail accounts are on 
the system.

        I do think it would be better to use a common key that could be used 
to verify multiple signed user images, this way only one DNS record 
would need to be published and the user's eMail address could be used 
as part of the verification, sort of like how OpenVPN does this (I'm 
sketchy on these details, but I'm pretty sure this can be done).

        One of the big advantages of publishing just one record (or a few 
records representing different groups of users, such as by region, 
primary server, department, etc.) is DNS caching.

> For domains with many users, then it would be a corporation owning it, and 
> thus it would bear the logo for the corporation.

        Drawing a line would be arbitrary.  There are some families with 
large numbers of children (more than a dozen) that could count for 
more users than the total staff at many small companies (e.g., less 
than 10 employees).  Add to that, non-profit organizations, which 
many people might be inclined to consider as a sort of middle-ground.

        I think that an arbitrary number of people would make things more 
complicated than simply requiring a designation at the time of 
application, such as Family, Non-Profit, Corporation, Government, 
Military, Educational Institution, etc.

        The best would probably be to just keep it simple with a separate 
"Individual" designation.

> -----Original message-----
> From: Randolf Richardson, Postmaster via mailop <mailop@mailop.org> 
> Sent: 15 January 2024 02:46
> To: Mailop <mailop@mailop.org>
> Subject: Re: [mailop] Displaying logos
> 
>       Let's Encrypt style automation will be necessary with a large userbase, 
> and even with a small userbase it will be very helpful.
> 
>       How do you envision the DNS records being set up?  Should there be one 
> DNS record for each user, or a shared DNS record with some sort of a 
> cryptographic fingerprint that validates all users within the given domain?
> 
> > I have sent this to Digicert and Entrust in a hope of creating a simple 
> > certification BIMI process for individuals.
> > If this process becomes standardized, it could gain the same traction as 
> > Let's Encrypt and eventually become free.
> > 
> > Remember how StartSSL had cheap code signing and SSL wildcard certificates 
> > for individuals?
> > 
> > *******************************************************************
> > I have a product suggestion, which is some sort of VMC / BIMI for 
> > individuals.
> > That could make use of a cheap and fully automated validation process, 
> > which could then have a very low price, as no human needs to be involved to 
> > verify an association, business or trade mark.
> > 
> > Here is my idea on how it could work:
> > 1: You go to the app store and download a specific app - "Digicert VMC for 
> > Individuals" or "Entrust VMC for Individuals", Or you both could 
> > collaborate on a joint app regardless of where the certificate is purchased.
> > 2: You scan a QR code on-screen.
> > 3: You scan your own passport or national ID card with your NFC scanner on 
> > phone.
> > 4: This will extract all data from the passport and validate it against the 
> > country signer certificate (ICAO certificate).
> > 5: Then the face picture is extracted from the passport/ID card, validated, 
> > and then put into a SVG converter.
> > 6: You then use sliders on-screen to control how the JPEG/JPEG2000->SVG 
> > conversion process behaves, to make the face picture look as good as 
> > possible. The sliders' maximum and minimum values must of course be limited 
> > to prevent individuals from producing images that are too vague to be a true 
> > identification, but on the other hand allow enough customization so very 
> > hairy, beardy or pimply people don't generate too huge SVG files and look 
> > good visually without too much SVG dithering.
> > 7: After you are satisfied with the picture, you complete the purchase, and 
> > then you are given the generated SVG picture and PEM certificate to use in 
> > the a= parameter of the BIMI record.
> > 
> > Since the CA is responsible for generating the SVG in this case, the process 
> > can be completely and fully automated, which means the price can be very 
> > cheap or low, like let's say about 50EUR per certificate, which will be 
> > valid until the passport's or ID card's expiration time.
> > Or let's say 20EUR per year, but the maximum certificate length is until the 
> > passport or ID card expires.
> > By having the CA do the JPEG/JPEG2000 to SVG conversion based on the 
> > electronic passport picture which is validated from the ICAO signature, there's 
> > no need for a face comparison process or biometric face identification, as 
> > the process is sourced from the face picture; thus it's not possible to 
> > cheat or fake the process in any way.
> > 
> > In addition, SMIME certificates for individuals with full identity 
> > validation could be provided in a similar fully automated way with the same 
> > form of NFC scanning app.
> > In this case, the data from passport is used to fill in all applicable 
> > fields on a certificate.
> > Since the data from the passport is already signed by the ICAO certificate, it's not 
> > possible to cheat or fake the data in any way.
> > *******************************************************************
> > 
> > 
> > Hopefully, a good process for both SMIME and BIMI could be created, which 
> > requires no manual or human check, is fully automated, and poses no security 
> > consequences for the email world.
> > Since the validation data would be sourced from an instance that already is 
> > vetted with an ICAO certificate, it could become a very secure solution, 
> > with no risk of fraudulent certificates.
> > 
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
> 
> 
> --
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, British Columbia, Canada
> https://www.inter-corporate.com/
> 
> 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
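The shared-key arrangement sketched in the reply above (one published record per domain, a single domain key, and the user's eMail address bound into each signed image) can be made concrete. The following is an added example written for this thread; it is not code from any poster, from BIMI, or from a CA. The record name (something like _bimiuser.example.com), the tags v=, k= and p=, and the message layout that is signed are all assumptions made for the illustration, not standardised fields.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// recordVersion is a hypothetical version tag for the single per-domain
// record. It is an assumption for this example, not a BIMI or DMARC tag.
const recordVersion = "BIMIUSER1"

// DomainTXT renders the one TXT record a domain would publish (at an assumed
// name such as _bimiuser.example.com). No per-user names exist, so there is
// nothing per mailbox to look up, and the single record caches well.
func DomainTXT(pub ed25519.PublicKey) string {
	return fmt.Sprintf("v=%s; k=ed25519; p=%s",
		recordVersion, base64.StdEncoding.EncodeToString(pub))
}

// parseTXT extracts the domain public key, rejecting unknown versions or
// key types rather than guessing.
func parseTXT(txt string) (ed25519.PublicKey, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	if tags["v"] != recordVersion || tags["k"] != "ed25519" {
		return nil, errors.New("unsupported record")
	}
	raw, err := base64.StdEncoding.DecodeString(tags["p"])
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("bad public key")
	}
	return ed25519.PublicKey(raw), nil
}

// normalizeAddress lowercases only the domain part; the local part is kept
// as given because RFC 5321 treats it as case-sensitive.
func normalizeAddress(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return addr
	}
	return addr[:at] + "@" + strings.ToLower(addr[at+1:])
}

// signedMessage binds the mailbox address to the image digest, so one domain
// key can sign many user images while no signature is reusable for another
// mailbox or another image. The layout is an assumption for this example.
func signedMessage(addr string, svg []byte) []byte {
	digest := sha256.Sum256(svg)
	var buf bytes.Buffer
	buf.WriteString(recordVersion)
	buf.WriteByte(0)
	buf.WriteString(normalizeAddress(addr))
	buf.WriteByte(0)
	buf.Write(digest[:])
	return buf.Bytes()
}

// SignUserImage is run by the domain owner for each user's SVG.
func SignUserImage(priv ed25519.PrivateKey, addr string, svg []byte) []byte {
	return ed25519.Sign(priv, signedMessage(addr, svg))
}

// VerifyUserImage is run by the receiving side with the domain's TXT record,
// the sender address of the message, the fetched SVG, and the signature.
func VerifyUserImage(txt, addr string, svg, sig []byte) bool {
	pub, err := parseTXT(txt)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, signedMessage(addr, svg), sig)
}

func main() {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed demo seed
	priv := ed25519.NewKeyFromSeed(seed)
	txt := DomainTXT(priv.Public().(ed25519.PublicKey))
	svg := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>`)
	sig := SignUserImage(priv, "alice@Example.com", svg)
	fmt.Println(VerifyUserImage(txt, "alice@example.com", svg, sig))           // true
	fmt.Println(VerifyUserImage(txt, "bob@example.com", svg, sig))             // false: other mailbox
	fmt.Println(VerifyUserImage(txt, "alice@example.com", append(svg, ' '), sig)) // false: image changed
}
```

The receiver needs exactly one DNS lookup per sending domain regardless of how many users it has, which is the caching advantage the reply mentions, and because the address is part of what is signed, a signature issued for one mailbox cannot be presented for another.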

