Well Sebastian you clearly know the technical specifications at a level far deeper than I do. That's not where I was heading. Sorry if I wasn't clear.

The key point of my post was less on how the scans/verifications get done technically, and more that if you need to verify identity for a personal BIMI certificate, there are secure and well-established combined identity document and facial scan-based workflows, so no need to reinvent the wheel there.

Best of luck on your personal BIMI certificate initiative.

BTW, in a recent conversation I had with one of the BIMI Working Group members, I was told that the primary reason for BIMI was to motivate larger companies that care about their brand identity (and which send a lot of email, and which are attractive to bad actors as companies to spoof) to deploy DMARC faster.

Regards,
Mark

--
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs
Winner of the Zimbra Americas VAR Partner of the Year - Two Years Running !

----- Original Message -----
| From: "Sebastian Nielsen via mailop" <[email protected]>
| To: "Mailing List" <[email protected]>
| Sent: Wednesday, November 19, 2025 3:38:21 PM
| Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?

| Wrong. The passport scan uses something called NFC, 13.56 MHz.
|
| You scan the 2 data lines (called the MRZ). Scanning the MRZ is just for convenience; it would be as secure as if you keyed in the MRZ on the phone's keyboard.
| You can also key in the number written as "CAN" on the passport, which acts as a "PIN code" to unlock the passport.
|
| The MRZ or CAN is then used to calculate a decryption key (PACE), which is then used to "authenticate" against the NFC chip inside the passport.
| This authentication is to prevent someone from scanning your passport through the pocket or bag.
|
| The NFC chip contains all the information visible on the passport, including picture and signature.
| This information is then signed using a certificate, which is signed by your country (government).
| Also on the passport, there is a second certificate, signed by the passport's certificate, for which the NFC chip possesses the private key. (This certificate is DIFFERENT from the certificate used to sign the passport details.)
| This second certificate can then be used to perform challenge-response validation against the passport by asking the passport to sign a random blob of data to guarantee it has not been duplicated into 2 identical passports.
|
| This is an extremely secure process, that makes it impossible to send in a fraudulent passport for validation.
| If you want to try out this process for yourself, try this app:
| https://play.google.com/store/apps/details?id=nl.innovalor.nfciddocshowcase
|
| -----Original message-----
| From: L. Mark Stone via mailop <[email protected]>
| Sent: 19 November 2025 21:27
| To: Mailing List <[email protected]>
| Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?
|
| FWIW,
|
| The (mobile) apps I've used which require a passport and a facial photograph require the user, in the mobile app, first to use the app to scan the passport (like when doing a mobile deposit of a check) and then immediately thereafter, use the mobile device's camera to take a selfie.
|
| The passport scan to my understanding includes verification of reflective and other anti-fraud features of most passports, so no possibility of using a pre-existing photo of one's passport (I tried, as I didn't have my passport handy but keep a photo of it that I printed out).
|
| The selfie scan requires you to move your face up, down and around in a circle, so no possibility of using a pre-existing photo of a face with a stolen passport.
|
| The app's Mothership then compares the passport scan to the facial photograph and says pass or fail.
|
| I had to do this when signing up for Clear for example. Same workflow when I took my AWS certification exams remotely. Seems standard.
|
| Regards,
| Mark
|
| --
| _________________________________________________________________
| L. Mark Stone, Founder
| North America's Leading Zimbra VAR/BSP/Training Partner
| For Companies With Mission-Critical Email Needs
| Winner of the Zimbra Americas VAR Partner of the Year - Two Years Running !
|
| ----- Original Message -----
|| From: "Sebastian Nielsen via mailop" <[email protected]>
|| To: "Mailing List" <[email protected]>
|| Sent: Wednesday, November 19, 2025 1:19:54 PM
|| Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?
|
|| I sent the CA/B group 2 proposed validation possibilities:
||
|| 1: Either that you must supply BOTH passport and ID card in MRTD format. This is a method that was used by StartSSL to prevent using stolen ID card documents to acquire a certificate.
|| The thought behind this is that if you pickpocket someone on the street, you are only gonna get EITHER passport or ID card, thus not being able to do full validation.
|| (StartSSL didn't require electronic ID cards however, it was fine with a scanned driver's license, but the intention behind "at least TWO ID documents" was to curb theft of ID documents since they didn't do any face scan or live validation via webcam meeting)
|| Locking this to only electronic ID documents (NFC readable passport and ID card) makes it even more secure.
||
|| 2: Or a biometric automated face scan.
||
|| I personally think both are okay to validate someone's identity.
|| It's something that can be discussed in the CA/B group how to do really securely.
||
|| Requiring two subsequent validations within a specific time period - let's say at least 48 hours between - can also increase security, as it increases the time a thief must maintain control of the ID documents, and thus risks getting caught or the ID documents being blocked by the government because the owner reported them stolen.
||
|| Best regards, Sebastian Nielsen
||
|| -----Original message-----
|| From: Andrew C Aitchison via mailop <[email protected]>
|| Sent: 19 November 2025 18:51
|| To: Sebastian Nielsen via mailop <[email protected]>
|| Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?
||
|| On Wed, 19 Nov 2025, Sebastian Nielsen via mailop wrote:
||
||> I feel it should be very feasible as with a good vectorization tool you can actually get a good output as you see here:
||> https://sebbe.eu/bimi/face.svg
||>
||> And to guarantee genuineness and facilitate fully automated validation (which drives down the prices of the certificates) the passport picture can be extracted from an MRTD or a "national ID card" ('passport in credit card format') and then if a good normalization algorithm and vectorization algorithm is applied to convert the passport picture to the SVG, then the CA can be sure that the picture is correct without having to visually compare the face pictures with each other.
||
|| How long would I need to borrow a machine readable travel document for in order to get a personal certificate with someone's face on it ?
||
||> Which makes fully automated validation a possibility with a mobile app, NFC and an MRTD.
||
|| Sorry, are you automating the issuing of a personal certificate, or using it to verify that the person in front of you is the certificate holder (or the passport-holder) ?
||
|| When I last used my passport online, my phone looked at me and my passport under multiple lighting conditions. Unless the CA does the same, I fear a reduction in security.
||
||> The algorithm has to however, be able to automatically add optimizations to the color profile to ensure the resultant SVG is below 32 kB.
||>
||> -----Original message-----
||> From: Al Iverson via mailop <[email protected]>
||> Sent: 19 November 2025 17:26
||> To: Mailing List <[email protected]>
||> Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?
||>
||> And separately, I'll put this on the wish list of stuff that I'll bring up in discussions with others in the BIMI Group. I love the idea of a "personal mark certificate," though I don't know how feasible it is. I'm in the same boat as you, in that I'm not really a company, but I'd love to implement BIMI as broadly as possible.
||>
||> Cheers,
||> Al Iverson
||>
||> On Tue, Nov 18, 2025 at 4:02 PM Todd Herr via mailop <[email protected]> wrote:
||>>
||>> On Tue, Nov 18, 2025 at 4:44 PM Sebastian Nielsen via mailop <[email protected]> wrote:
||>>>
||>>> Is there a way to send suggestions to CA/B forum to implement a personal VMC certificate?
||>>>
||>>
||>> According to https://cabforum.org/about/email-lists/, Questions from the public may be submitted by email to the Questions list at [email protected].
||>>
||>> --
||>> Todd
||>>
||>> _______________________________________________
||>> mailop mailing list
||>> [email protected]
||>> https://list.mailop.org/listinfo/mailop
||>
||> --
||>
||> Al Iverson // 312-725-0130 // Chicago
||> http://www.spamresource.com // Deliverability
||> http://www.aliverson.com // All about me
||> https://xnnd.com/calendar // Book my calendar
||
|| --
|| Andrew C. Aitchison Kendal, UK
|| [email protected]
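Sebastian's point above that a scanned MRZ is no more secure than a keyed-in one, and that the MRZ or the printed CAN is turned into the key that unlocks the chip, maps directly onto the key derivation in ICAO Doc 9303 Part 11. The Python below is an added example written for this page; it is not code from this thread, from the Innovalor app linked above, or from any passport reader. It computes the 7-3-1 check digits of the MRZ, validates a passport (TD3) second line, builds MRZ_information, derives the BAC keys K_enc/K_mac from it, and derives the PACE password key K_pi from either the MRZ or a CAN. The sample MRZ line and the BAC key values are the ICAO specimen data; the CAN "123456" is constructed. It stops at the access keys: the nonce exchange and Diffie-Hellman that follow in PACE, the signature check on the chip's data (the country-signed certificate Sebastian describes) and the challenge-response against the chip's own key pair are not shown.

```python
"""MRZ check digits and the BAC / PACE access keys derived from the MRZ or CAN
(ICAO Doc 9303 Part 11). Added example, not code from the mailop thread or any
passport product. Sample MRZ line and BAC values: ICAO specimen; CAN: constructed."""
import hashlib

WEIGHTS = (7, 3, 1)


def mrz_check_digit(field: str) -> int:
    """Weighted sum mod 10: digits count as their value, A..Z as 10..35,
    the filler '<' as 0; the weights 7, 3, 1 repeat across the field."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """MRZ_information = document number (filled to 9 chars with '<') + check digit
    + birth date YYMMDD + check digit + expiry date YYMMDD + check digit.
    This string is all the reader needs, whether it was scanned or typed in."""
    doc = doc_number.ljust(9, "<")
    return "".join(f"{f}{mrz_check_digit(f)}" for f in (doc, birth_date, expiry_date))


def parse_td3_line2(line: str) -> dict:
    """Parse the 44-character second MRZ line of a passport (TD3) and verify every
    check digit, including the composite one over positions 1-10, 14-20 and 22-43."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    doc, birth, expiry, optional = line[0:9], line[13:19], line[21:27], line[28:42]
    checks = [
        mrz_check_digit(doc) == int(line[9]),
        mrz_check_digit(birth) == int(line[19]),
        mrz_check_digit(expiry) == int(line[27]),
        # the optional-data check digit may be '<' only when that field is unused
        (line[42] == "<" and optional == "<" * 14)
        or (line[42].isdigit() and mrz_check_digit(optional) == int(line[42])),
        mrz_check_digit(line[0:10] + line[13:20] + line[21:43]) == int(line[43]),
    ]
    return {
        "document_number": doc.rstrip("<"), "nationality": line[10:13],
        "birth_date": birth, "sex": line[20], "expiry_date": expiry,
        "optional_data": optional.rstrip("<"),
        "mrz_information": line[0:10] + line[13:20] + line[21:28],
        "valid": all(checks),
    }


def _odd_parity(key: bytes) -> bytes:
    """Force each byte to odd parity, as DES key bytes are expected to have."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        out.append(high | (0 if bin(high).count("1") % 2 else 1))
    return bytes(out)


def kdf(k: bytes, counter: int, cipher: str = "3des") -> bytes:
    """KDF(K, c) = H(K || c), c a 32-bit big-endian counter: SHA-1 truncated to
    16 bytes for 3DES and AES-128, SHA-256 for AES-192/256."""
    data = k + counter.to_bytes(4, "big")
    if cipher == "3des":
        return _odd_parity(hashlib.sha1(data).digest()[:16])
    if cipher == "aes128":
        return hashlib.sha1(data).digest()[:16]
    if cipher == "aes192":
        return hashlib.sha256(data).digest()[:24]
    if cipher == "aes256":
        return hashlib.sha256(data).digest()
    raise ValueError(f"unknown cipher {cipher!r}")


def bac_keys(mrz_info: str) -> tuple:
    """Basic Access Control: K_seed = SHA-1(MRZ_information)[:16];
    K_enc = KDF(K_seed, 1) and K_mac = KDF(K_seed, 2), both 3DES keys."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return kdf(k_seed, 1), kdf(k_seed, 2)


def pace_password_key(password: str, kind: str, cipher: str = "aes128") -> bytes:
    """PACE: K_pi = KDF(f(pi), 3). For the MRZ password f(pi) = SHA-1(MRZ_information);
    for the CAN printed on the data page f(pi) is the CAN itself as ASCII bytes.
    K_pi is only used to decrypt the nonce the chip sends at the start of PACE."""
    if kind == "mrz":
        f_pi = hashlib.sha1(password.encode("ascii")).digest()
    elif kind == "can":
        f_pi = password.encode("ascii")
    else:
        raise ValueError(f"unknown password kind {kind!r}")
    return kdf(f_pi, 3, cipher)


SAMPLE_TD3_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"  # ICAO specimen line
SAMPLE_CAN = "123456"  # constructed; a real CAN is printed on the data page

if __name__ == "__main__":
    print(parse_td3_line2(SAMPLE_TD3_LINE2))
    info = mrz_information("L898902C", "690806", "940623")  # Doc 9303 Part 11 worked example
    k_enc, k_mac = bac_keys(info)
    print(info, k_enc.hex(), k_mac.hex())
    # L898902C<369080619406236 ab94fdecf2674fdfb9b391f85d7f76f2 7962d9ece03d1acd4c76089dce131543
    print(pace_password_key(info, "mrz").hex(), pace_password_key(SAMPLE_CAN, "can").hex())
```

The check digits are what make a hand-typed MRZ safe to use: a mistyped character fails validation before any key is derived, and the derived K_enc/K_mac or K_pi is the same bytes either way, which is why the chip cannot tell a scan from a keyboard entry. Note that the key space is the MRZ fields themselves (document number, birth date, expiry), so anyone who has seen the data page has the access secret; the chip's signed data and its challenge-response key pair, not this access key, are what bind the chip to the issuing state.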
