IV certificates (both server and code) via automated NFC passport/ID validation

What about IV certificates via completely automated validation? IV certificates are like OV certificates but contain an individual instead of an organization.

Even if the resulting certificate had a short validity of just 90 days, the actual IV validation could remain valid in the system for something like 1 year, meaning each automated certbot renewal would continue to carry the IV validation details until the IV data expired.

But also a code cert along with that, valid for 1 year. (Code certs need to have a long validity, as reputation on code certs is based on their hash; a new certificate will “reset” the SmartScreen reputation.)

Here is how:
First, you do a normal certbot request, but set a flag that you want an individual certificate.
Then you need to do both the automated certbot validation and a manual passport verification.

And here is how:
Either you connect an NFC reader to the computer, or you download an app to the phone. This protocol would be completely open-source, and anyone could write a passport/ID validation library.

After that, you will have to enter all the details required to “unlock” the passport/ID, either by scanning the MRZ or by entering the passport/ID serial, expiry date and birth date.

Then you scan the passport with the mobile phone or NFC reader. All the details will then be transferred to Let's Encrypt.
The requirement for validation could be that the passport may NOT expire any earlier than 1 year from the current date.

Then Let's Encrypt simply does this validation via an automatic process, by validating the signature on the passport data against the “country signer certificate database” from ICAO, and also doing dynamic data authentication with the passport to ensure it hasn't been copied.

Any ID which has an NFC chip whose issuer certificate is in ICAO's database of country certificates could be accepted for validation.

And no, it's NOT like a photo of a passport. It's digitally signed data from the issuer of the passport, making it completely impossible to fake or spoof in any way, thus I think the CA/Browser Forum would accept “automatic passport validation” for individual authentication.

(If scanning the passport in an automated self-check-in passport gate is accepted for immigration into a country, I don't think it's a problem to issue a certificate on that data.)
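The “unlock” step of the proposal (scan the MRZ, check it, derive the keys that let a reader talk to the chip, then apply the “must not expire within a year” rule) can be shown concretely. The following is an added example and is not code from the original post or from Let's Encrypt: it parses the second line of a TD3 passport MRZ, verifies every check digit, derives the ICAO 9303 Basic Access Control (BAC) keys from the MRZ information, and implements the proposed expiry policy. It uses only the Python standard library. The document number, birth date and expiry date are the worked example from ICAO Doc 9303 Part 11; the rest of the TD3 line (nationality, sex, optional data) is constructed for this example, and the century-expansion rule for two-digit MRZ years is an assumption made here. Note that BAC only protects the read from the chip; the signature check against the CSCA and the active/dynamic authentication the post describes are separate steps not shown here.

```python
# Added example (not from the original post or from Let's Encrypt): MRZ parsing,
# check-digit verification, ICAO 9303 BAC key derivation, and the post's
# proposed "must not expire within one year" rule. Standard library only.
# MRZ fields come from the ICAO Doc 9303 Part 11 worked example
# (document L898902C<, birth 690806, expiry 940623); the rest of the
# TD3 line is constructed here.
import hashlib
from datetime import date, timedelta

WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Numeric value of an MRZ character: digits as-is, A-Z = 10..35, '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weighted sum (weights 7,3,1 repeating) modulo 10."""
    total = sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def parse_td3_line2(line: str) -> dict:
    """Split the second line of a TD3 (passport) MRZ and verify every check digit,
    so a camera misread is rejected before any key is derived from it."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be 44 characters")
    fields = {
        "doc_number": line[0:9],
        "birth_date": line[13:19],
        "expiry_date": line[21:27],
        "optional": line[28:42],
    }
    for name, digit in (("doc_number", line[9]), ("birth_date", line[19]),
                        ("expiry_date", line[27]), ("optional", line[42])):
        if check_digit(fields[name]) != digit:
            raise ValueError(f"check digit mismatch in {name}")
    # Composite check digit covers doc number+check, DOB+check, expiry..optional+check.
    if check_digit(line[0:10] + line[13:20] + line[21:43]) != line[43]:
        raise ValueError("composite check digit mismatch")
    return fields


def mrz_line_is_valid(line: str) -> bool:
    """Convenience wrapper: True if every check digit in the line verifies."""
    try:
        parse_td3_line2(line)
        return True
    except ValueError:
        return False


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """MRZ_information as defined in 9303-11: each field followed by its check digit."""
    return "".join(f + check_digit(f) for f in (doc_number, birth_date, expiry_date))


def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (the 3DES key convention 9303 specifies)."""
    out = bytearray()
    for b in key:
        ones = bin(b & 0xFE).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def derive_bac_keys(mrz_info: str) -> dict:
    """Kseed = SHA-1(MRZ_information)[:16]; Kenc/Kmac = SHA-1(Kseed || 00000001/2)[:16],
    parity adjusted. These keys only authorise reading the chip over NFC."""
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    kenc = adjust_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x01").digest()[:16])
    kmac = adjust_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x02").digest()[:16])
    return {"kseed": kseed, "kenc": kenc, "kmac": kmac}


def _as_date(d) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


def mrz_date(yymmdd: str, reference) -> date:
    """Expand a YYMMDD MRZ date to the century closest to `reference`.
    This pivot rule is an assumption for the example; the chip's data
    groups carry the full date and would be used in practice."""
    reference = _as_date(reference)
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])
    year = (reference.year // 100) * 100 + yy
    if year < reference.year - 50:
        year += 100
    elif year >= reference.year + 50:
        year -= 100
    return date(year, mm, dd)


def expiry_acceptable(expiry_date: str, today, min_remaining_days: int = 365) -> bool:
    """The post's proposed policy: refuse documents that expire within a year."""
    today = _as_date(today)
    return mrz_date(expiry_date, today) >= today + timedelta(days=min_remaining_days)


# Constructed TD3 second line built around the 9303-11 example fields.
SAMPLE_LINE2 = "L898902C<3UTO6908061F9406236" + "<" * 14 + "02"

if __name__ == "__main__":
    f = parse_td3_line2(SAMPLE_LINE2)
    keys = derive_bac_keys(mrz_information(f["doc_number"], f["birth_date"], f["expiry_date"]))
    print({k: v.hex().upper() for k, v in keys.items()})
    print("expiry ok on 1993-01-01:", expiry_acceptable(f["expiry_date"], "1993-01-01"))
```

The check digits matter in practice: a single misread character in the document number yields different BAC keys and the chip simply refuses to talk, so rejecting the line early gives the user a clear “rescan” error instead of an opaque NFC failure. The expiry rule is evaluated against a supplied reference date so that a policy change (for example a 6-month minimum) is a one-argument change.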

How is a passport related to a domain?

How does owning a certain NFC device prove that you can issue certificates for my domains, for example?

Andrei

It can be used to validate the identity of the (individual) owner, as OV or EV certs validate the identity of the organizational owner. An issue I see is that anyone who steals the passport can now, even more effectively, steal the passport holder’s identity.

I have a passport with a chip.

I then have 17 domains. How does the fact that I have a passport in any way relate to domains?

Sure, I can add a custom record to my domains that is linked to my passport somehow cryptographically, but then you are just inventing another standard for the sake of it.

This isn't intended to replace domain validation, but to provide a higher assurance status (e.g. a higher validation level) for certificates. Domain validation would still be required in addition.

Currently, EV certificates are not allowed for individuals, only registered companies, but in the future the CA/B Forum might open up EV certificates for individuals without a company, and then this could be a validation method. (It would be pretty nice to have the green bar with your IRL first name/last name in it.)

Also, this was suggested as an idea to provide code certificates for free via automated validation as well.

There is some kind of elaborate identity infrastructure in Estonia that it feels like this might be a good match for. Do you know anyone who works on that? Maybe an Estonian entity could provide a proof of concept for this kind of mechanism. (I’m not mentioning Estonia arbitrarily; they seem to have a huge investment in online electronic identity and digital signatures, and a lot of infrastructure in place.)

I don’t think Let’s Encrypt will pursue this actively right now, but as I suggested in another thread about “automated EV”, it’s not completely impossible in the future if other people provide proofs of concept and work out industry rules to enable it (and I don’t think we want to discourage experimentation with new PKI services in any way!).

In France too: https://franceconnect.gouv.fr/ [French]

Delegated to third parties. For example, with the postal service, the postman comes to your house and asks for an official ID (passport or national ID card) and your signature to validate your account.
