What about IV certificates via completely automated validation? IV certificates are like OV certificates but contain an individual instead of an organization.
Even if the resulting certificate only had a short validity of just 90 days, the actual IV validation could remain valid in the system for about 1 year, meaning each automated certbot renewal would continue to carry the IV validation details until the IV data expires.
And also a code-signing cert along with that, valid for 1 year. (Code certs need to have a long validity, as reputation on code certs is based on their hash; a new certificate will “reset” the SmartScreen reputation.)
Here is how:
First, you do a normal certbot request, but set a flag that you want an individual certificate.
Then you need to do both the automated certbot validation and a manual passport verification.
And here is how:
Either you connect an NFC reader to the computer, or you download an app to the phone. This protocol is then completely open source and anyone can write a passport/ID validation library.
After that, you will have to enter all details required to “unlock” the passport/ID, either by scanning the MRZ or by entering the passport/ID serial, expiry and birth date.
Then you scan the passport with the mobile phone or NFC reader. All the details will then be transferred to Let's Encrypt.
The requirement on validation could be that the passport may NOT expire any earlier than 1 year from the current date to be valid.
Then Let's Encrypt simply does this validation via an automatic process, by validating the signature on the passport data via the “Country Signer Certificate database” from ICAO, and also doing a dynamic data authentication with the passport to ensure it hasn't been copied.
Any ID which has an NFC chip whose issuer certificate is in ICAO's database of country certificates could be accepted as validation.
And no, it's NOT like a photo of a passport. It's digitally signed data from the issuer of the passport, making it completely impossible to fake or spoof in any way, thus I think the CA/Browser Forum would accept “automatic passport validation” for individual authentication.
(If scanning the passport in an automated self-check-in passport gate is accepted to immigrate into a country, I don't think it's a problem to issue a certificate on that data.)
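The “unlock” step described above (scanning the MRZ or typing in the document number, date of birth and expiry date) is Basic Access Control from ICAO Doc 9303 Part 11: the reader derives 3DES session-setup keys from those three MRZ fields plus their check digits, and the chip only releases its data groups to a reader that knows them. The following Python implementation of that derivation is an added example, not code from the original post or from Let's Encrypt; the function names are my own, and it is checked against the worked example published in Appendix D of ICAO 9303 Part 11. It also includes the “at least one year of validity remaining” rule proposed in the post as a small date check (the caller resolves the two-digit MRZ year into a full date). The signature check against the ICAO CSCA database (passive authentication) and the anti-cloning challenge (active authentication) are separate steps not shown here.

```python
import hashlib
from datetime import date

# ICAO 9303 check-digit weights cycle 7, 3, 1 over the field characters.
_WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Map one MRZ character to its check-digit value: digits as-is, A..Z = 10..35, '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: weighted sum of character values, modulo 10."""
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Build MRZ_information = docnum|cd|DOB|cd|expiry|cd, the input to the BAC key seed.

    doc_number is padded with '<' to 9 characters; dates are YYMMDD as printed in the MRZ.
    """
    if not (len(birth_date) == 6 and birth_date.isdigit()):
        raise ValueError("birth_date must be YYMMDD")
    if not (len(expiry_date) == 6 and expiry_date.isdigit()):
        raise ValueError("expiry_date must be YYMMDD")
    doc_number = doc_number.upper().ljust(9, "<")
    return "".join(f"{p}{mrz_check_digit(p)}" for p in (doc_number, birth_date, expiry_date))


def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """3DES key derivation from 9303 Part 11: SHA-1(K_seed || c), first 16 bytes, parity-adjusted."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])


def bac_keys(doc_number: str, birth_date: str, expiry_date: str):
    """Return (K_seed, K_enc, K_mac) derived from the three MRZ fields.

    K_seed = SHA-1(MRZ_information)[:16]; K_enc uses counter 1, K_mac uses counter 2.
    """
    info = mrz_information(doc_number, birth_date, expiry_date)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)


def meets_expiry_margin(expiry: date, today: date, min_days: int = 365) -> bool:
    """The rule proposed in the post: the document must not expire within the next year."""
    return (expiry - today).days >= min_days


if __name__ == "__main__":
    # Test vector from ICAO 9303 Part 11, Appendix D (not a constructed value):
    # document number L898902C, born 1969-08-06, expires 1994-06-23.
    seed, enc, mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C", "690806", "940623"))
    print("K_seed:", seed.hex().upper())
    print("K_enc :", enc.hex().upper())
    print("K_mac :", mac.hex().upper())
    print("one-year margin ok:", meets_expiry_margin(date(1994, 6, 23), date(2025, 1, 1)))
```

Note that BAC keys are derived from data printed in the document, so anyone who can read the data page can also read the chip; modern documents add PACE for the same purpose, and neither step proves the document is genuine. That proof comes from verifying the Document Security Object's signature up to the issuing country's CSCA certificate and, where supported, from active or chip authentication against a cloned chip.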