Virtual Face to Face Meetings for ID-check


John Kewley, Jens Jensen
UK eScience CA

Virtual F2Fs
- Why are virtual F2Fs desirable?
- Virtual F2Fs for Re-Applications
- Virtual F2Fs for New requests
- Conclusions
- Proposal

Why Virtual F2Fs?
- The requirement to visit your local RA Operator can be a hurdle for new personal certificate requests for users at large (especially distributed) sites.
- Maintaining a large RA Operator network can be problematic.
- Being able to meet over a video link would be a major improvement.

Video ID checks
In the following circumstances being able to do a Video ID check would be preferable from the usability point of view (we’ll worry about LoA/security later):
- Bootstrapping a New RA
- There are no longer any RA Operators at a site
- User doesn’t work at the same site and rarely visits the site the RA Op is based at.
For very small sites it would reduce the requirement for having a separate RA, and training the RA Operators.

When Virtual F2Fs?
There are 2 cases for which a virtual meeting can be considered for a personal certificate:
- PhotoID check for a Re-Application
- PhotoID check for a New certificate

What is a Re-Application?
A Re-Application is the process of obtaining a personal certificate when you have previously held one with the same DN, but are not able to do a renew/rekey:
- Previous certificate has expired sufficiently long ago that it is outside any “grace” period [30 days for UK eScience CA]
- Previous certificate was revoked
So, basically the same as a New request except the RA Op already has a photocopy of the original PhotoID and MUST NOT issue a certificate with the same DN unless (s)he can guarantee that the requestor is the same person as in the original.

Re-Application by Video
For a Video meeting, the following would seem to give a similar LoA to that obtained by a physical face to face meeting:
- The meeting is over a high quality video link (at least sufficient to easily see/read the PhotoID).
- The PhotoID should be the SAME one as used originally, and hence should match the photocopy in the RA records.
- Applicant informs RA Op of the request ID, and the PIN of the CSR.
- Additional “evidence” needs recording: e.g. a screenshot of the PhotoID on which the RA Op writes the request number.
Therefore the RA Op can see the face of the person in the video meeting; it is the same face as on the photocopy in the records; the matching PhotoID is clearly in the hands of the applicant; and there is evidence that the CSR about to be approved was requested by this person.

So how about NEW requests?
Most of what is written above about Re-Application applies, but for a NEW request you need to identify more security features on the PhotoID. Such security features may vary from ID to ID, so suitable training in what is appropriate needs to be given. Also, using Staff IDs is unlikely to be sufficient. It also implies that the video link must be of a very high quality.

Asserted copy
The main difference between the requirements for a re-application F2F video meeting and those for a new application is proving that the PhotoID is genuine. One way to assert this would be for the requestor to take their PhotoID to an appropriate person (for instance a notary public) to copy, sign and stamp, and then post direct to the CA. This could then be used in parallel with the video meeting.

Conclusions
The provision of an appropriate Virtual F2F meeting for PhotoID checking would be a major improvement to the processes of many CAs. While we believe it is possible to ensure an appropriate level of assurance for a re-application, it would be considerably harder to do that for an initial application, at least without something else such as an asserted copy of that PhotoID.

Proposal
- We should encourage CAs to accept Re-applications over video link now and feed back any issues they find.
- We should allow video F2F meetings for new requests if accompanied by a trusted asserted copy of the PhotoID.
- At the next PMA meeting we should have a demo of how good an ID check can be done over an HQ video link in the absence of an asserted copy of the PhotoID.