To proof-of-human and some UUID you only need valid signature on passport data.

lxgr · 2025-06-25T18:16:47 1750875407

That only proves that a given human exists and was issued a given passport, not that that passport is actually present. For that you do need active or chip authentication, but only the former yields a signature that third parties can validate.

Even then, authorization is completely missing from the ICAO model – it's for authentication of identity documents only. It's explicitly not intended for "proof of humanity", since that requires authorization too, or it'd be vulnerable to any attacker that can briefly tap your identity document with their phone.

That's one of the reasons why active authentication was deprecated, presumably: Signatures without document owner authorization can be misleading/interpreted as confirming intent, not just document existence.

SXX · 2025-06-25T18:23:07 1750875787

To be honest I was thinking more about it more as just measure for anti-spam and limiting bots, but obviously it will only work for certain audiences since in countries like UK like 20-25% of people simply dont hold the passport at all. I can guess in US a lot of people only have driver licenses too.

lxgr · 2025-06-25T18:31:43 1750876303

> I was thinking more about it more as just measure for anti-spam and limiting bots

It won't help with that at all, since without requiring active involvement of some credential or trusted party, all there is is a static signature saying "there's a person called $name born on $dob", but nothing saying "and that person wants to <send an email|register an account|...>".

There is a way to use ICAO documents supporting "Active Authentication" in such a way, and I've seen proofs of concept leveraging it, but it was an unintentional consequence of using RSA signatures for authentication and fixed/removed in newer cards.