Online certification check?

  • Is there a page where one can put the UUID of a certificate and get something like "John Foo - Certified specialist - passed the exam on 01.12.1994"?

    I think it could be useful, and moreover relax the problem of waiting for the printed certificate -- Nokia could just send people the UUID by email immediately.

  • Online look-up is a good idea, but not that straightforward to get done. We have to be careful concerning privacy. I expect there are people who do not like to be publicly listed nor looked up. Nevertheless, we have an online check on our "wish list" or better to say "do next when time allows" list. (PS. UUID is printed on the certificate. So it does not help to resolve this chicken-n-egg problem...)

  • It would help, it would just not be a complete solution. If you add in sending a PDF version of the certificate by email (or, even simpler, just a confirmation email that also contains the UUID; as suggested by peppe), then you would indeed solve the issue of non-arriving or very late certificates. However, as you say, there are privacy issues involved.

    Not sure how to solve that. If the ID is hard enough to guess (non-sequential would be a good start) and some precautions are taken to limit the number of invalid UUIDs that can be looked up, then I think it would be reasonable to have such a lookup service. Perhaps that email could even contain a link that enables the owner of the certificate to enable and disable him being listed on that page?

  • I think when seen as a verification service this could comply with privacy concerns. There might be additional requirements added, like: besides the UUID, the name and the issue date have to be specified, and the return value is just valid / invalid.

    One might assume that as soon as I publish the UUID of the certificate (for example to a prospective employer) along with personal data I comply with using this data to verify the exam.

  • We originally were thinking of something like this:

    1. There is a mask, where one can enter your NQT ID and a field for an email address to send the query results to, plus a captcha field.

    2. When the form has been submitted, the person with that NQT ID gets an email saying that somebody asked to send his/her exam results to the email address XYZ. If it is ok, please select this link.

    3. If the link is clicked, an email is sent to the address XYZ, saying something like "we confirm that John Doe with NQT ID has passed following exams: YYY, ZZZ"

    So if you like to have confirmation sent to somebody, you just give that person your NQT ID and the link for the query.

    The same system could be used to build up a public directory of all people who like to be listed on our web as certified developers/specialists.

    Again, this is just an idea. Unfortunately, we currently do not have any time to start working on this. But if there is enough demand, priorities can change...

  • Sounds reasonable.

  • Sounds very complicated to me. The main drawback is that the time it takes to get an answer from the service depends on the time the owner of the certificate takes to reply to the confirmation message. That could take a long time (if it happens at all), depending on many factors: time differences, travel, problems with internet access, false positive in spam filters, etc. All the while, the owner of the certificate would not know about this issue, because he did not initiate the query.

    Sounds like a bad design to me, to be honest. Sure, it does allow the owner of the certificate to control who gets a response to a validation query, but I wonder if that level of control is really needed. To me, it would be sufficient if:

    I get an email when the certificate is issued with a link that allows me to enable or disable external lookup of the validity of the certificate. Perhaps it could be used to change the attached mail address too?

    The certificate validation service asks for the UUID and some other piece of data (email address perhaps?)

    If the certificate owner has agreed to being listed in the service and has a valid certificate, the user of the service immediately sees the "Yes, we confirm the validity of this certificate" on the screen.

    If the certificate owner did not agree to the listing, there is no certificate for the user, or the UUID/other piece combination is incorrect, the service displays a message that it could not verify, but that that does not mean that the owner does not have a certificate.

    The service only allows a certain number of queries for invalid UUID/<other data piece> tuples before it starts to deny service.

    For me, that would be safe enough: I as a certificate owner have control if I get listed at all, and the service is protected against automatic harvesting reasonably well.
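
A sketch of the look-up service proposed in the post above (owner opt-in, UUID plus a second data item, one indistinguishable "could not verify" answer, a cap on failed queries), added here as an illustration and not code from the thread or from Nokia. The class name, the thresholds, the use of the email address as the second item and the in-memory storage are assumptions.

```python
import hmac
import time
import uuid
from collections import defaultdict, deque

MAX_FAILURES = 5          # assumed cap on failed look-ups per client
WINDOW_SECONDS = 3600     # assumed sliding window for that cap
CONFIRMED = "Yes, we confirm the validity of this certificate"
UNVERIFIED = ("Could not verify. This does not mean that the owner "
              "does not have a certificate.")
DENIED = "Too many failed look-ups, try again later"


class CertificateVerifier:
    def __init__(self):
        self._certs = {}                      # UUID string -> record
        self._failures = defaultdict(deque)   # client id -> failure times

    def issue(self, email, lookup_enabled=False):
        """Issue a certificate with a random (version 4) UUID; look-up is opt-in."""
        cert_id = str(uuid.uuid4())
        self._certs[cert_id] = {"email": email.lower(), "valid": True,
                                "lookup_enabled": lookup_enabled}
        return cert_id

    def set_lookup(self, cert_id, enabled):
        """Owner switches external look-up on or off (the emailed link)."""
        self._certs[cert_id]["lookup_enabled"] = enabled

    def verify(self, cert_id, email, client, now=None):
        now = time.time() if now is None else now
        recent = self._failures[client]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            return DENIED
        rec = self._certs.get(cert_id)
        # Compare even when the UUID is unknown, and in constant time, so the
        # response time does not reveal which half of the tuple was wrong.
        expected = rec["email"] if rec else ""
        match = hmac.compare_digest(expected.encode(), email.lower().encode())
        if rec and match and rec["valid"] and rec["lookup_enabled"]:
            return CONFIRMED
        # Unknown UUID, wrong email and opted-out owner all count as failures;
        # otherwise the rate limiter itself would reveal which tuples exist.
        recent.append(now)
        return UNVERIFIED
```

The `client` key would typically be the source address or a session identifier; a captcha, as suggested elsewhere in the thread, would sit in front of `verify`.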

  • I agree with Andre. A random UUID plus a captcha are enough to avoid "brute force attacks" (if any). Having the online lookup configurable is a nice plus.

    Maybe I'm a bit naive, but I don't actually see many privacy issues... what's exactly the problem in having Nokia confirm that the certificate with id XYZ belonging to John Doe is authentic?
