The idea is to validate and bind one account to one Citizen Digital Certificate (自然人憑證).
It would be something like having our system send a one-time token to the user,
who then signs it with their certificate and sends it back, along with identifying data
from the certificate (common name + serial number).
The Citizen Digital Certificate should be fetched via the MOICA LDAP service (ldap://moica.nat.gov.tw)
and validated against the MOICA certificate chain and CRL/OCSP.
Additionally, the X509v3 Subject Directory Attributes should be validated as follows:
- it should contain the attribute 2.16.886.1.100.2.1 (OID id-chtpki-at-subjectType), and
- the value of this attribute should be 2.16.886.1.100.3.1.1 (OID id-chtpki-et-citizen, citizen) or 2.16.886.1.100.3.1.9 (OID id-chtpki-et-alienResident, foreign national).
Once validation passes, a unique identifier of the certificate / person should be kept (common name + type (citizen or alienResident) + 2.16.886.1.100.2.51 (last 4 digits of the national ID number)).
On the server, we might want to do this as a separate microservice, as we might not want to pull in OpenSSL and LDAP dependencies, and also because of the network access.
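The Subject Directory Attributes checks proposed in the issue, as an added Python example that is not code from this issue or its project. It uses only the standard library: a minimal DER reader is enough to parse the extension value, so the checking component needs no OpenSSL binding, in line with the isolation concern above. Assumptions not stated in the issue: the function receives the raw DER contents of the extension's OCTET STRING (`extnValue`), the 2.16.886.1.100.2.51 attribute is a PrintableString, UTF8String or IA5String holding four digits, and the stored binding identifier is a SHA-256 over CN + type + digits (the issue only says the triple should be kept). Chain building, CRL/OCSP, the LDAP fetch and verifying the user's signature over the one-time token are not shown; they need a real X.509 library. `build_sample_extn_value` constructs test data and is not a real MOICA certificate.

```python
"""SubjectDirectoryAttributes checks for a MOICA 自然人憑證, Python 3 stdlib only.
Added example, not code from this issue or its project.  RFC 5280 shape:
    SubjectDirectoryAttributes ::= SEQUENCE OF Attribute
    Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }"""
import hashlib

# OIDs quoted in the issue
OID_SUBJECT_TYPE = "2.16.886.1.100.2.1"         # id-chtpki-at-subjectType
OID_ET_CITIZEN = "2.16.886.1.100.3.1.1"         # id-chtpki-et-citizen
OID_ET_ALIEN_RESIDENT = "2.16.886.1.100.3.1.9"  # id-chtpki-et-alienResident
OID_ID_LAST4 = "2.16.886.1.100.2.51"            # last 4 digits of the national ID
ALLOWED_TYPES = {OID_ET_CITIZEN: "citizen", OID_ET_ALIEN_RESIDENT: "alienResident"}
STRING_TAGS = {0x0C, 0x13, 0x16}  # UTF8/Printable/IA5String; the real encoding is assumed

def der_tlv(tag, body):  # short-form length only; this extension is tiny
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:  # base-128, high bit = more bytes
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_read(data, pos=0):
    """(tag, body, end) of the TLV at pos; indefinite or oversized lengths are rejected."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:pos + length], pos + length

def der_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        items.append((tag, inner))
    return items

def decode_oid(body):
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))

def parse_subject_directory_attributes(extn_value):
    """Map attribute OID -> [(tag, body), ...]; trailing bytes and duplicate OIDs are rejected."""
    tag, body, end = der_read(extn_value)
    if tag != 0x30 or end != len(extn_value):
        raise ValueError("extnValue is not exactly one SEQUENCE")
    attrs = {}
    for atag, abody in der_children(body):
        parts = der_children(abody)
        if atag != 0x30 or len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0x31:
            raise ValueError("Attribute must be SEQUENCE { OID, SET }")
        oid = decode_oid(parts[0][1])
        if oid in attrs:
            raise ValueError("duplicate attribute " + oid)
        attrs[oid] = der_children(parts[1][1])
    return attrs

def validate_subject_type(extn_value):
    """Return ('citizen' | 'alienResident', last-4 digits) or raise ValueError."""
    attrs = parse_subject_directory_attributes(extn_value)
    types = attrs.get(OID_SUBJECT_TYPE, [])
    if len(types) != 1 or types[0][0] != 0x06:
        raise ValueError("id-chtpki-at-subjectType missing or not a single OID")
    label = ALLOWED_TYPES.get(decode_oid(types[0][1]))
    if label is None:
        raise ValueError("subjectType is neither citizen nor alienResident")
    last4 = attrs.get(OID_ID_LAST4, [])
    if len(last4) != 1 or last4[0][0] not in STRING_TAGS:
        raise ValueError("2.16.886.1.100.2.51 missing or not a string")
    digits = last4[0][1].decode("utf-8")
    if len(digits) != 4 or not digits.isdigit():
        raise ValueError("national ID suffix must be exactly 4 digits")
    return label, digits

def binding_identifier(common_name, extn_value):
    """CN + type + last 4 digits, as the issue proposes; hashing is this example's choice."""
    label, digits = validate_subject_type(extn_value)
    return hashlib.sha256(f"{common_name}|{label}|{digits}".encode()).hexdigest()

def build_sample_extn_value(subject_type_oid, id_last4):
    """Constructed test data, not a real MOICA certificate (last-4 as PrintableString assumed)."""
    attr_type = der_tlv(0x30, der_oid(OID_SUBJECT_TYPE) + der_tlv(0x31, der_oid(subject_type_oid)))
    attr_id = der_tlv(0x30, der_oid(OID_ID_LAST4) + der_tlv(0x31, der_tlv(0x13, id_last4.encode())))
    return der_tlv(0x30, attr_type + attr_id)
```

The parser is deliberately strict: a single SEQUENCE with no trailing bytes, exactly one `subjectType` value, and no repeated attribute OIDs, so a certificate cannot carry both a citizen and a non-citizen type and pass depending on which value a lenient parser happens to read first. Run `validate_subject_type` only after the chain, CRL/OCSP and signature-over-token checks have succeeded; the identifier it feeds into `binding_identifier` stays stable across certificate renewals (new serial number, same person), which is why the issue keys on CN + type + last 4 digits rather than on the serial.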