RE: Certificate profile for Biometrics information.

["Ebbe Hansen" <e_hansen@xxxxxxxxxxx>]

Steve,

I would consider storing of a biometrics "digest" (sometimes also called a
template) to be the minimum biometrics information that could be included in
a certificate (possible in an Attribute Certificate). Type of biometrics
(finger, iris, facial, etc), "digest/template" algorithm, etc. could also be
useful. I just learned the XML working group already has a draft out (Ref.
http://www.oasis-open.org/committees/xcbf/#documents).

For individuals and/or organizations that are concerned about privacy
issues, one could consider support of an encryption option where selected
"trusted readers" could be enabled using specific session-key tokens,
possibly included (under user or organization control) on the same
smart-card that holds the certificate(s) with the biometrics extension(s).

Ebbe

-----Original Message-----
From: Stephen Kent [mailto:kent@xxxxxxx]
Sent: Monday, November 04, 2002 10:34 AM
To: Ebbe Hansen
Cc: ietf-pkix@xxxxxxx
Subject: Re: Certificate profile for Biometrics information.

>I am looking for biometrics profile-definitions on how biometrics reference
>information may be encoded and embedded into X.509 certificates (Public Key
>Certificates as well as Attribute Certificates). The only
>"biometrics-data-extension" I have found so far is included in RFC 3039 as
>the "biometricInfo" extension.
>
>Are there other biometrics profiles that have been defined at this time?
>
>Regards Ebbe Hansen

Ebbe,

Many sorts of biometric info are inappropriate to place in a cert,
due to concerns about disclosure of that info, e.g., to enable off
line guessing attacks. This, in part, is why we don't have any
extension defined for this purpose. Could you explain in more detail
what sort of biometric info you envision storing in certs, and how it
would be used?  That might help us better understand what might be
appropriate.

Thanks,

Steve