
Re: Biometric Data not in DOD Certificate [was: Re: Certificate profile for Biometrics information.]

Phil,

> I don't think so. I got the idea that it was an on-card matching situation
> and that it was X.509 certificates, not attribute certificates, to be used.
> But I'm not involved in the work.

I am an advisor to the Executive Director for the DoD PKI and earlier completed an analysis of most aspects of this PKI, the one that uses the CAC. I can speak with considerable confidence that this is NOT how it is used today.


I am willing to believe that someone who wants to promote the use of biometrics might be running some pilot somewhere in which this sort of thing is done, storing a template on a card for use in local verification, but it is almost certain that the template is not part of any cert. The cards have a facility to store data for private (i.e., local) application uses such as stored-value systems. One could store a template in this fashion, using the controls offered by the Java applets for managing access to such data, so that only a set of authorized readers would be able to get the template.

> For biometrics, I see certificate formats as just another package for
> the data. I certainly don't envision biometrics becoming part of path
> processing, for example. And the biometric data components are
> often encrypted or otherwise obscured, the details available only to
> a given vendor. But header information, such as validity information,
> quality or type, is becoming standardized and benefits from being
> signed.

There might be some scenarios in which encrypted template data could be carried in a cert and be acceptably protected. The question Russ asked is what are those scenarios. We know of lots of bad ideas on how to store this data in certs and we don't want to condone that.


Note that when we discussed inclusion of biometric data in a cert in the Qualified Certificate RFC, we intentionally limited it to data for verification by a human being, e.g., a photograph, not a fingerprint, voiceprint, etc.

Steve
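As an added illustration of the last point, and not code from the thread or from either participant: the Qualified Certificates profile (RFC 3039, later RFC 3739) defines the id-pe-biometricInfo extension so that the certificate carries only a hash of the biometric source (a picture or handwritten signature, or an OID-identified type) plus an optional URI, never the picture itself and never a matching template. The block below hand-encodes and decodes that BiometricSyntax value in DER with the standard library only, then does what a relying party would do: fetch the picture out of band and recompute the hash. The photograph bytes are a constructed stand-in, the URI is a placeholder, and human_verifiable() is an assumed local policy check written to reflect the "verification by a human being" intent described above, not something the RFC mandates.

```python
import hashlib

# Real, assigned OIDs
ID_PE_BIOMETRIC_INFO = "1.3.6.1.5.5.7.1.2"  # id-pe-biometricInfo (RFC 3039/3739)
ID_SHA256 = "2.16.840.1.101.3.4.2.1"        # NIST id-sha256
HASH_NAMES = {ID_SHA256: "sha256"}          # only SHA-256 is wired up in this example
PICTURE, HANDWRITTEN_SIGNATURE = 0, 1       # PredefinedBiometricType values

# --- minimal DER encode/decode, just enough for BiometricSyntax ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                      # base-128, continuation bit on all but last byte
        chunk = [a & 0x7F]; a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F)); a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _int(v):
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                        # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

# --- the extension value: SEQUENCE OF BiometricData, each holding a HASH of the source ---
def encode_biometric_info(entries):
    """entries: (type, source_bytes, uri_or_None); type is an int (predefined) or a dotted OID."""
    items = b""
    for btype, source, uri in entries:
        digest = hashlib.new(HASH_NAMES[ID_SHA256], source).digest()
        type_der = _oid(btype) if isinstance(btype, str) else _int(btype)   # typeOfBiometricData CHOICE
        alg = _tlv(0x30, _oid(ID_SHA256) + b"\x05\x00")                      # AlgorithmIdentifier, NULL params
        body = type_der + alg + _tlv(0x04, digest)                            # biometricDataHash OCTET STRING
        if uri is not None:
            body += _tlv(0x16, uri.encode("ascii"))                           # sourceDataUri IA5String OPTIONAL
        items += _tlv(0x30, body)
    return _tlv(0x30, items)

def decode_biometric_info(der):
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("BiometricSyntax must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, item, pos = _read_tlv(seq, pos)
        t, ty, p = _read_tlv(item, 0)
        btype = _decode_oid(ty) if t == 0x06 else int.from_bytes(ty, "big")
        _, alg, p = _read_tlv(item, p)
        _, alg_oid, _ = _read_tlv(alg, 0)
        _, digest, p = _read_tlv(item, p)
        uri = _read_tlv(item, p)[1].decode("ascii") if p < len(item) else None
        out.append({"type": btype, "hash_oid": _decode_oid(alg_oid), "hash": digest, "uri": uri})
    return out

# --- relying-party side ---
def matches_source(entry, candidate):
    """Recompute the hash over data obtained out of band (e.g. fetched from sourceDataUri)."""
    return hashlib.new(HASH_NAMES[entry["hash_oid"]], candidate).digest() == entry["hash"]

def human_verifiable(entry):
    """Assumed local policy, not from the RFC: accept only types a human can compare by eye."""
    return entry["type"] in (PICTURE, HANDWRITTEN_SIGNATURE)

if __name__ == "__main__":
    photo = b"\xff\xd8\xff\xe0" + b"constructed stand-in for a JPEG photograph" * 8  # not a real image
    der = encode_biometric_info([(PICTURE, photo, "https://example.test/photos/1234.jpg")])
    entry = decode_biometric_info(der)[0]
    print(len(der), "bytes; photo bytes present in extension:", photo in der)
    print("hash matches fetched photo:", matches_source(entry, photo))
```

The decoded entry shows what a verifier has to work with: a type, a hash algorithm, a digest and a URI. Anyone who wants the picture has to go and get it, and the signature on the certificate only binds the digest; that is the sense in which a certificate can commit to biometric data without carrying it.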