[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New proposed solution to the QC biometric issue

To: Stephen Kent <kent@xxxxxxxxxxx>, "Peter Williams" <peterw@xxxxxxxxxxxx>
Subject: Re: New proposed solution to the QC biometric issue
From: Stefan Santesson <stefan@xxxxxxxxxxx>
Date: Thu, 22 Apr 1999 13:58:29 +0200
Cc: <ietf-pkix@xxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxx

At 01:37 PM 4/19/99 -0400, Stephen Kent wrote:
<snip>

I might be persuaded to provide an OPTIONAL pointer field if more evidence accumulates in favor of such, but it is not in the same category as the other pointers you cite.

Steve,

I have given this quite a thought the last days and I must say that I would favor an OPTIONAL URI pointer.

The rationale is mainly:

1) It doesn't matter from which source the relying party gets the source data (e.g. picture) as long as it does match the hash. So the optional URI are not THE place to get the information, but rather A place to find it. What I mean by this is that there is no conflict if the source data is provided by several means.

2) The authentication process could then be carried out independent of the transaction. I.e. the relying party could verify and display the picture regardless of which protocol the certificate was used and/or presented.

So, what I see before me with a hash AND an optional URI of a picture, is standard clients that automatically displays the picture of the subject when they get hold of a certificate, without having to integrate that process with the corresponding transaction protocol where the certificate is used.

Because if the URI is not allowed, then the process of obtaining the source data will have to be solved by locally defined standards, integrated with some protocol. And that will never be a general standard solution.

Further, since we clearly focus on two types of bio-data (picture and signature image) I would also favor that these types are associated wit a predefined integer value (not needing an OID).

By the reasons above I propose this ASN.1 structure for a bio-data record:

BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBioDataSyntax,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL}

TypeOfBioDataSyntax ::== CHOICE {
predefinedBioType [0] INTEGER,
bioDataOid [1] OBJECT IDENTIFIER }

with the following predefinedBioType defined (so far):
0 picture
1 handwritten signature

Concerning source data format I don't believe that has to be addressed any further.
If an URI are used, then this is solved automatically. If not, this will have to be defined by local conventions. In extreme cases, the OID choice of TypeOfBioDataSyntax should be used to define both type and format.

/Stefan
-------------------------------------------------------------------
Stefan Santesson <stefan@accurata.se>
Accurata Systemsäkerhet AB http://www.accurata.se
Slagthuset Tel. +46-40 108588
211 20 Malmö Fax. +46-40 150790
Sweden Mobile +46-70 5247799

PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------

Follow-Ups:
- Re: New proposed solution to the QC biometric issue
  - From: Denis Pinkas

Prev by Date: Re: Delta CRL processing
Next by Date: Re: New proposed solution to the QC biometric issue
Previous by thread: Re: New proposed solution to the QC biometric issue
Next by thread: Re: New proposed solution to the QC biometric issue
Index(es):
- Date
- Thread