Re: QC's - for human eyes only?



If putting biometric data in a certificate is "bad," what about putting a
hash of it?

Or should this type of information be more appropriately stored in a
directory?
----- Original Message -----
From: Tony Bartoletti <azb@llnl.gov>
To: Eric Murray <ericm@lne.com>; Ilan Shacham <ilans@arx.com>
Cc: Ietf-Pkix (E-mail) <ietf-pkix@imc.org>
Sent: Monday, December 06, 1999 11:05 AM
Subject: Re: QC's - for human eyes only?


> At 09:00 AM 12/05/1999 -0800, Eric Murray wrote:
>
> >However putting a biometric in a certificate is like putting your Social
> >Security Number and mother's maiden name in a certificate- it would
> >allow anyone who receives the certificate to be able to use those
> >irrevocable identifiers to impersonate you.  So biometric data should
> >only be sent encrypted in a session key, if it's ever sent at all.
>
> This is why "irrevocables" should never be relied upon as identifiers.
>
> I intend to publish my own photographs, fingerprints, retinal scans and
> DNA traces to public fora, precisely to diminish reliance upon them as
> evidence of "me"!  I hope to start a global movement...
>
> Seriously, my philosophic problem with biometrics is that, while the
> "body" is somewhat of a constant, the "person" is not, especially with
> respect to time and circumstance.  Yet (undue) reliance upon biometrics
> tends to reinforce the notion of "once an X, always an X".  That is,
> it will encourage the limitation of "trust" calculations to constants.
>
> ___tony___
>
> Tony Bartoletti                                             LL
> IOWA Center                                              LL LL
> Lawrence Livermore National Laboratory                LL LL LL
> PO Box 808, L - 089                                   LL LL LL
> Livermore, CA 94551-9900                              LL LL LLLLLLLL
> phone: 925-422-3881   fax: 925-423-8081               LL LLLLLLLL
> email: azb@llnl.gov                                   LLLLLLLL
>