Re: QC's - for human eyes only?
Consider the distinction between *identification* and *authentication*.
Something makes a good identifier if it points uniquely to what it identifies.
Something makes a good authenticator if it is hard for the wrong entity to
generate it. If a "secret" authenticator is shared between too many parties
(e.g., SSN, mother's maiden name) it no longer makes a very good authenticator.
What is the nature of a biometric? A problem for biometrics is that if multiple
systems know and authenticate me by my fingerprint data, is that data still a
good authenticator? If the comparison is static, the answer would be "no" for
the same reason as SSNs, etc. are poor. But if they also use an effective
"liveness" test against static reference data, then the reference fingerprint
data really serves as an identifier and the "liveness" test mechanism really
serves as the authenticator. In that case what's the problem with including my
fingerprint data in a certificate?
I think the real worry about including a biometric in a certificate is the
potential for privacy invasion, because the biometric in effect becomes an
unchangeable universal identifier - exactly the same concern now about SSNs
being attached to all your records, permitting easy dossier compilation.
A static hash doesn't solve the privacy problem because that hash itself just
serves as the universal identifier.
IMO, the best thing to do with a biometric in connection with PKI is to put it
into a hardware token that protects one's private key corresponding to the
public key in a certificate. Then it serves as a private user-to-key-device
authenticator which is not shared outside that environment. No reference to the
biometric content is needed in the certificate for this use. This use of
biometrics is (1) highly secure (assuming a trusted channel between biometrics
reader and key device) and (2) not a threat to privacy.
-Gene Hilborn
lmartin@cylink.com on 12/06/99 03:17:57 PM
To: ietf-pkix@imc.org
cc: (bcc: Gene Hilborn/DEF/CSC)
Subject: Re: QC's - for human eyes only?
If putting biometric data in a certificate is "bad," what about putting a
hash of it?
Or should this type of information be more appropriately stored in a
directory?
----- Original Message -----
From: Tony Bartoletti <azb@llnl.gov>
To: Eric Murray <ericm@lne.com>; Ilan Shacham <ilans@arx.com>
Cc: Ietf-Pkix (E-mail) <ietf-pkix@imc.org>
Sent: Monday, December 06, 1999 11:05 AM
Subject: Re: QC's - for human eyes only?
> At 09:00 AM 12/05/1999 -0800, Eric Murray wrote:
>
> >However putting a biometric in a certificate is like putting your Social
> >Security Number and mother's maiden name in a certificate- it would
> >allow anyone who receives the certificate to be able to use those
> >irrevocable identifiers to impersonate you. So biometric data should
> >only be sent encrypted in a session key, if it's ever sent at all.
>
> This is why "irrevocables" should never be relied upon as identifiers.
>
> I intend to publish my own photographs, fingerprints, retinal scans and
> DNA traces to public fora, precisely to diminish reliance upon them as
> evidence of "me"! I hope to start a global movement...
>
> Seriously, my philosophic problem with biometrics is that, while the
> "body" is somewhat of a constant, the "person" is not, especially with
> respect to time and circumstance. Yet (undue) reliance upon biometrics
> tends to reinforce the notion of "once an X, always an X". That is,
> it will encourage the limitation of "trust" calculations to constants.
>
> ___tony___
>
> Tony Bartoletti
> IOWA Center
> Lawrence Livermore National Laboratory
> PO Box 808, L - 089
> Livermore, CA 94551-9900
> phone: 925-422-3881 fax: 925-423-8081
> email: azb@llnl.gov
>
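
The point made in the top reply, that a static hash of a biometric in a certificate is still an unchangeable universal identifier, can be checked with a small model. This is an added example, not part of the original thread; the certificate record layout, subject names and template bytes are constructed for illustration, and it assumes the same enrolled reference template is used each time a certificate is issued.

```python
import hashlib

# Constructed sample data: bytes standing in for enrolled fingerprint templates.
ALICE_TEMPLATE = b"constructed-fingerprint-template-alice"
BOB_TEMPLATE = b"constructed-fingerprint-template-bob"

def issue_cert(serial, subject, template, mode):
    """Build a toy certificate record (hypothetical layout, not real X.509).

    mode "raw":  the biometric template itself is placed in the certificate
    mode "hash": a SHA-256 hash of the template is placed in the certificate
    mode "none": no biometric reference; the template stays in the key token
    """
    cert = {"serial": serial, "subject": subject,
            # A fresh key per certificate models re-keying between issuances.
            "public_key": hashlib.sha256(f"key-{serial}".encode()).hexdigest()}
    if mode == "raw":
        cert["bio"] = template.hex()
    elif mode == "hash":
        cert["bio"] = hashlib.sha256(template).hexdigest()
    return cert

def linkable_pairs(log_a, log_b):
    """Subjects two relying parties can join: same key or same biometric field."""
    pairs = []
    for a in log_a:
        for b in log_b:
            same_key = a["public_key"] == b["public_key"]
            same_bio = "bio" in a and a.get("bio") == b.get("bio")
            if same_key or same_bio:
                pairs.append((a["subject"], b["subject"]))
    return pairs

def scenario(mode):
    """Alice changes both her key and her subject name between two parties."""
    bank = [issue_cert(1, "alice@bank", ALICE_TEMPLATE, mode),
            issue_cert(2, "bob@bank", BOB_TEMPLATE, mode)]
    clinic = [issue_cert(3, "patient-7731", ALICE_TEMPLATE, mode)]
    return linkable_pairs(bank, clinic)

if __name__ == "__main__":
    for mode in ("raw", "hash", "none"):
        print(mode, scenario(mode))
```

Re-keying and renaming break the link only in the "none" case; with either the raw template or its hash in the certificate, the two records still join on the biometric field.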