Accessing/selecting biometrics was: Stray Poll: Finger-prints in QCs

["Anders Rundgren" <anders.rundgren@xxxxxxxxxx>]

Tony, 

Slight comment on a thing of importance that you mention 

<snip> 

>Someone mentioned that the hash is sufficient, since the actual
>data could just "tag along" with the cert, if required. But there
>needs to be a standard even for this kind of operation. Is there?


This was the original QC solution. As you noted (and I have told the 
authors several times) this is a half-made solution. A genuine example 
of poor engineering! 


Then somebody sad: Why not add an URI (option) to hold the actual data. 
Hooray!  Problem solved!   Is it? The idea behind this and the first suggestion 
is probably that the user in some mysterious way is supposed to select 
if he/she is going to give his/her biometrics away. Q: How do you do that 
with the URI-solution? I have never received an answer this! 


So I proposed that you include biometrics in a "biometric cert" and use the 
mechanism already featured in browsers (although biometrics will seldom be used 
in that environment) - certificate selection. The same solution can be applied 
to any "privacy-depriving" certificate. 

         http://www.mobilephones-tng.com/papers/idcards.html 


My bet is: Only really stupid QC implementers will use the current QC scheme for 
biometrics as they are unlikely to be supported by the large SW manufacturers 
as this part is currently simply not ready for use. But of course there is a market 
for proprietary solutions where this fits very nicely... 

Anders