
RE: QC's - for human eyes only?



It looks like there is a consensus on the fact that biometric data
is no good for remote authentication, therefore there would be no need
for putting QCs in directories. Instead, the QC owner would hold it in
a smartcard, or something similar.

Consider the following scenario:
Alice runs some service which requires authentication through biometrics.
Bob comes to Alice and presents his smartcard with his QC on it. Alice
takes biometric measurements of Bob and checks his QC to authenticate
him. Now there are two possibilities:
1. The QC includes a hash and URI of the biometrics - Alice securely
accesses the URI and retrieves Bob's biometrics.
2. The QC includes Bob's biometrics - Alice gets the biometrics from the
QC.
In both cases Alice, and only Alice, is given Bob's biometrics. If Bob
trusts Alice to keep this data secret then there is no problem. If he
doesn't trust her then he shouldn't have given her the smartcard in the
first place.

Currently there are no definitions of the secure access of the URI, so
this might be an opening for malicious people to fraudulently retrieve
the biometrics from the URI. Therefore, as I see it, the URI option is
the one where privacy is more breachable.

It seems to me that most postings here with privacy concerns are
actually against the whole concept of the QC and the linking of
biometric data to individuals. Once QCs have been agreed upon it
looks like both options - hash+URI and biometrics on the QC - are
conceptually identical.

------------------------------------------------------------------------
Ilan Shacham				mailto:ilans@arx.com
Algorithmic Research Ltd.		http://www.arx.com
10 Nevatim St.,			phone:	972 - 3 - 9279540
Petach-Tikva, Israel			Fax:	972 - 3 - 9230864
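Added example (editor's addition, not code from Ilan's message, from anyone else in this thread, or from any PKIX draft): a relying party's checks for the two options Ilan describes, plus the hash-linkability point Gene raises below. The BiometricInfo layout is a simplified stand-in loosely modeled on the biometricInfo extension later standardized in RFC 3739 (a hash of the reference data plus an optional source URI), which this page predates and does not describe. The field names, the embedded-template field used for option 2, the URI, the registry and the fetch hooks are all assumptions made so the example runs offline.

```python
"""Relying-party checks for the two QC options discussed in the thread.

Added example, not code from the thread or from any PKIX draft.  The
BiometricInfo layout is a simplified stand-in loosely modeled on the
biometricInfo extension later standardized in RFC 3739 (a hash of the
reference data plus an optional source URI); the field names, the
embedded-template field for option 2, the URI, the registry and the
fetch hooks are all assumptions made so the example runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data: a stand-in for Bob's reference fingerprint template.
BOB_TEMPLATE = b"constructed-fingerprint-template-for-bob"
BOB_URI = "https://biometrics.example/bob"  # hypothetical source URI


@dataclass(frozen=True)
class BiometricInfo:
    """Simplified QC biometric extension (field names are assumptions)."""
    type_of_data: str                  # e.g. "fingerprint"
    hash_algorithm: str                # a hashlib name such as "sha256"
    data_hash: bytes                   # hash of the reference template
    source_uri: Optional[str] = None   # option 1: hash + URI
    embedded: Optional[bytes] = None   # option 2: template carried in the QC


def template_hash(alg: str, data: bytes) -> bytes:
    return hashlib.new(alg, data).digest()


def qc_with_hash_and_uri(alg: str, data: bytes, uri: str) -> BiometricInfo:
    """Option 1: the CA signs only the hash and a pointer to the data."""
    return BiometricInfo("fingerprint", alg, template_hash(alg, data), source_uri=uri)


def qc_with_embedded_data(alg: str, data: bytes) -> BiometricInfo:
    """Option 2: the CA signs the biometric data itself."""
    return BiometricInfo("fingerprint", alg, template_hash(alg, data), embedded=data)


Fetcher = Callable[[str], bytes]


def reference_template(info: BiometricInfo, fetch: Fetcher) -> bytes:
    """The reference data Alice ends up holding under either option.

    Option 2 needs no retrieval: integrity comes from the CA's signature
    over the whole QC.  Option 1 fetches from source_uri and checks the
    bytes against the signed hash, so a substituted template is caught.
    The hash check says nothing about who else can fetch that URI.
    """
    if info.embedded is not None:
        return info.embedded
    if info.source_uri is None:
        raise ValueError("QC carries neither a source URI nor embedded data")
    data = fetch(info.source_uri)
    if not hmac.compare_digest(template_hash(info.hash_algorithm, data), info.data_hash):
        raise ValueError("data at source URI does not match the hash in the QC")
    return data


def matches_live_sample(reference: bytes, live_sample: bytes) -> bool:
    """Stand-in for Alice's matcher.  Real matchers are fuzzy; exact
    equality is an assumption so the example stays self-contained."""
    return hmac.compare_digest(reference, live_sample)


def linkable(qc_a: BiometricInfo, qc_b: BiometricInfo) -> bool:
    """Gene Hilborn's objection in code: a static hash of the same
    template is identical in every QC issued to Bob, so two relying
    parties can join their records on it without ever seeing the data."""
    return (qc_a.hash_algorithm == qc_b.hash_algorithm
            and hmac.compare_digest(qc_a.data_hash, qc_b.data_hash))


# Constructed stand-in for the undefined "secure access" to the URI.  It is
# keyed by URI alone, so anyone holding a copy of the QC can retrieve Bob's
# template: the hash protects integrity, not confidentiality.
REGISTRY: Dict[str, bytes] = {BOB_URI: BOB_TEMPLATE}


def unauthenticated_fetch(uri: str) -> bytes:
    return REGISTRY[uri]


def tampered_fetch(uri: str) -> bytes:
    """Models an attacker on the path to the URI substituting a template."""
    return b"attacker-template-for-" + uri.encode()


if __name__ == "__main__":
    qc1 = qc_with_hash_and_uri("sha256", BOB_TEMPLATE, BOB_URI)
    qc2 = qc_with_embedded_data("sha256", BOB_TEMPLATE)
    live = BOB_TEMPLATE  # Alice's fresh measurement (constructed)
    for name, qc in (("hash+URI", qc1), ("embedded", qc2)):
        ref = reference_template(qc, unauthenticated_fetch)
        print(name, "authenticated:", matches_live_sample(ref, live))
    try:
        reference_template(qc1, tampered_fetch)
    except ValueError as e:
        print("hash+URI with substituted data:", e)
    print("two QCs linkable by hash:", linkable(qc1, qc2))
```

The hash check in reference_template is what makes the two options equivalent from Alice's side once she has the bytes; what it does not do is restrict who may call fetch on the URI, which is Ilan's point about the undefined secure access, and linkable shows why the hash alone is already a stable identifier regardless of which option is chosen.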


> -----Original Message-----
> From: ghilborn@csc.com [mailto:ghilborn@csc.com]
> Sent: Tuesday, December 07, 1999 12:55 AM
> To: ietf-pkix@imc.org
> Subject: Re: QC's - for human eyes only?
> 
> 
> 
> 
> Consider the distinction between *identification* and *authentication*.
> Something makes a good identifier if it points uniquely to what it
> identifies. Something makes a good authenticator if it is hard for the
> wrong entity to generate it. If a "secret" authenticator is shared
> between too many parties (e.g., SSN, mother's maiden name) it no longer
> makes a very good authenticator.
> 
> What is the nature of a biometric? A problem for biometrics is that if
> multiple systems know and authenticate me by my fingerprint data, is
> that data still a good authenticator? If the comparison is static, the
> answer would be "no" for the same reason as SSNs, etc. are poor. But if
> they also use an effective "liveness" test against static reference
> data, then the reference fingerprint data really serves as an identifier
> and the "liveness" test mechanism really serves as the authenticator. In
> that case what's the problem with including my fingerprint data in a
> certificate?
> 
> I think the real worry about including a biometric in a certificate is
> the potential for privacy invasion, because the biometric in effect
> becomes an unchangeable universal identifier - exactly the same concern
> now about SSNs being attached to all your records, permitting easy
> dossier compilation.
> 
> A static hash doesn't solve the privacy problem because that hash itself
> just serves as the universal identifier.
> 
> IMO, the best thing to do with a biometric in connection with PKI is to
> put it into a hardware token that protects one's private key
> corresponding to the public key in a certificate. Then it serves as a
> private user-to-key-device authenticator which is not shared outside
> that environment. No reference to the biometric content is needed in the
> certificate for this use. This use of biometrics is (1) highly secure
> (assuming a trusted channel between biometrics reader and key device)
> and (2) not a threat to privacy.
> 
> -Gene Hilborn
> 
> 
> 
> 
> lmartin@cylink.com on 12/06/99 03:17:57 PM
> 
> To:   ietf-pkix@imc.org
> cc:    (bcc: Gene Hilborn/DEF/CSC)
> Subject:  Re: QC's - for human eyes only?
> 
> 
> 
> If putting biometric data in a certificate is "bad," what about putting
> a hash of it?
> 
> Or should this type of information be more appropriately stored in a
> directory?
> ----- Original Message -----
> From: Tony Bartoletti <azb@llnl.gov>
> To: Eric Murray <ericm@lne.com>; Ilan Shacham <ilans@arx.com>
> Cc: Ietf-Pkix (E-mail) <ietf-pkix@imc.org>
> Sent: Monday, December 06, 1999 11:05 AM
> Subject: Re: QC's - for human eyes only?
> 
> 
> > At 09:00 AM 12/05/1999 -0800, Eric Murray wrote:
> >
> > >However putting a biometric in a certificate is like putting your
> > >Social Security Number and mother's maiden name in a certificate- it
> > >would allow anyone who receives the certificate to be able to use
> > >those irrevocable identifiers to impersonate you.  So biometric data
> > >should only be sent encrypted in a session key, if it's ever sent at
> > >all.
> >
> > This is why "irrevocables" should never be relied upon as identifiers.
> >
> > I intend to publish my own photographs, fingerprints, retinal scans
> > and DNA traces to public fora, precisely to diminish reliance upon
> > them as evidence of "me"!  I hope to start a global movement...
> >
> > Seriously, my philosophic problem with biometrics is that, while the
> > "body" is somewhat of a constant, the "person" is not, especially with
> > respect to time and circumstance.  Yet (undue) reliance upon biometrics
> > tends to reinforce the notion of "once an X, always an X".  That is,
> > it will encourage the limitation of "trust" calculations to constants.
> >
> > ___tony___
> >
> > Tony Bartoletti                                             LL
> > IOWA Center                                              LL LL
> > Lawrence Livermore National Laboratory                LL LL LL
> > PO Box 808, L - 089                                   LL LL LL
> > Livermore, CA 94551-9900                              LL LL LLLLLLLL
> > phone: 925-422-3881   fax: 925-423-8081               LL LLLLLLLL
> > email: azb@llnl.gov                                   LLLLLLLL
> >