Ilan,
>It seems to me that most postings here with privacy concerns are
>actually against the whole concept of the QC and the linking of
>biometric data to individuals. Once QCs have been agreed upon it
>looks like both options - hash+URI and Biometrics on the QC, are
>conceptually identical.
Your observation is unfortunately completely correct!
This is IMO where you get by starting with ASN.1 instead of an old-fashioned
"requirement specification". The requirement specification should be on
a level that can be (more or less) interpreted by parties that may not have a
degree in cryptography. Why? Unlike TLS and OCSP, QC is very close to
an "application" and when applications are designed, "users" should be
able to participate. But that's too late now. And many valuable months have
simply passed without any progress and soon the last call is over and things
are still in a partial shape.
QC is not an application. It is a certificate profile. Multiple ways
of making use of QCs are possible, and that is one of the reasons why
we have deferred the question of how to present the biometric
template that is bound to a certificate.