oasis-charter-discuss message

Subject: Daon comments on draft BOPS TC charter


OASIS –

Please find Daon’s comments on the proposed Biometric Open Protocol Standard (BOPS) TC below.  We are pleased to see an ongoing interest within OASIS regarding the area of biometric technology and its standardization.  We also appreciate the opportunity to provide feedback on the draft charter of the proposed BOPS TC.

Regards,

CT


----------------------------

COMMENTS

1. We are pleased to see continuing interest within OASIS in the area of biometrics.  We are wondering, however, if this project might be better placed within the existing OASIS Biometrics TC?

2. The first 7 paragraphs of the Statement of Purpose provide background information to aid in understanding the problem and are therefore useful for this purpose.  After that, the discussion becomes a bit confusing.

3. It is unclear exactly what is proposed to be standardized.  Is it:

   a. A biometric <web> server API?*

   b. An authentication protocol?

   c. A security mechanism?

*Please note the existence of the Biometric Identity Assurance Services (BIAS) standard (INCITS 442, OASIS BIAS SOAP Profile, ISO/IEC 30108) which could be leveraged for this purpose.

4. (1)(b) paragraph 5 mentions mobile devices and (1)(c) mentions Android/iPhone as client devices.  Does the target architecture include any client or just mobile clients?  (Note: A conceptual architecture diagram would be helpful.)

5. It is not clear what the target component(s) is with respect to protection/security.  Is it biometric data in transit or at rest or both?  Intrusion detection is also mentioned, but it is not clear how this relates.  Is auditing a BOPS capability or is this merely meant to be supported by the BOPS interface?

6. In the Scope section, the charter indicates that BOPS is to be language/implementation neutral, but then says it is to be built upon OpenSSL, Java, JSON, REST, and Apache Solr.  Does this mean that BOPS will be specified independent of language but that bindings will be provided for each of these?

7. Under Deliverables, the first subparagraph of paragraph 1 appears to equate liveness detection and intrusion detection, which is misleading.  Further, it implies that BOPS will be server based, but then discusses security features of biometric devices (sensors) associated with anti-spoofing mechanisms.  Is this intended to mean that the BOPS API will support transmission of liveness information?  (Note: You may wish to consult/reference ISO/IEC 30106, Presentation Attack Detection, in progress, for more information if BOPS is indeed intended to address this area.)

8. (1)(f) Audience “guarantees” risk mitigation.  It is recommended to use less provocative language.

9. (2)(a) mentions ISO as a potential liaison/source of similar work.  Please see a list of potentially relevant projects within ISO/IEC JTC1 SC37 below.

In addition to OASIS, Daon participates in the work of the ISO/IEC JTC1 SC37 subcommittee on biometrics.  As such, we would like to draw your attention to some of the work of SC37 that could both help inform the work of the new BOPS TC and potentially be leveraged within the resulting BOPS protocol (i.e., as either an informative or normative reference).  In particular, within the SC37 portfolio of biometric standards and technical reports are the following:

- ISO/IEC DIS 30108, Biometric Identity Assurance Services (BIAS).  This standard, nearing publication, is an international version extending the work of INCITS 442 (also the basis for the existing OASIS BIAS SOAP profile).  This standard defines a set of operations for invoking biometric services over a service oriented framework.

- ISO/IEC TR 30125, Biometrics used with mobile devices.  This technical report provides guidance for developing a consistent and secure method of biometric (either alone or supported by non-biometric) personalization and authentication in a mobile environment.

- ISO/IEC 19794, Biometric data interchange formats.  This multi-part standard specifies the format of biometric data records for various biometric modalities, including binary and (in progress) XML formats, to support interoperability among biometric systems and components.  Formats to date include fingerprint (image, minutiae, pattern/spectral & skeletal), face, iris, signature/sign (time series and processed dynamic data), vascular, hand geometry, DNA and fusion information.

- ISO/IEC 19785, Common Biometric Exchange Formats Framework.  This standard defines a metadata structure for exchanging biometric data.  The OASIS BIAS SOAP Profile specifies a CBEFF XML format instantiation.

- ISO/IEC 29794, Biometric sample quality.  This standard defines the format for the exchange of quality metrics.  Modality specific metrics are defined as individual parts.

- ISO/IEC 19795, Biometric performance testing and reporting.  This standard defines the methodology and measurements associated with biometric performance evaluation (e.g., accuracy).

- ISO/IEC TR 24722, Technical report on multi-modal and other multi-biometric fusion.  This report provides a description and analysis of current practice on multimodal and other multibiometric fusion.

- ISO/IEC WD 30107, Presentation attack detection.  This in-progress three-part standard addresses terminology, data format, and performance testing and reporting associated with liveness/spoofing and other attacks when a fake biometric is presented at the sensor.

We believe that to be effective, the development of any biometric authentication protocol should consider such things as interoperability, performance, security, and industry best practices.  We hope that by providing the above references, the BOPS TC will be better informed about resources available to enhance the capability of its specification.