[xcbf] Re: Biometric XML Standard (Web Services)

[Phil Griffin <phil.griffin@asn-1.com>]

There is work just now started in this area in two
OASIS TCs, the XML Common Biometric Format (XCBF) 
http://oasis-open.org/committees/xcbf/ TC and WSS, Web
Services Security http://oasis-open.org/committees/wss/
TC. I've already begun work defining a web service for
biometrics using WSDL and the XCBF schema. But the new
WSS seeks to define a generic web services security
mechanism.

Since this topic involves the data integrity, data privacy
and authentication of origin of biometrics information, it
will likely be coordinated by the Security Joint Committee
http://oasis-open.org/committees/security-jc/.

XCBF provides a common XML format for both BioAPI 1.1 and
the X9.84 Biometric Information Management and Security
standard, currently being revised by X9F4. The latest X9.84
schema is available at http://asn-1.com/x984index.html.

This revision, called X9.84:2002, has been adopted by the
OASIS XCBF group as the schema for their XML markup, and
tool kits are starting to emerge that support both compact
binary encodings of X9.84 messages and the XML representations
used in XCBF (http://asn-1.com/EncodeBiometricSyntaxSets.htm).

XCBF provides a means of securing biometric information
represented using XML. It provides a standard way to
secure both X9.84 BiometricObjects and BioAPI BIR. This
is done using XML versions of the familiar Cryptographic
Message Syntax types used today for secure email. The
X9.84:2002 revision adopts the XML cryptographic
processing defined in XCBF, and both XCBF and X9.84:2002
fully align with the fields in BioAPI 1.1 BIR.

Note that the BioAPI standard does not address many issues
that are addressed in the X9.84/XCBF data security standards.
It provides no mechanism or guidance for key management, no
algorithm independent mechanism for the identification of
cryptographic algorithms and associated parameters, and no
means for the identification and use of public key certificates,
to name just a few. In contrast, the X9.84 and XCBF standards
provide all of this.

Phil Griffin


Jon Baer wrote:

> Hello,
> 
> I am kinda stuck @ what is the actual standard in regards to exchanging
> fingerprint, images, voiceprints, etc over the web to interact with a
> secure SOAP/XML-RPC based web service.  It seems to me that there are
> about 4 different things going on, anyone care to say which is the
> leading edge?  BioAPI1.1?
> 
> Also it seems that part of HTTP basic authentication which would move
> from user/pass based to biometric based would need to be rewritten into
> part of the HTTP 1.1 protocol or be plug-in based and working with the
> server correctly to authenticate, in which case I have seen items work
> via a plug in on IE (ActiveX control), via the object tag but nothing in
> a neutral fashion which would suggest if you wanted to biometrically
> control certain webpage in an enterprise setting that you would need to
> be uniform in your browser and server settings.  Is this correct?
> 
> Thanks.
> 
> - Jon
> 
> 
> -------------------------------------------------------------------
> The preceding was forwarded by the Biometric Consortium's Electronic
> Discussion Group.  Any opinions expressed here do not necessarily
> reflect those of the Biometric Consortium.  Further distribution
> is prohibited.
> 
> Problems and questions regarding this list should be sent to
> BIOMETRICS-request@PEACH.EASE.LSOFT.COM.
> 
> To remove your name from this list please send the command
> "SIGNOFF BIOMETRICS" to <LISTSERV@PEACH.EASE.LSOFT.COM>.  Please
> do not send the "SIGNOFF BIOMETRICS" command to the BIOMETRICS list.
> 
> To update membership information (new e-mail address etc.), please send
> a message to <bailey@biometrics.org> providing the updated information.
> -------------------------------------------------------------------
>