
xcbf message


Subject: [xcbf] Schema changes

When I attended the Digital ID World conference, I had a chance to
talk to some folks working on a US DOD requirement to place an
X9.84:2001 BiometricObject in an X.509 AttributeCertificate or
Certificate extension. The idea was that since they could map some
simple BioAPI objects into a value of type BiometricObject that they
could then encode the beast using the X9.84 ASN.1 schema in DER.

So, after some discussions with the folks doing the revisions to X9.84,
I decided to design the following and add it to the ASN.1 schema. It
doesn't really affect XCBF directly, but it might open up some usage
possibilities for XCBF tools. I was asked when doing this work to
support X9.68 compressed domain certificates as well, as this, it
appears, will soon be approved work in ISO TC68.

For the X.509 extension object, I decided on the following:

biometricTemplates EXTENSION ::= {
  SYNTAX         EncodedBiometricObjects  -- DER or cXER --
  IDENTIFIED BY  x509-biometricTemplates

  &ExtnType }

Here, the EncodedBiometricObjects is the familiar type from XCBF.
This complete encoding of a value of type BiometricObjects (a series
of one or more values of type BiometricObject) will be wrapped in
X.509 in an "octet hole" - that is, this encoding will become the "value"
component of a Tag-Length-Value OCTET STRING.

When an application fully decodes the extension payload they will get
a hex blob. To determine whether this blob contains the complete DER
encoding of a value of type BiometricObjects, the first octet will need
to be checked. If it is a hex 30 then the encoding is DER. If it is the
"<" character, then the encoding is cXER. If neither, then it is either a
PER encoding or an error.

For the X9.68 domain certificate extension object, I decided on the

domainBiometricTemplates PRIVATE ::= {
  NAME  oid : x968-biometricTemplates
  TYPE  EncodedBiometricObjects  -- DER or cXER --

  &name  Identifier  UNIQUE,
WITH SYNTAX { NAME &name [TYPE &Type] }

Identifier ::= CHOICE {
  oid  OBJECT IDENTIFIER,  -- complete object identifier
  id   RELATIVE-OID        -- object identifier fragment

Part of how I achieve significant compression in the X9.68 format is by
not doing the octet hole wrapping of extension payloads. So the value of
type BiometricObjects will appear in whatever encoding rule is being
applied to the DomainCertificate as a whole.

I'll update the web site with this shortly.
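
The first-octet check described in the message, as an added example that is not part of the original post or of the X9.84/XCBF schema work. It unwraps the OCTET STRING "octet hole" and, as an extra check the message does not ask for, accepts a leading hex 30 as DER only when the SEQUENCE length accounts for the whole payload, since a PER encoding can also begin with that octet. The function names, the return labels and the sample bytes are assumptions constructed for illustration.

```python
def read_tlv(buf: bytes, offset: int = 0):
    """Parse one definite-length DER TLV; return (tag, value, next_offset)."""
    if len(buf) - offset < 2:
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[offset], buf[offset + 1], offset + 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length, n octets follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) - pos < n:
            raise ValueError("indefinite, unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length is not DER")
        pos += n
    if len(buf) - pos < length:
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def classify_extension_value(extn_value: bytes) -> str:
    """extn_value is the encoded OCTET STRING that wraps the extension payload."""
    tag, payload, end = read_tlv(extn_value)
    if tag != 0x04 or end != len(extn_value) or not payload:
        raise ValueError("expected exactly one non-empty OCTET STRING")
    if payload[0] == 0x3C:                 # "<" character: cXER markup
        return "cXER"
    if payload[0] != 0x30:                 # neither hex 30 nor "<"
        return "PER-or-error"
    # Hex 30 is the SEQUENCE tag, but the first octet alone is ambiguous:
    # require the SEQUENCE TLV to consume the payload exactly.
    try:
        inner_end = read_tlv(payload)[2]
    except ValueError:
        return "PER-or-error"
    return "DER" if inner_end == len(payload) else "PER-or-error"


def wrap_octet_string(payload: bytes) -> bytes:
    """Hypothetical helper for the short constructed samples below (< 128 octets)."""
    return bytes([0x04, len(payload)]) + payload


if __name__ == "__main__":
    # Constructed samples, not real BiometricObjects encodings.
    for sample in (b"\x30\x03\x02\x01\x05", b"<BiometricObjects/>",
                   b"\x80\x01", b"\x30\x05\x01"):
        print(sample[:1].hex(), classify_extension_value(wrap_octet_string(sample)))
```
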

