>Such signatures are accepted, but not on the basis of there being
>a strong binding. Otherwise, making your mark in the form of
>an X wouldn't be allowed.
>-Ekr
This is key. I don't distinguish between biometrics and 'voluntary'
signals such as Voice prints etc. because as I see it people are looking
at the biometric quality for the security.
I agree that there is much use of insecure authentication proceedures in
paper transactions. These insecurities are in gerneral acceptable
because there are other controls that mitigate risks (relationships,
physical presence etc.) and until now there has been no better way.
I utterly reject the notion that e-commerce should start from the
position that current levels of fraud and theft are acceptable. That
type of thinking leads to systems like the AMPS cellular billing scheme,
a system so insecure that the UK police and courts refuse to spend
taxpayer monies deterring clonning fraud that the operators could easily
have prevented.
So far the way of integrating biometrics and public key cryptography
that works best is to use a biometric to gate access to the private key.
This particular scheme is ecceptionally strong and does not require any
special support in XML DigSig.
Phill