- From: Paul Lambert <plambert@certicom.com>
- Date: Wed, 21 Apr 1999 11:57:58 -0700
- To: Alan Kotok <kotok@w3.org>
- cc: "John Boyer" <jboyer@uwi.com>, "Dsig group" <w3c-xml-sig-ws@w3.org>
>What "encryption" binds the identifying information unique to the >signer and the description of what is being signed? Biometrics provide nothing more that a unique identifier. It is an identifier that is a little more difficult to duplicate that a name or serial number. Biometrics are forgeable Biometrics are relatively easy to duplicate since they are just a string of bits. Any strength in the authentication must be based on the hardware component that is used to read the biometric data. Either a public key technique or a keyed hash is required then to authenticate the biometric input device. Cryptographic techniques are also required to prevent the modification of biometric data in transit for remote authentication applications. Biometrics may be an interesting attribute to associate with a key. As an attribute of a key they could be used as part of an authentication or identification process. >There seems to be general agreement that whatever we develop should be able >to accommodate multiple signature technologies. No! I do agree that we should support a few different public key algorithms. I do agree that we may want to support encryption, key exchanges, or keyed hashes. A keyed hash has it's own properties and should not be described as a digital signature. Paul Alan Kotok <kotok@w3.org> on 04/21/99 11:42:20 AM To: "John Boyer" <jboyer@uwi.com> cc: "Dsig group" <w3c-xml-sig-ws@w3.org> (bcc: Paul Lambert/Certicom) Subject: Re: Fw: XML versus ASN.1/DER blob At 01:24 PM 4/21/99 , John Boyer wrote: >... >The pen people's biometric tokens are encrypted blobs containing biometric >measures of the act of signing as well as a sha-1 or md5 hash of the >document being signed. The biometrics identify the signer, the act of >signing implies authorization (same as paper), the hash authenticates the >document content, and the encryption binds the two together. The pen people >claim that this signing technology offers an electronic solution that is at >least as secure or substantially more secure than the paper signatures that >we currently accept. There seems to be general agreement that whatever we develop should be able to accomodate multiple signature technologies. There also seems to be agreement that it is not the work of this group to judge the strength or merit of any particular technology. But it does seem necessary to understand the requirements posed by known signature technologies on the specifications we develop. Therefore, I would assume we need to understand how signing using biometrics relates to the process we are more familiar with: that of encrypting the hash of a signature block using the private key of a public keypair. Maybe I'm a bit dense, but I can't figure out the explanation provided above. What "encryption" binds the identifying information unique to the signer and the description of what is being signed? Could you take us through that operation in more detail? Thanks. Alan ___________________________________________________________________________ Alan Kotok, Associate Chairman mailto:kotok@w3.org World Wide Web Consortium http://www.w3.org MIT Laboratory for Computer Science, 545 Technology Square, Room NE43-409 Cambridge, MA 02139, USA Voice: +1-617-258-5728 Fax: +1-617-258-5999
Received on Wednesday, 21 April 1999 15:06:21 UTC