Internet Biometric Certificates 


Description of X.509 Public Key Infrastructure can be found in ITU site .  IETF PKIX working group can be found at:


Proposed Methods to use X.509 Attribute Certificates to store biometric templates us described in


We have followed up recomendations of in our appoach in issuance and verification X.509 Certificates.


Biometric Certificate system encompasses full process of handling X.509 certificates that can be verified using Biometric Technology.   It provides means to enroll and issue Biometric Certificates as well as an ability to request and perform Certificate verification.


X.509 certificates can be used to sign and encrypt documents, e-mail, conduct online business and in a number of other applications.   It is impossible to tamper with certificates, but there is no mechanism apart from biometrics that can ensure that a certificate belongs to the same person who claims to be an owner of the certificate.


To perform enrollment or verification a customer is required to have a biometric device and appropriate software installed on his/her workstation.  

This is an Internet Web based system and customers interact with the system using an Internet Browser.



There are three distinct processes:




In this picture green process illustrates enrollment and retrieval of certificates, red - verification and blue - possible usage.



To perform enrollment customer is required to have a biometric device and appropriate software installed on his/her workstation.   Enrollment page consists of a form that includes personal customer information such as name, organization, e-mail address, password and other.  After filling up the form, customer will be required to perform Iris Biometric enrollment.   Once an administrator approves the enrollment (it is an optional step), e-mail will be sent to the customer pointing him to URL where he/she can retrieve the certificate.



Customer goes to retrieval URL as directed by the e-mail confirming enrollment.  The retrieval page will ask customer to present his/her iris for verification and if the verification is successful, customer will be able to download or import certificate to the workstation.

This is a regular X.509 certificate and it can be used to sign e-mail, documents and connect to conduct business on the Internet.  The certificate also contains biometric extensions where customer biometric ID is store together with URL of biometric service provider.



To request certificate verification a recipient of certificate goes to our Biometric Certificate Web site and uploads the certificate for verification.  The customer should be a subscriber of the verification service.

Biometric Certificate server decodes the certificate and sends an email to the certificate owner, requesting to go to verification URL.  Certificate owner can now go to the URL and present his/her Iris to verify that the certificate in belongs to the owner.  If verification is successful, the certificate recipient receives email from the server that confirms the verification.