Internet Biometric Certificates 


 

A description of the X.509 Public Key Infrastructure can be found on the ITU site at http://users.erols.com/ambur/x509.htm. The IETF PKIX working group can be found at: http://www.ietf.org/html.charters/pkix-charter.html

 

Proposed methods of using X.509 Attribute Certificates to store biometric templates are described at http://www.biometrics.org/html/x.509.html.

 

We have followed the recommendations of www.biometrics.org in our approach to the issuance and verification of X.509 certificates.

   

The Biometric Certificate system encompasses the full process of handling X.509 certificates that can be verified using biometric technology. It provides the means to enroll for and issue Biometric Certificates, as well as the ability to request and perform certificate verification.

 

X.509 certificates can be used to sign and encrypt documents and e-mail, to conduct online business, and in a number of other applications. It is impossible to tamper with certificates, but apart from biometrics there is no mechanism that can ensure that a certificate belongs to the person who claims to be its owner.

 

To perform enrollment or verification, a customer is required to have a biometric device and appropriate software installed on his/her workstation.

This is a Web-based system, and customers interact with it using an Internet browser.

 

 

There are three distinct processes:

        Enrollment

        Retrieval

        Verification


In this picture, the green process illustrates enrollment and retrieval of certificates, the red process illustrates verification, and the blue process illustrates possible usage.

 

Enrollment

To perform enrollment, the customer is required to have a biometric device and appropriate software installed on his/her workstation. The enrollment page consists of a form that collects personal customer information such as name, organization, e-mail address, password and other details. After filling in the form, the customer is required to perform iris biometric enrollment. Once an administrator approves the enrollment (this is an optional step), an e-mail is sent to the customer pointing to the URL where he/she can retrieve the certificate.

 

Retrieval

The customer goes to the retrieval URL given in the e-mail confirming enrollment. The retrieval page asks the customer to present his/her iris for verification, and if the verification is successful, the customer can download the certificate or import it to the workstation.

This is a regular X.509 certificate, and it can be used to sign e-mail and documents and to connect to conduct business on the Internet. The certificate also contains biometric extensions where the customer's biometric ID is stored together with the URL of the biometric service provider.

 

Verification

To request certificate verification, the recipient of a certificate goes to our Biometric Certificate Web site and uploads the certificate for verification. The customer should be a subscriber of the verification service.

The Biometric Certificate server decodes the certificate and sends an e-mail to the certificate owner, asking him/her to go to the verification URL. The certificate owner can then go to the URL and present his/her iris to verify that the certificate belongs to the owner. If verification is successful, the certificate recipient receives an e-mail from the server that confirms the verification.
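
The verification exchange described above can be modelled as follows. This is an added example, not code from the Biometric Certificate system: the class and method names, the verify.example URL, the 15-minute link lifetime and the three-attempt limit are assumptions, and the owner's e-mail address decoded from the certificate and the result of the iris match are passed in as inputs.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed lifetime of a verification link, in seconds
MAX_ATTEMPTS = 3      # assumed number of iris presentations allowed per link


def _key(token):
    # Store only a hash of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class VerificationServer:
    """Hypothetical model of the verification exchange; e-mail goes to self.outbox."""

    def __init__(self, subscribers, clock=time.time):
        self.subscribers = set(subscribers)
        self.pending = {}   # sha256(token) -> request record
        self.outbox = []    # (recipient, message) pairs standing in for e-mail
        self.clock = clock

    def request_verification(self, requester, cert_der, owner_email):
        """Recipient uploads a certificate; the owner is e-mailed a one-time URL."""
        if requester not in self.subscribers:
            raise PermissionError("verification is a subscriber-only service")
        token = secrets.token_urlsafe(32)
        self.pending[_key(token)] = {
            "requester": requester,
            "cert_fp": hashlib.sha256(cert_der).hexdigest(),
            "expires": self.clock() + TOKEN_TTL,
            "attempts": 0,
        }
        self.outbox.append((owner_email, "https://verify.example/v?t=" + token))
        return token

    def complete(self, token, iris_matched):
        """Owner follows the URL and presents an iris; True only on a fresh match."""
        rec = self.pending.get(_key(token))
        if rec is None:
            return False
        rec["attempts"] += 1
        expired = self.clock() > rec["expires"]
        if expired or iris_matched or rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[_key(token)]   # link dies on expiry, success or lockout
        if expired or not iris_matched:
            return False
        self.outbox.append((rec["requester"], "verified certificate " + rec["cert_fp"]))
        return True
```

The confirmation names the fingerprint of the uploaded certificate, so the recipient can tell which certificate the owner's iris presentation was bound to.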