The Chair of the OASIS XML Common Biometric Format Technical Committee (XCBF TC) has communicated a request that the TC's Committee Specification version 1.1 be considered for approval as an OASIS Standard. The XML Common Biometric Format specification deals with biometrics in the sense of "automated methods of recognizing a person based on physiological (retina, hand geometry, DNA) or behavioral characteristics; they are used to recognize the identity of an individual, or to verify a claimed identity." The OASIS Committee Specification defines "a common set of secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 6529). These XML encodings are based on the ASN.1 schema defined in ANSI X9.84 Biometric Information Management and Security. For security purposes, they make use of the Canonical XML Encoding Rules (CXER) for ASN.1 defined in ITU-T Rec. X.693, and rely on the security and processing requirements specified in the X9.96 XML Cryptographic Message Syntax (XCMS) and X9.73 Cryptographic Message Syntax (CMS) standards." Section 7 provides the XCBF Schema in the form of ASN.1 modules (X9-84-Biometrics Module, X9-84-CMS Module, X9-84-Identifiers Module). Examples for readers and implementors are supplied in Section 8 with the goal of promoting secure, interoperable biometric applications and systems. Voting by the OASIS membership will take place during the latter half of August 2003.

Bibliographic Information

The document submitted for approval as an OASIS Standard is the June 2003 version 1.1 Committee Specification.

XML Common Biometric Format. Committee Specification, Version 1.1. June 2003. 74 pages. Edited by John Larmouth (Individual Member). Contributors: Tyky Aichelen (TC Chair, IBM), Ed Day (Objective Systems), Dr. Paul Gérôme (Individual Member), Phillip H. Griffin (Individual Member), John Larmouth (Individual Member), Monica Martin (Sun Microsystems), Bancroft Scott (OSS Nokalva), Paul Thorpe (OSS Nokalva), Alessandro Triglia (OSS Nokalva), Rick Randall (Booz Allen Hamilton), John Messing (American Bar Association), Clifford Thompson (Individual Member), John Aerts (LA County Information Systems Advisory Body), and Michael Nguyen (The Infocomm Development Authority of Singapore).

XCBF Specification Overview

Biometrics are automated methods of recognizing a person based on physiological or behavioral characteristics. They are used to recognize the identity of an individual, or to verify a claimed identity. This specification defines a common set of secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 6529). These CBEFF formats currently include the binary biometric objects and information records in two ANSI standards.

These XML encodings are based on the ASN.1 schema defined in ANSI X9.84:2003 Biometric Information Management and Security. They use, for security purposes, the Canonical XML Encoding Rules (CXER) for ASN.1 defined in ITU-T Rec. X.693, and rely on the same security and processing requirements specified in X9.96 XML Cryptographic Message Syntax (XCMS). Values of the Biometric Information Record (BIR) defined in ANSI/INCITS 358-2002 - Information technology - BioAPI Specification that can be represented in the X9.84 biometric object format can also be represented using XML markup and secured using the techniques in this standard.

This standard defines cryptographic messages represented in XML markup for the secure collection, distribution, and processing, of biometric information. These messages provide the means of achieving data integrity, authentication of origin, and privacy of biometric data in XML based systems and applications. Mechanisms and techniques are described for the secure transmission, storage, and integrity and privacy protection of biometric data.

This document describes the process for translating between an X9.84 BiometricObject and a BioAPI-1.1 Biometric Information Record (BIR). The X9.84 schema is the same as the schema defined in this standard and provides a common means of representing in XML markup the binary values described in the X9.84 and BioAPI-1.1 standards. Once BIR format values are represented as values of type BiometricObject they can be secured using the techniques described in this standard. [adapted from the Introduction]

XCBF Examples

Three examples are provided in Section 8 of the specification "to assist readers and implementors of this standard, and with the goal of promoting secure, interoperable biometric applications and systems."

The BiometricSyntaxSets (CXER, DER) example "illustrates a value of type BiometricSyntaxSets encoded in XML markup using the basic XML Encoding Rules (BASIC-XER), a canonical variant of the XML Encoding Rules (CXER) and a compact, canonical, binary format using the ASN.1 Distinguished Encoding Rules (DER). The XER, CXER and DER representations use exactly the same abstract values, based on the same XCBF ASN.1 schema. Two representations are well-formed XML markup. The third representation is a compact, binary DER encoding. Both CXER and DER are suitable for use in cryptographic applications involving digital signatures, since these encoding rules provide one and only one way to encode any given value..."

A SignedData example "illustrates how to encode one or more biometric samples or templates for cryptographic enhancement to provide authentication of origin and data integrity services for biometric samples or templates.

An EncryptedData (fixedKey) example "illustrates how to encode a series of one or more biometric samples or templates for cryptographic enhancement. A group of three biometric objects is used, though XCBF allows any number of objects to be included. The optional, cleartext biometric headers are not included in the example message. The group of three biometric objects is encrypted for privacy using a fixed Triple DES key. As shown in this example, XCBF users can create and exchange arbitrary collections of biometric information to suit the needs of their security applications. This capability provides the application designer complete flexibility. The order of the biometric objects is determined in the application by the sender, allowing them to prioritize or order biometric information for purposes such as aging of data, or grouping records by quality or data type or entity..."

Arbitrary collections of biometric information: "Collections of useful biometric information include:

• pairs of iris image templates for an individual; one for each eye
• collections of paired iris image templates for a group of individuals
• collections of finger print image templates, one per digit for an individual
• sets of individual finger print image template collections for a group of persons
• a collection of mixed biometric templates for an individual; say, retina, hand geometry, and DNA
• collections of templates for groups of individuals, such as:
  • all employees at work today, or
  • all of the passengers on Flight 12, or
  • all of the finger print samples collected on Tuesday

XCBF TC Charter

The OASIS XML Common Biometric Format (XCBF) Technical Committee was chartered to define "a common set of secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 6529). These XML encodings will be based on the ASN.1 schema defined in ANSI X9.84:2003 Biometrics Information Management and Security. They will conform to the XML Encoding Rules (XER) for ASN.1 defined in ITU-T Recommendation X.693, and rely on the security and processing requirements specified in X9.96 XML Cryptographic Message Syntax (XCMS)."

Declarations of Successful Use

One requirement for approval of a Committee Specification as an OASIS Standard is a declaration by at least three OASIS member organizations stating that they are "successfully using the specification consistently with the OASIS IPR Policy." See the statements from:

• Statement from Ed Day of Objective Systems
• Statement from Bancroft Scott of OSS Nokalva
• Statement from Tyky Aichelen of IBM