XML biometric standards jell

As interest grows in using biometric technology, such as fingerprint and facial scanners, to improve security and assist law enforcement, a new standards-making committee has begun a project that could make it much easier and cheaper for agencies to share biometric data about friends and potential foes.

The XML Common Biometric Format Technical Committee, launched last month, will take several existing biometric standards and develop versions of them that are based on Extensible Markup Language.

"The goal is to bring industry to some framework for expressing biometric information so that they could eventually...eliminate all the proprietary formats that prohibit different biometric solutions from being able to be used together," said Phillip Griffin, principal of Griffin Consulting and chairman of the committee, which is run by the Organization for the Advancement of Structured Information Standards (OASIS), an industry consortium that develops e-business and XML standards.

Although the biometric market has been given a great deal of attention lately because of concerns about homeland security, it is still relatively young and — as most new industries are — stymied by products that typically don't interoperate or use a standard way to format data, such as scans of faces, irises, voices and fingerprints.

For example, unless all law enforcement agencies use the same fingerprint system from the same vendor, it will be difficult and expensive for agencies to query one another's systems for matches or create a database of biometric data that they could all access and share.

The XML Common Biometric Format (XCBF) is the latest in a series of efforts to address this situation, but it is the first to focus on XML as part of the solution.

Of the other ongoing biometric standards efforts, two are recognized by the Common Biometric Exchange File Format (CBEFF), a framework for biometric standards spearheaded by the National Institute of Standards and Technology and the National Security Agency.

The two efforts, called "patron formats" of CBEFF, are the Biometrics Application Programming Interface (BioAPI), which makes it easier for applications to work together; and the ANSI X9.84 Biometric Object, which helps secure the authenticity and integrity of biometric data using digital signatures.

The mission of XCBF is to "take the values carried in BioAPI and X9.84 and give them a common XML format based on a common schema," Griffin said. The plan is to make XCBF into another patron format of CBEFF and eventually submit CBEFF to the International Organization for Standardization for approval.

The need for XCBF arises because BioAPI and X9.84 are binary standards, which means they use compact strings of bits to express data. Although binary formats are useful in resource-constrained devices such as smart cards, they can't be used directly with XML systems and applications, which are expected to become a much more prevalent way to build and operate all sorts of Web-based applications.

One challenge before the XCBF committee is to keep the XML standard consistent with the binary standards. "It's critical that XCBF meets the X9.84 security requirements," said Jeff Stapleton, a manager with KPMG LLP and chairman of the X9F4 working group of the X9 Accredited Standards Committee of the American National Standards Institute.

But Stapleton is confident that this will be achieved, because the XCBF committee is using encoding rules that are based on a language called Abstract Syntax Notation One, which was used to develop X9.84.

The committee will have little control over another challenge facing XCBF: Even the most elegant standards will be for naught if the biometric industry does not embrace them.

On the one hand, vendors often use proprietary methods — usually under the guise of "superior" functionality — as a way of locking in customers. On the other hand, vendors have an incentive to use generally accepted public standards because it saves them the trouble of developing everything from scratch. They get their products to market faster and save money during development.

Ultimately, the most persuasive reason for vendors to adopt biometric standards might be pressure from the government and other large customers. "I think big customers will demand it," Griffin said. "I think the U.S. government has the ability to embrace standards and demand standards in the products they buy."

Indeed, several federal agencies already require that the smart cards they buy support BioAPI. Some are also testing products with support for CBEFF and X9.84.

However, the industry's interest in XML-based standards remains to be seen. "Since [XCBF] has gotten started, I have been hearing a lot about it, so it may well turn out to be something quite useful," said Cathy Tilton, director of special projects at SAFLink Corp. and chairwoman of the BioAPI Consortium Steering Committee.