

Are Biometrics Too Good?
January 25, 1999
Real Risks, Real Rewards?
The privacy risks inherent in this slippery slope should be enough to make us have second thoughts about ever using such technology inside our corporations, let alone allowing our governments to use it. These days, more data, not less, is publicly accessible. Databots are finding and collating information at an ever-increasing rate, and most of this data collection is being done for very questionable motives. No regulatory guarantee will be able to protect people and companies from abuse in this area.
Thus, our focus when discussing biometric technology shouldn't be on its ability to withstand attack, but rather on where and how people use it in their security systems. Biometrics are not intrinsically bad, but people will undoubtedly use biometrics for bad ends. It's the same concept that gun-control proponents express--"Guns don't kill people; people kill people." Using biometrics for personal authentication in one form or another is the best method we'll get, but we should be careful about how far we let it go. We can apply rule 6a of RFC 1925 (The Twelve Truths of Networking), "It is always possible to add another level of indirection," and thereby produce a fairly elegant security methodology.
A biometric is a unary identity: All of us have only one left thumbprint. How will you separate your work identity from your private identity? With the lack of U.S. movement to conform to the European privacy requirements (the OECD Cryptographic Guidelines of 1997, Principle 5), there is significant risk that your private activities (buying habits, entertainment preferences, political activities) will be inextricably connected to your work activities.
I want three identities: One for my employer, one for my estate and government use, and one for my private musings. I may also wish to create a different identity for a particular short-term business deal; a deal in which I have no intent to defraud, but neither do I have any desire to have it affect any business ventures I may undertake in the future.
Some people claim that since all such activities mentioned above are signed with the same cursive lines of ink, called a signature, it stands to reason that we need but one digital signature. This is wrong. Paper records cannot be easily collected to create a unified personal history; however, electronic documents are being collected even now for this purpose, and herein rests the heart of the privacy issue. Electronic identities are just that: identities. They are more than just an instrument of document signing--they go beyond the tradition of cursive signatures for intent. Digital certificates are far better suited for this type of identity process.
But digital certificates have their risks as well, most notably the loss of the private key. Theft of the private key would yield the same result as the theft of a thumb in a biometric system--and stealing the private key is much easier to accomplish.
A Powerful Combination
The win-win situation would couple the two technologies: Use digital certificates for public identity, and protect and actuate those multiple certificates with biometrics. This minimizes each technology's risks, while leveraging its respective strengths. I have seen smart cards that meet these design criteria. The first person to place a thumb (or any finger, I suppose) on the card's thumb scanner personalizes the card. Then, after the card's initialization, certificates can be preloaded by the CA (certificate authority) or downloaded via the PKIX-3 protocol (draft-ietf-pkix-ipki3cmp-08.txt).
An individual can own as many of these smart cards as he or she chooses, similar to the way many of us seem to collect credit cards today. There is no practical limit on smart-card ownership, other than how many will fit into your wallet or purse. In fact, the wisdom of keeping a few credit cards in a different wallet or briefcase in case of theft would apply equally well with smart cards. The debate about how people would decide which digital certificate to use in a given situation would be no more complicated than today's decision regarding which credit card to use.
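The card-plus-certificates design above, as an added Python model (not the column's or any card vendor's code): a biometric personalizes and actuates a card holding several independent identity keys, so the identifier seen in each context is unlinkable to the others, whereas using the thumbprint itself as the identifier links every context. HMAC stands in for certificate signatures, and the identity labels and template bytes are constructed assumptions.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Biometric-gated card: the first template enrolled binds the card, and each
    key is actuated only by a matching template. Keys are independent random
    secrets, never derived from the biometric, so the biometric never leaks."""

    def __init__(self):
        self._template_hash = None   # enrolled biometric, kept only as a hash
        self._keys = {}              # identity label -> private key (stand-in)
        self.revoked = False         # set when the card is lost or destroyed

    def enroll(self, template: bytes) -> None:
        if self._template_hash is not None:
            raise PermissionError("card already personalized by its first user")
        self._template_hash = hashlib.sha256(template).digest()

    def _unlock(self, template: bytes) -> None:
        if self.revoked:
            raise PermissionError("card revoked")
        if self._template_hash is None or not hmac.compare_digest(
                hashlib.sha256(template).digest(), self._template_hash):
            raise PermissionError("biometric does not match enrolled template")

    def load_identity(self, label: str, template: bytes) -> str:
        """Load a fresh identity (one certificate in the column's terms) and
        return its public identifier, a stand-in for the certificate fingerprint."""
        self._unlock(template)
        self._keys[label] = secrets.token_bytes(32)
        return self.public_id(label)

    def public_id(self, label: str) -> str:
        return hashlib.sha256(b"cert:" + self._keys[label]).hexdigest()[:16]

    def sign(self, label: str, template: bytes, message: bytes) -> bytes:
        """The biometric actuates the chosen identity's key; HMAC stands in for
        the certificate's digital signature (stdlib has no asymmetric crypto)."""
        self._unlock(template)
        return hmac.new(self._keys[label], message, hashlib.sha256).digest()


def direct_biometric_id(template: bytes) -> str:
    """The design the column warns against: the thumbprint itself is the identity."""
    return hashlib.sha256(template).hexdigest()[:16]


def linkable(identifiers) -> bool:
    """True when identifiers observed across contexts all point to one person."""
    return len(set(identifiers)) == 1
```

Revoking a lost card (`revoked = True`) disables every key on it, and a replacement card gets entirely new keys, so nothing signed by the old card carries over.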
Biometrics can also be built right into a system's BIOS. The biometric enables access to the device for its owner, and traditional authentication systems take over for network and application authentication. There are a few potential traps here. There's the risk of lost access; for example, a person may have an accident and lose the ability to activate the thumbprint on his or her computer. There may also be a need for shared access, and multiple biometric ID support can weaken an access-control system. Also, technical-support access could fall into the wrong hands. If a smart card becomes unusable, it can be destroyed and the certificates on the card revoked. A new card with new certificates can then be issued, yielding a much more manageable security system than embedded biometrics. This would be a small price to pay compared to the amount you'd have to spend to replace a whole system.
For security, rule 8 of RFC 1925 is king: "It is more complicated than you think." There is no shortcut to security. Or rather, the short road will be longer and the long road will be shorter. Biometrics are coming of age and present a compelling case for application in security systems. But I believe the privacy risks they create far outweigh their direct value. The very general wording in the 1999 federal appropriations bill specifying electronic signatures for electronic government correspondence is already a dangerous privacy trap.
We need to apply ourselves to creating security systems in a manner that leverages strengths and lessens weakness. In doing this, we can enhance the privacy of the people whose activities we secure. And we can make people's tasks easier to perform despite the security that is needed in this digital age.
Robert Moskowitz is a senior technical director at ICSA Inc.; he is also a member of the Internet Architecture Board. Send your comments on this column to him at rgm@htt-consult.com.