OASIS Biometric Identity Assurance Services (BIAS) Integration TC


1. What does BIAS stand for?

Biometric Identity Assurance Services. These services include biometric and related services to provide such operations as associating biometric data with a specific identity, performing biometric matching, storing/updating/retrieving biometric and biographic data, etc.

2. What is the rationale behind this standardization effort? What is the motivation of the sponsors/authors?

A gap exists in the current set of biometric standards in the area of remotely invoked biometric services. The goal of this effort is to fill that gap by defining a standard method for accessing a set of such services over a services-oriented framework.

There is a growing interest in biometrics, and biometric systems are becoming more complex as they are integrated into larger identity management and credentialing systems. Today, they are increasingly being used in large-scale systems built on an SOA. There is also an increasing need for data sharing and reuse of resources and services within and across organizations. Many of these systems are being developed by the government – for example, the Department of Homeland Security, a TC sponsor, has a number of such systems in the areas of border management and transportation security that could benefit from the availability of a standard set of biometric Web services.

Today, these types of systems are custom built, proprietary solutions. The availability of a standard biometric services interface will allow for systems to be implemented on an open architecture and provide a degree of vendor independence.

3. What is the scope of this effort? What is explicitly out-of-scope, and why?

BIAS defines a framework for deploying and invoking biometrics-based identity assurance capabilities that can be readily accessed using services-based frameworks (e.g., web services).

Excluded from the scope are a) single platform functionality (e.g., client-side capture) and b) integration of biometric services within an authentication protocol.

4. Are there existing comparable or overlapping standards, or comparable standardization efforts currently under way (inside or outside OASIS)?


5a. Is the product of this technical committee intended to be used in conjunction with other standards or complementary technologies?

Yes. The BIAS Integration standard is intended to be a companion standard to the BIAS standard being developed within INCITS M1 (International Committee for Information Technology Standards Technical Committee M1, Biometrics, http://www.incits.org/tc_home/m1.htm).

5b. How does this work relate to these (is the usage of these complements mandatory? optional? restricted or profiled?)

INCITS will define the biometric operations and associated data elements (i.e., taxonomy) in the BIAS standard. OASIS will define the bindings (i.e., schema, protocols) for integrating these services within a Web services framework. The two companion standards will normatively reference one another.

In addition, the BIAS integration standard will leverage other OASIS standards as required to fulfill these requirements (e.g., WSS).

6. Why is collaboration between OASIS and INCITS necessary?

Biometrics expertise is required to define the biometric operations and to leverage existing biometric standards. SOA and Web services expertise is required to properly implement these operations within a services framework. Both disciplines are needed to create a set of standards that are technically sound and which will result in widespread adoption.

It is critical that experts in both areas contribute their expertise to ensure that the right structure, functionality, and technical details are specified. It is likely that the unique aspects of each technology will impact upon the design of the other; therefore, a close collaboration is required with each group reviewing and commenting on the work of the other. It is also critical that the two companion standards are totally aligned with one another.

This project is the first ever collaboration between OASIS and INCITS, and it is hoped that it will be a model for further such collaboration in the future.

7. Can you give some examples of concrete applications that will benefit from standardizing the specifications from this TC?

- Large government programs such as border management, national ID, voter registration, and transportation security.
- Credentialing programs/systems such as employee ID (commercial and government).

8. Is it anticipated that TC deliverables will be broadly used, deployed, and/or implemented? Or are the deliverables intended for a narrow audience, possibly including only the TC membership?

The services to be defined are intended to be generic in nature and applicable to a wide audience of users who wish to deploy biometric-enabled applications.

9. Are there any plans for formalizing this standard beyond initial publication?

Yes, the intent would be to submit the INCITS and OASIS standards to ISO as a multipart standard in the future.

10. Do you see external factors that should help a broad acceptance and deployment of the specifications from this TC? And factors that may potentially hinder a broad acceptance and deployment?

It is important that the services defined be generic and not tied too tightly to any specific application domain or business logic. It is also important that they be defined at the right level such that the basic functions can be used to construct higher level, aggregate operations.

11. Do you know of companies or industry verticals that have already expressed interest in using the specification(s) produced by the TC in their products or services?

The federal government, large systems integrators, and back-end biometric service providers.

12. Regarding the adoption of this specification(s) by a vendor for its products: is this a decision that vendor companies can make individually, or are the interoperability aspects important enough to require industry-wide, coordinated adoption?

The standard should support both; however, the intent is to facilitate interoperability. Therefore, the broader the cross-section of participants in the development and promotion of the standard, the better.

13. Have the authors and their companies considered further ways to promote the produced specification(s) after completion (PR, marketing, campaigns, industry consortia, etc.)?

Not beyond the prospect of government adoption and specification in procurements.

14. What are the security implications, if any, of this effort?

The intent is to leverage existing web security mechanisms rather than to define any unique security requirements for this set of services.