How Face PKI enables functional eID
For an eID system, there should exist exactly one foundational eID for a person.
However, for privacy preservation, if that foundational eID is used across different systems, it makes the foundational eID linkable. As an example, if your passport number was stored in many different databases, it would make it easy to track all your interactions across those databases.
Functional eID solves this problem by facilitating a pairwise functional eID for an ID Holder and a particular verifier/service/purpose.
Functional eID is enabled through SenseCrypt's Face PKI features. The following steps describe how this works:
Root Certificate - The issuer of the foundational eID has a root certificate that all verifiers can trust. All verifiers first obtain the root certificate and cache it.
Foundational eID Issuance - After authenticating a prospective eID candidate, the ID issuer issues a SensePrint eID. This eID forms the foundational eID.
Face Certificate (functional eID) - When the eID holder interacts with a service, the service (verifier) needs to validate that the holder is real. To do so, the service requests a Face Certificate from the holder that is signed by the foundational eID's issuer. Such a Face Certificate contains a unique public key of the eID holder. The public key is, however, different for each verifier/service/purpose, thus preserving privacy through unlinkability.
A Face Certificate is generated from a user's face and their SensePrint eID. It is generated for a particular purpose ID. The same purpose ID must be specified while verifying the eID holder using a Face Certificate. Since the purpose ID is expected to be unique for every service that the user interacts with, the public key in the Face Certificate is pairwise and preserves privacy through unlinkability.
The verifier can trust that a Face Certificate provided by an eID holder is authentic by verifying its signature using the trusted Root Certificate. The Face Certificate can be cached by a verifier after the first functional eID verification, performed in the step described below.
Functional eID Verification - When a user presents a Face Certificate to a verifier, the verifier only knows that the certificate is valid and has been issued by the foundational eID issuer. To verify that it is the actual eID holder who is presenting the certificate, the verifier presents a random challenge to the holder (e.g. a UUID). The eID holder signs the challenge using an ephemeral private key that is generated from their face, their SensePrint eID, and the specified service/purpose ID, and transmits the signature back to the verifier. The verifier can then verify the signature using the public key that is contained in the eID holder's Face Certificate.
A Face Certificate allows the verification of an eID holder using their face without a verifier having (or processing) the holder's face!
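The issuance and verification flow above, as an added example that is not SenseCrypt's code: it uses Ed25519, models the face-plus-SensePrint key material as a constructed secret, and mixes the purpose ID in via HMAC so that each verifier sees a different public key. The names FaceCert, DeriveHolderKey, IssueFaceCert, VerifyFaceCert and ChallengeResponse are assumptions, not a SenseCrypt API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// FaceCert stands in for a Face Certificate: a pairwise public key bound to one purpose ID, signed by the issuer.
type FaceCert struct {
	PurposeID string
	PubKey    ed25519.PublicKey
	Sig       []byte
}

func (c FaceCert) tbs() []byte { return append([]byte(c.PurposeID+"|"), c.PubKey...) }

// DeriveHolderKey models the ephemeral key made from the holder's face and SensePrint eID for one
// purpose ID; holderSecret is a constructed stand-in, and HMAC over the purpose ID gives each service a different key.
func DeriveHolderKey(holderSecret []byte, purposeID string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, holderSecret)
	mac.Write([]byte(purposeID))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // SHA-256 output is the 32-byte seed
}

// IssueFaceCert: the issuer signs the purpose-scoped public key with its root key.
func IssueFaceCert(rootPriv ed25519.PrivateKey, purposeID string, pub ed25519.PublicKey) FaceCert {
	c := FaceCert{PurposeID: purposeID, PubKey: pub}
	c.Sig = ed25519.Sign(rootPriv, c.tbs())
	return c
}

// VerifyFaceCert: the verifier checks the root signature and that the cert is for its own purpose ID.
func VerifyFaceCert(rootPub ed25519.PublicKey, c FaceCert, purposeID string) bool {
	return c.PurposeID == purposeID && ed25519.Verify(rootPub, c.tbs(), c.Sig)
}

// ChallengeResponse: the holder signs the verifier's challenge (the UUID in the text); the verifier checks it with the certified key.
func ChallengeResponse(c FaceCert, holderKey ed25519.PrivateKey, challenge []byte) bool {
	return ed25519.Verify(c.PubKey, challenge, ed25519.Sign(holderKey, challenge))
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderKey := DeriveHolderKey([]byte("constructed face+SensePrint material"), "bank")
	cert := IssueFaceCert(rootPriv, "bank", holderKey.Public().(ed25519.PublicKey))
	fmt.Println(VerifyFaceCert(rootPub, cert, "bank"), ChallengeResponse(cert, holderKey, []byte("challenge")))
}
```

Deriving the same secret under a second purpose ID yields an unrelated public key, which is the unlinkability property the text describes.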