Inventory: Require Appendix F Certified Scanner

[gfiumara]

Related to #2, but split out for discussion. FBI EBTS Appendix F is the de facto fingerprint sensor certification guidelines and procedure. Requiring a certified scanner will help ensure the captured print is of a sufficient enough quality to create a mold without requiring a specific scanner manufacturer.

I suggest we explicitly require EBTS Appendix F scanner, regardless of what resolution is determined in #2.

[woodbe]

@gfiumara my only concern with saying that the scanner MUST come from that list is that say an EU scheme could say they want to use something that is tested by them, and not the US FBI. I'm not arguing that there is anything wrong with the FBI list by any means, just that we have to be careful of requiring things like that.

I certainly think we could list that as a place to find commercial products though, in the table (instead of putting in a specific product maybe, I'm not sure).

[gfiumara]

Fair, but I don't know of other testing programs.

[woodbe]

@gfiumara This is why my edit has these listed as part of the commercial scanners list, but not as a mandated list.

[gfiumara]

Essentially, I want to avoid folks using cheap sensors that claim 500 PPI but whose acquition methods do not provide a robust image. For example, a sweep-style sensor can image at 500 PPI, but relies on image stitching which will introduce artifacts and not be able to image the entire finger. This might be acceptable for the verification image on the TOE, but not for creating a PAI.

[gfiumara]

FYI: Learned of BSI (Germany) fingerprint scanner qualifications, which may be useful (Section 5.1.2). The qualifications mimic EBTS Appendix F, with the exception of minimum physical capture size.

[woodbe]

Ok, so how about specifying in the requirements that the scanner must meet either the BSI or the FBI requirements. If I can point to multiple that agree, I think we are OK. Then under the examples we cam point to the FBI website since it is nicely searchable, but it is just a place to look for them, not mandated.

[gfiumara]

I would be good with requiring the linked BSI qualifications or FBI qualifications. Could we say something like "meets EBTS Appendix F or equivalent national body image quality specifications?"

I also noticed ISO/IEC 19794-4 has an appendix with image quality specifications for scanners. Looking very quickly between meetings, this appears to be equivalent to EBTS Appendix F, which could remove the "international" problem.