Scott,

End of story?

Well, banks have a problem: They have so far been unable to share R&D efforts in a good way. That's the major reason they have failed to establish a standard PKI-card in spite of having used PKI since ages back.

The banks will [have to] use the solutions that are available which in pretty short time will be the mobile phone. Even a small one will be sufficient for many operations.

Note that not even the biggest Smart Card makers have made their software available for free. They are just waiting for their own marginalization!

Also note: Keys will NOT be put in the SIM.
http://www.arm.com/news/TrustZone270503

Another end of story :-)

Anders

----- Original Message -----
From: "Scott Guthery" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 02, 2003 18:18
Subject: RE: Nordea: e-ID in the bank card

Anders:

Make battery life 5 years. Give the SIMs 16 MB and 4096-bit private keys with sub-second signing. Provide secure PIN entry, a root certificate and touch screens in every handset.

There is only one interesting question: "Who do I sue when it doesn't work?" Telia? Schlumberger? Nokia? Ericsson? You?

It's not about technology. It's about accepting liability. Banks do it. Telcoms don't.

End of story.

Cheers, Scott

==============================

The Swedish branch of Nordea is planning to combine bank cards with electronic identity.

Putting an electronic ID in a bank card
--------------------------------------------

To put an electronic ID (usually in the form of PKI) in a [smart] bank card has been mentioned quite often by bank-people as a great idea. The author of this letter is largely unconvinced of the merits of such a system. Below are some reasons for this.

1. An account is a shareable resource, while a personal ID is not, which makes such a "resource mix" principally rather dubious.

2. Having an on-line world and assuming that the user can be sufficiently authenticated, the distribution of static account resources like EMV becomes completely redundant. 3D Secure (et al.) shows the way forward not only for payments but for many other usages.

3. Putting an ID in a mobile phone having extensive local and remote communication facilities eliminates the need for card readers completely, as well as supporting numerous usage scenarios that physical bank cards will never be able to do.

A question arises; will this third thing ever happen? Progress has indeed been very limited. Due to things like battery capacity improvements, crypto hardware improvements, and deprecation of the operators' SIM-based solutions we should expect some major action in this area the coming 18-36 months. In addition, Microsoft's entrance in the mobile phone market will also put pressure on the other players as Microsoft in their next update claims to have about the same PKI support in their two phone OSes, as has been available in Windows for years.

Sincerely
Anders Rundgren
Project leader for one such mobile phone-based PKI project, occasionally referred to as "the smart card killer".
+46 70 - 627 74 37

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'