You may have heard debates concerning the virtues of "soft certificates" versus "smart cards".
I have come to the conclusion that this distinction is mostly based on the fact that current smart cards cannot be provisioned in a secure way over the Internet to an end-user because there is nothing in the card that can vouch for the origin of generated key-pairs (and a lot of other related stuff as well). Is there a need for a such a facility? Yes, unless you think this is cool: http://www.trustdigital.com/downloads/TD_EMM_CAC_Pack_101008.pdf http://na.blackberry.com/eng/ataglance/security/products/smartcardreader IMO these solutions represent $200+ of total c**p. A better solution would of course be that you used your PIV/CAC/eID card to "enroll2 your mobile device which then should be on par with the original credential security-wise! This can be done by the end-user itself. Rather than "only" making a phone solution, I have revised the Android V2 Keystore project to also work with firmware-enhanced smart cards that should be able to use the same provisioning protocol. The details are yet to be described publicly but I see no problems achieving what is claimed in: "Air-tight" provisioning, the basics: http://webpki.org/papers/keygen2/secure-key-store.pdf "Air-tight" provisioning", core facility: http://webpki.org/papers/keygen2/session-key-establishment--security-element-2-server.pdf Anders
