>At most, it'll contain a name+password for HTTP basic-auth (and to identify >users to the site so they can be connected with the info they supplied at >purchase time). You've spent too long in the crypto world.
Having poked around in the FAQ (I can't believe I'm wasting my time on this), it could be one of three things: 1. Dumb memory card. 2. As (1) but with basic PIN-protected memory region (unlikely, since the user isn't asked to enter a PIN and unique PINs means they can't hardcode it into the access software). 3. Eurochip-type challenge-response card. In other words, a phone card. Also not too likely, since you can't do this via basic-auth. The FAQ handwaves the details, so it could be either 1 or 3. Can someone who has one of these things try reading the ATR off it? (You can also see, from the large number of FAQ entries covering potential problems and all the warnings about things to look out for when you use the card/reader, how not-ready-for-prime-time smart cards still are). Peter.