A slightly disturbing "side effect" of mixing accounts and IDs using the Finnish and Swedish schemes is that each time you perform a payment, the POS terminal can, without any PIN-codes etc., also read the user's ID-certificates (public keys), effectively "leaking" identity information to parties that should not necessarily have such information.

Anders

----- Original Message -----
From: "Peter Tomlinson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "David Everett" <[EMAIL PROTECTED]>
Sent: Saturday, March 13, 2004 19:45
Subject: Re: [Muscle] A combined EMV and ID card

Who issues and manages and guarantees the ID information on the card? The bank? Or the government? That is absolutely crucial.

Anders: Do you know any details of the technology used for the ID?

Peter

----- Original Message -----
From: "Anders Rundgren" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 13, 2004 4:31 PM
Subject: [Muscle] A combined EMV and ID card

> A combined EMV and ID card
> ----------------------------------
>
> In Sweden banks are gearing up (in "bank-speed"...) for
> issuing combined EMV and ID-cards. The reason behind that
> is to reuse the card infrastructure as well as due to the fact
> that banks already are ID-issuers. This system apparently
> already exists in Norway although not in electronic form yet.
>
> Technically I see no difficulties with this, but my (open) question
> is if this should be considered as a short-term "fix" or a viable
> long-term scheme even on a global scale.
>
> Personally I have some problems with mixing an "account" which
> is a potentially sharable resource, with an "ID" which is not legal
> to share with others, as well as a nuisance to be without. That is, if
> I let my kids pay for something on the Internet, I will using a "combo"
> card give them a "passport" to possibly a myriad of other things as
> well. To have different PIN-codes may be a possibility but most
> people don't appreciate multiple PIN-codes. I am one of them :-)
>
> Currently this is "theory" as EMV on the Internet is still mostly
> a dream. ID on the other hand is for real.
>
> Regarding Internet-payments, it seems that you long-term, rather
> would give other valid [and properly authenticated] users of an
> account, an "entitlement" to perform certain payments using
> 3D Secure-like schemes instead of requesting credit cards for your
> kids (or employees). Because then, You, the account owner can
> administer and monitor account sharing yourself in the on-line bank
> holding the account. Probably, banks will find this idea slightly
> "challenging", but it is indeed a logical next step.
>
> It looks to me that the need for secure IDs is much bigger than
> the need for secure "payment-tokens" if we restrict the scope to
> Internet-payments.
>
> Just my 0.2 EUR
>
> Anders Rundgren
> Consultant, PKI & e-Business
> +46 70 - 627 74 37
> _______________________________________________
> Muscle mailing list
> [EMAIL PROTECTED]
> http://lists.musclecard.com/mailman/listinfo/muscle
