Message text written by INTERNET:[EMAIL PROTECTED]
>
ald Vogt wrote:
>
> One contact address is:
>
> Bank-Verlag Koeln
> Melatenguertel 113
> D-50825 Koeln
> Germany
>
> http://www.bank-verlag.de/
>
> From what I know I can say that in order to obtain a copy of the spec,
> you are required to sign a pretty restrictive NDA. Furthermore, it
> is probably not free (a few hundred DM).
I've noticed this quite a bit when dealing with card vendors. Can anyone
explain why a document describing the APDUs necessary to transact with a
card is considered proprietary? If you believe the premise of smart card
technology that the card can be a secure storage medium for secrets and
that the card can defend itself against attacks, what would be the problem
of allowing the APDU information to be known?
mike
<
From Peter Tomlinson:
This proprietary position now seems to be going even further. While
discussing possible ways to design financial transaction processing systems
(combination of card, reader/writer, PC, internet connection, etc) that are
secure, I have several times provoked responses from people who advise me
that they and/or others have patents on the system and message
organisation. Why do they do it? In order to make money is the first
reason. Sometimes I suspect that they mainly do it to annoy...
Security by obscurity is another reason, but it doesn't last very long.
Cartes Bancaires was hacked because they never updated their security. With
some spec owners, I'm sure that the reason is to restrict the number of
organisations who can participate in their scheme - sometimes for good
reasons (e.g. to protect the reputation of the scheme for reliability -
e.g. early Mondex trials in the UK, for which my company worked on terminal
testing, were carefully managed in order to be sure to avoid as many
problems as possible and quickly catch anything that did go wrong). But, in
the case of GeldKarte the agreement that they were asking purchasers of the
specs to sign in 1998 was not very restrictive - it merely said that you
should not use this spec except for designing cards and terminal equipment
for use in the GeldKarte scheme. And the price of DM400 was not excessive.
Last week, the European Commission held its Smart Card Summit, inviting
representatives of industry and commerce to join them in a programme to
move to common specifications for the lower levels of smart card systems.
There is no real reason why one scheme should be so different from another
that you cannot use a common terminal to process cards from each scheme,
and there is every reason why the terminal infrastructure must be common
when the card applications are mounted on multi-app card platforms (Multos,
Visa Open Platform for starters, but there are other high security
platforms coming along - e.g. the Motorola Systems dual interface platform
for use with Proton and other apps on the contact interface and transport
ticketing on the contactless interface). The Summit produced a Charter, and
will create a High Level Task Force and Working Groups shortly. Try the
following links for more info:
www.ispo.cec.be/policy/i_europe.html
www.europa.eu.int/comm/information_society/eeurope/index_en.htm
For smart card specific comment and enquiry, there is an email address of
[EMAIL PROTECTED] There is a more general email address
[EMAIL PROTECTED]
Commissioner Erkki Liikanen has been publicising the initiative - see:
www.europa.eu.int/comm/information_society/speeches/liikanen/athens01_en.htm.
The laudable aim of eEurope is to get us to agree on a common
infrastructure (see the documents on their web sites for the areas in which
the EC wants this to happen) so that we, the card carrying public, can use
our cards in a large number of terminals for access to public services, for
payment, and for other functions such as store loyalty schemes. And the
infrastructure should be built using public domain specs and standards.
Peter
---
> Visit the OpenCard web site at http://www.opencard.org/ for more
> information on OpenCard---binaries, source code, documents.
> This list is being archived at http://www.opencard.org/archive/opencard/