George,

Yesterday I attended a Workshop at CEN in Brussels, where the 
topic was secure card read/write units for use with EMV-style bank 
cards on the Internet (project name FINREAD). The immediate 
application is in producing a secure reader/PINpad/display for use 
on a PC, with the link to the host being via a browser and then 
across the Internet. Discussion with a Microsoft employee who had 
just got involved in this area showed that, before discussing 
methodologies, there has to be a clear understanding of what you 
want to do and what the cards currently defined now do.

Payments from smart cards using the banking debit/credit 
application (the basic EMV application) are just that: a payment 
message is sent from the card to the host system (the acquiring 
system, in the jargon). The message contains the amount of 
payment along with all other necessary information. What the 
browser and the merchant say to each other is just the 
preliminaries: the purchase transaction. It is the card that makes 
the payment.

In order to secure the rest of the transaction, the banks want us to 
use SET with 'wallet' software in the browser. In order to secure the 
payment message as it passes across the Internet, the banks 
want us to use the Common Chip Extensions to SET. In order to 
be sure that the amount of payment transmitted to the card is 
correct, the banks want us to insert the card into a certified secure 
reader/PINpad/display - the amount will be shown on the display, 
and the cardholder will authorise the amount on the PINpad.

Microsoft man thought that the card was being used as an 
authorisation token to start up a secure session between the 
browser and the host system - because he had only experienced 
that type of smart card use before.

Now we are aware that there are some merchants who register 
your credit/debit card number with them, and then they can issue 
to you their own authorisation card, which allows you to set up 
a secure session so that you can purchase using your account 
with them. Actual payment will be made separately - probably by 
cheque or by direct debit, perhaps on a monthly account basis.

One of the people at yesterday's Workshop was from Wave 
Systems (previously Nable Tech), and his company has been 
participating in a development programme for 'trusted clients'. This 
aims to produce a controller chip that can be embedded in a PC or 
peripheral to enhance security in an Internet environment. Details I 
don't yet have, but they point out that the FINREAD type secure 
reader can be made using their technology, and that electronic 
commerce businesses will shortly be announcing products using 
their silicon - in other words, to trade on-line, you (the customer) 
will have to have a trusted client device.

How you handle the browser thing depends on what you want to 
do, but basically, for real payment on-line, the European banks are 
saying that you will only be allowed to do it using their software 
and their approved card readers.

That's only a start, I know, but there's a lot of this basic education 
needed in the market.

As for keeping up to date with all this, I don't know of any forum 
where you can. The industry associations (e.g. Smart Card Forum) 
should be helping, and our own UK Smart Card Club is about to 
launch a web site section giving general info. But real, at the coal 
face, developers are, I know, having a hard time.

Peter Tomlinson
Iosis, Bristol, UK
-------------------------------------------------------------------
Forwarded by:           "Post Master" <internet>
Forwarded to:           pm:pwt
Date forwarded:         Thu, 9 Sep 1999 11:35:38 +0100
Date sent:              Tue, 07 Sep 1999 10:57:54 -0400
From:                   George Tasiopoulos <[EMAIL PROTECTED]>
Organization:           Factpoint, Inc
To:                     [EMAIL PROTECTED]
Subject:                [OCF] Readers via browsers

> Hello all-
> 
> I have been a little out of sync with the industry so...
> 
> Can anyone feed me any detail of the capabilities and status
> of the smartcard industry with regards to the usage of
> card terminals via internet applications? Does the OCF help here?
> Is there a framework that helps securely access the physical reader
> device via the browser (an HTML UI application), or is there the need
> for applets?
> Consider an application that is internet-based and I want the end-users
> to use their home PC w/reader to securely exchange information from the
> card via their browser application.
> What are the limitations facing the industry today and what resources
> are there to help me stay on top of these changes (besides this
> listserv)?  :)
> 
> Thanks in advance.
> -george
> 
> Visit the OpenCard Framework's WWW site at http://www.opencard.org/ for
> access to documentation, code, presentations, and OCF announcements.
> -----------------------------------------------------------------------------
> To unsubscribe from the OCF Mailing list, send a mail to
> "[EMAIL PROTECTED]" with the word "unsubscribe" in the BODY of the
> message.
> 

