[OpenID] SmartCards and alternative thoughts
Paul Tanner
paul at virtual-techno.com
Fri Jul 13 08:01:03 UTC 2007
At 18:56 12/07/2007, someone wrote:
> Magnetic stripe is not a technology to compare with smart cards
> (even though you can find them both on credit cards) Magstripe is
> just a way of 'reading data' whereas smart cards provide actual value
> (crypto) not just a bunch of bits to blindly read.

Mmm .. We need to avoid confusing the type of card technology with
their value in terms of ID.

Putting crypto in a card opens up many possibilities. However, these
are impractical to exploit without an end-to-end PKI. That's only
affordable in applications like border control that are
security-critical and have huge budgets. The "reader" in that
scenario needs to be a sophisticated beast - not just a piece of
cheap hardware. This is why ordinary EMV card readers have no
security as such - readers are cheap and the attendant risks are
covered by insurance against an expected level of loss.

Therefore, we may see OPs using SmartCards/PKI in some edge cases
but these will not affect the general market. Any card could be used
to save typing your ID but, as has been said, that has little
value. Most RPs will probably allow for cookies to do this anyway.

On the other hand there's a lot of scope for effective registration
processes involving multiple forms of ID coupled with multi-factor
authentication to an OP. In such a case the OP could assure RPs that
the user really is who they say they are. I see a need for this in
those applications where valuable or confidential content is made
available to those who can log in. This would be even more valuable
if such an RP could (somehow) trust the security and processes
implemented by said OP. (Either RP==OP or there's some form of
independent accreditation).

Some banks have reasonably strong authentication in place using
stand-alone security devices and many of us feel comfortable enough
with that way of protecting our accounts. OPs could use this
increasingly prevalent technology but they would, of course, need
adequate processes around this as (arguably) do the banks.

Paul
Paul Tanner - Virtual Technologies - http://www.virtual-techno.com
Tel: +44 1494 581979 Mob: +44 7973 223239 mailto:paul at virtual-techno.com