> Increasingly, however, we see smartcard interfaces sold for PCs.
> What for, I wonder?

You'll see them used to carry certificates for digital signatures in
business applications. A firm I used to work for, eOriginal, Inc., uses
them for document signing under the American electronic signature
legislation, to do things like fully electronic mortgages, resellable on
the secondary market. They've been using a PKCS11 interface provided by
Baltimore Technologies' KeyTools Pro, but other implementations exist, of
course.

It's certainly no huge end-user PKI rollout, though. As far as user
authentication goes in a corporate environment (say, for authentication on
a VPN tunnel), I'm unclear on how a digital certificate locked with a
password is any more secure than your standard SecurID token backed by a
password; both rely on knowledge-based and possession-based security.
Random number generation versus NP-hard problem is the only difference.
(Though I know a guy who broke some early generations of the SecurID
randomizer after watching the sequence for about 10 minutes.)

- John Stoneham
