Thanx Pekka,

A slightly disturbing "side effect" of mixing accounts and IDs using the Finnish and Swedish schemes is that each time you perform a payment, the POS terminal can, without any PIN-codes etc., also read the user's ID-certificates (public keys), effectively "leaking" identity information to parties that should not necessarily have such information.

Anders

----- Original Message -----
From: "Pekka Honkanen" <[EMAIL PROTECTED]>
To: "'Anders Rundgren'" <[EMAIL PROTECTED]>; "'internet-payments'" <[EMAIL PROTECTED]>
Sent: Saturday, March 13, 2004 19:49
Subject: VS: A combined EMV and ID card

Hi all

here is a press release from 2002 about a Finnish Visa Electron EMV card with Finnish government issued certificate for public e id. These cards are now on the market.

http://www.vaestorekisterikeskus.fi/vrk/bulletin.nsf/PFBD/6BAD13682FF44383C2256CCB004CBF6F?opendocument

Regards
Pekka Honkanen

-----Original message-----
From: Anders Rundgren [mailto:[EMAIL PROTECTED]
Sent: 13 March 2004 18:09
To: internet-payments
Subject: A combined EMV and ID card

A combined EMV and ID card
----------------------------------

In Sweden banks are gearing up (in "bank-speed"...) for issuing combined EMV and ID-cards. The reason behind that is to reuse the card infrastructure as well as due to the fact that banks already are ID-issuers. This system apparently already exists in Norway although not in electronic form yet.

Technically I see no difficulties with this, but my (open) question is if this should be considered as a short-term "fix" or a viable long-term scheme even on a global scale.

Personally I have some problems with mixing an "account", which is a potentially sharable resource, with an "ID", which is not legal to share with others, as well as a nuisance to be without. That is, if I let my kids pay for something on the Internet, I will, using a "combo" card, give them a "passport" to possibly a myriad of other things as well. To have different PIN-codes may be a possibility but most people don't appreciate multiple PIN-codes. I am one of them :-)

Currently this is "theory" as EMV on the Internet is still mostly a dream. ID on the other hand is for real.

Regarding Internet-payments, it seems that you, long-term, would rather give other valid [and properly authenticated] users of an account an "entitlement" to perform certain payments using 3D Secure-like schemes instead of requesting credit cards for your kids (or employees). Because then you, the account owner, can administer and monitor account sharing yourself in the on-line bank holding the account. Probably, banks will find this idea slightly "challenging", but it is indeed a logical next step.

It looks to me that the need for secure IDs is much bigger than the need for secure "payment-tokens" if we restrict the scope to Internet-payments.

Just my 0.2 EUR

Anders Rundgren
Consultant, PKI & e-Business
+46 70 - 627 74 37
