David Corcoran wrote:

> Hi, here is a bit that I wrote up to vent on my lack of standards in the
> smartcard industry.  Let me know if you agree or not.
> 

(and a great deal more besides).

If Birmingham Aston University (UK) mounts it on their unrestricted 
web site, see the paper on smart card standards and e-purse originally 
written in 1997 by Ram Bannerjee, and greatly updated recently by 
myself and Steve Brunt (Steve is the senior ISO editor for ISO/IEC 
10373, the smart card test standard).

Smart card specifications were never designed from the top down, but 
just grew as a struggling technology (naked ICs embedded in a card, 
when everyone said they would be destroyed by static discharge) 
emerged from France. Bitter rivalry between suppliers, at a time when 
the technology was being used for closed schemes (cards and 
terminals being matched up by the systems integrators), a weak ISO 
organisation, and lack of public money for standardisation - all these 
contributed to the current mess.

ISO gave the standardisation job to (or it was taken in by) a committee 
that was dedicated to defining the token, and was forbidden to look 
seriously at the terminal - in other words, the design work never 
looked at the complete system of card and terminal. The same mistakes 
are being made now in the contactless card standards, particularly in 
ISO 14443.

The European Commission is trying to bring some commonality to the 
public use of smart cards for PKI and electronic commerce (the 
eEurope Initiative). RSA Labs has published a draft of PKCS#15 
(interface to a PKI token, i.e. to a card) - PKCS#11 defines an API 
within the host system, not the interface to a device used to store the 
keys and permit their use in a secure manner.

I will try to find time to give detailed responses to David's frustrations, 
but for now I generally support Matthias. Except I remind you all that 
EMV's T=1 is different from ISO's T=1 - both have errors in the error 
recovery, but the errors are different, and they also have different 
definitions of the fields for changing protocol parameters. Designers 
of this type of algorithm MUST use state diagrams as the normative 
definition of the processes, but ISO never makes them do that. In the 
UK's Contactless Standards Technical Panel, we have just been 
reviewing ISO 14443 part 4's draft, and we find the same problems of 
muddle due to there not being a state diagram.

Peter Tomlinson

[EMAIL PROTECTED] or [EMAIL PROTECTED]
+44 117 951 4755


Iosis, 34 Strathmore Road, Bristol BS7 9QJ, UK
Phone & fax +44 (0)117 951 4755
Mobile +44 (0)7785 261475
Email [EMAIL PROTECTED] or [EMAIL PROTECTED]
***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************
