Hi,
I don't know how many of you are aware of Information Cards, but they have been pushed for 5 years by Microsoft with virtually no results. IMO it is because Microsoft have (like most other US companies) essentially no experience with tokens for consumers since US on-line banks /primarily/ use passwords.

------

Since there seem to be misunderstandings in the Information Card community about the state of smart cards, I take the liberty of describing what I believe are facts. Feel free to provide other information :-)

In order to use a card it must be initialized. If you take a card and insert it in a leading platform such as Windows 7, you will soon be aware that there is no initialization or "format" command to find. If you are the nerdy type you will also note that cryptographic APIs like those featured in Windows and Java, as well as PKCS #11, do not have support for card initialization. This is because this part is largely proprietary/non-standard.

Due to this we will never be able to put Information Cards on smart cards except maybe for a single model that is likely to be both pricey and hard to get.

What's even more funny is that after performing this highly proprietary initialization process, cards, when used for logging in to AD or to an Internet site, only execute mundane cryptographic operations like RSA sign. I.e. all this advanced technology like Java or .NET seems virtually useless; at least the diversity is completely unmotivated.

So what's the solution? IMHO, it is defining a container that is a "Dumb Keystore" rather than the "Server" the card industry is peddling to keep them from becoming commodity suppliers. Unlike a server, a dumb keystore is just a simple peripheral responding to /a small set of predefined commands/, quite similar to a disk drive.

Although you (most certainly) do not agree, I'm pretty sure that Information Cards, U-Prove, and a gazillion other niceties won't go anywhere until a better token becomes */readily available/*. The better tokens are enhanced USB memory sticks and mobile phones. Traditional smart cards are simply unsuited for large-scale use in consumer PCs (where is the reader to begin with...) except for those who can afford the luxury of having a "smart card expert" hanging around.

There are other markets and uses like passports that need customizable cards with file-systems and such but this has rather little to do with "logging in" on the Internet.

Regards,
Anders
Designer of "Really Dumb Tokens" that unlike the state-of-the-cards, can be provisioned directly over the Internet with full end-2-end security, using enhanced Internet browsers.

http://webpki.org/auth-token-4-the-cloud.html

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
