Re: [TLS] EU cards

Anders Rundgren <> Fri, 29 July 2011 07:34 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On 2011-07-29 08:17, Peter Gutmann wrote:
> Anders Rundgren <> writes:
>> Dropping HTTPS CCA, it will never leave the 0.1% slot anyway so why would the 
>> browser vendor bother about how it works?
>> Now to the cards: Since
>> 1. readers is a non-standard item
>> 2. all cards need different middleware
>> 3. cannot be fitted with additional certificates
>> 4. is generally only trusted by a restricted group
>> 5. commercial CAs require certified RP SW, contracts this is simply put 
>> entirely uninteresting
> You forgot 2a:
> 2a. The middleware is buggy, unstable, only works on certain system 
> configurations or on certain hardware, prevents or upsets normal operation of 
> the system it's installed on, etc.  Vendors mostly ignore bug reports, and 
> aren't interested in updating their drivers unless you go back and buy another 
> half-million cards.

You are [unfortunately] quite right.  The (relative) success smart cards have
had in controlled environments such as payment terminals cannot be translated
to the completely uncontrolled consumer computer base.

I see two possibilities:
1. The easy one.  Let Apple with iPhone/iPad provide us with the "container".
2. Define a new container where the interface is strict and supports provisioning
so that even Joe Sixpack can succeed.  This is my take on the subject which
though is about 100 times more difficult than what Apple needs to do so
I guess I'm an idiot even trying...

I just don't like the idea of going from an OS monopoly to a full-blown
OS + Device + Infrastructure monopoly. Banks and Governments have little
to compete with and will also [much too] late realize they're screwed.


>> The government cards are status projects.  We have issued x million cards.
> I tend to refer to them as "government charities", but that's more or less the 
> same thing.