Re: [TLS] EU cards

Peter Gutmann <> Fri, 29 July 2011 06:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 333C021F8658 for <>; Thu, 28 Jul 2011 23:26:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.084
X-Spam-Status: No, score=-3.084 tagged_above=-999 required=5 tests=[AWL=-0.551, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_MILLIONSOF=0.315, SARE_OBFU_ALL=0.751]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8A55g-dg2yx4 for <>; Thu, 28 Jul 2011 23:26:40 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4850821F8640 for <>; Thu, 28 Jul 2011 23:26:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1311920800; x=1343456800; h=from:to:subject:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<> |,|Subject:=20Re:=20[T LS]=20EU=20cards|In-Reply-To:=20<20110728194221.3655211E8>|Message-Id:=20<E1QmgWs-0007h1-Q3@logi>|Date:=20Fri,=2029=20Jul=202011=20 18:26:38=20+1200; bh=fNy/B32+t9JQDlG3VoIGz3YphaWLf/7pi0WtmSoN9PM=; b=I3FTiMsIqxVXOm06WUAXNlr1I6XSqdx4niEDRcoPv/UKL3ZN1GS5fXqt 3pVaaMXe2LH+oZRTGJ9WUiKGSgMLaXsj/l9y22Q689tNrz8R/FN1GicvP E73SJnKPTaJ6jIGzDCMiQxPBJIQRWADKez1KEElMa2lvdBRBGCKjhSAzc M=;
X-IronPort-AV: E=Sophos;i="4.67,286,1309694400"; d="scan'208";a="74802859"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 29 Jul 2011 18:26:39 +1200
Received: from ([]) by with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <>) id 1QmgWs-00008Q-Ir; Fri, 29 Jul 2011 18:26:38 +1200
Received: from pgut001 by with local (Exim 4.69) (envelope-from <>) id 1QmgWs-0007h1-Q3; Fri, 29 Jul 2011 18:26:38 +1200
From: Peter Gutmann <>
In-Reply-To: <>
Message-Id: <>
Date: Fri, 29 Jul 2011 18:26:38 +1200
Subject: Re: [TLS] EU cards
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Jul 2011 06:26:41 -0000

"Blumenthal, Uri - 0668 - MITLL" <> writes:

>In US a lot (literally millions) of government email and Web access is secured 
>by what you call "government cards".

Ah yes, the common access card.  Let me tell you about the CAC.  A couple of 
years back, a bunch of us were in a taxi line at a hotel.  I was wearing a 
shirt that said something about PKI.  Someone behind us in the queue (who 
turned out in later conversation to be a mid-ranking US military person) asked 
what the shirt meant.  When we explained it (briefly), his response was "Oh, 
you mean like the CAC?  Man, that stuff SUCKS!".

As a member of our party later put it, "when random strangers stop you in taxi 
queues to tell you how much the technology sucks, you know there's a serious

This is why, in a previous message, I specifically asked for reports of 
European banking authentication from independent third parties and end users, 
not the people involved in deploying it.  As Anders points out, these are 
status projects, if you ask the people involved in the deployment then you 
always get the same response, "we have millions of them deployed, it's a great 
success".  You have to ask the end users to get a real picture of what's going