On Tue, Aug 03, 2004 at 03:36:45AM +1200, Peter Gutmann wrote:

G&D produce (or help produce) things like banknotes and passports (and have been doing so for more than a century), the secrecy comes with the territory.

I have no smart card background, unfortunately. I've heard G&D ignores requests from open source developer people, though. Are keywords like STARCOS SPK2.3 (Philips P8WE5032 chip), ITSEC E4 certification (with StarCert v 2.2.) etc. associated with a good security track? Features * ISO/IEC compatible * Secure messaging * Hierarchical ISO file system * DES, 3DES * State machine * Logical Channels support * Deletion of files (EF) and applications (DF) * Enhanced hardware security * High performance * Implementation of various access controls (authentication) * Data encryption with asymmetric RSA keys up to a key length of 1,024 * bits * Generation and verification of digital signatures with RSA and DSA * On-card RSA key generation up to a key length of 1,024 bits * The digital signature application StarCert is ITSEC E4 high certified STARCOS SPK2.3 is available on a Philips chip with 32 kByte. Symmetric (DES, 3DES) as well as asymmetric (DSA, RSA) cryptograhic methods are supported. For further information please contact: Industry & Government Team Phone: +49 (0)89 4119-1957 Fax: +49 (0)89 4119-2802 indgov.cards@de.gi-de.com -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature]

On Tue, Aug 03, 2004 at 03:57:02AM +1200, Peter Gutmann wrote:

Nothing you can't get from a pile of other vendors who will actually talk to you. Unless you've got some business reason to deal with them, I wouldn't bother (I have nothing against them per se, they just do business in a way that isn't useful to me... and I'm sure they think the same of me).

I'm just investigating alternative uses for stuff I already need for HBCI (a kraut homebanking standard). The state of the art (especially for open source smart card support) looks pretty rudimentary. The Dell Smart Card keyboard I've got has some CCID drivers which run under Win2k but refuse XP, and this thing isn't yet properly supported by the Muscle folks or libchipcard2. We're not even talking about higher order functionality yet (RSA and 3DES), just dumb data store. Gnucash on Fink doesn't seem to support HBCI at all yet, not even mentioning smart cards. What's weird is that the banks aren't pushing this to the customers (readers are somewhere between 50 and 100 EUR, and the cheapest RSA card some 13 EUR). The phishing issues aren't yet painful here apparently, due to predominance of PIN/TAN (the dead tree variant) in online banking. -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature]