Archives for posts with tag: smart cards

Ideally, a relying party that needs to verify certain attributes of a user would do so all by himself. However, in the new German eID system there are currently 7 so called eID service providers that handle this task on behalf of many relying parties. The Germans did this to allow service providers to quickly adopt the new eID system, because they can simply contract an eID service provider instead of implementing the functionality themselves. However, this creates a hotspot. For all users the eID service provider sees all attributes verified for all relying parties it services. The eID service provider is therefore in principle able to link a user to all the relying parties it visits, together with the relevant attributes. This appears to be a serious privacy risk. Or isn’t it?

Read the rest of this entry »

In a previous blog post I argued that identity cards should not be used to store anonymous credentials. The reason being that users may not believe that a card that is used to identify them in one context, can also be used anonymously in another. But last Friday, in a meeting with Martijn Oostdijk among others, I heard an interesting reason why anonymous credentials perhaps should be stored on an identity card anyway.

Read the rest of this entry »