In other words, the requested service would be under the control of the same authority that emitted the credentials. This does correspond to what happens in the offline world when we make a request of a certain business, such as withdrawing money from an ATM. The machine will verify our bank card and our PIN. Unfortunately, it is a less-accurate model for scenarios in which our credentials are more general purpose. You can show your ID to the police officer who is going to fine you for exceeding the speed limits, and you can show the same ID to that bartender in Minnesota who needs to know if you're over 21. Although the former scenario may involve use of a service that would be considered a government asset, the latter scenario certainly does not. To bring the paradigm back to the online world, a website representing the officer may have just checked the signature on your ID and checked back on the government backend as to whether you are entitled to drive, whereas the bartender website would only be able to check that your credentials are actually yours and emitted by a certain state.

[Margin note] Despite the different form factor, hard tokens have the same certificate lifecycle problems as smartcards.

68 The Problem
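The officer and bartender scenario above can be made concrete in code. The following is an added illustration, not code from the book or from any product it describes. It models one issuer (a state) that signs a set of claims, and two relying parties that trust the same issuer but make different decisions: the officer's site verifies the signature and then consults a government backend about driving entitlement, while the bartender's site verifies the signature and issuer and derives "over 21" from the date-of-birth claim alone, with no backend access. The issuer name, the key, the subjects, the licence registry and the reference date are all constructed for the example, and an HMAC stands in for the issuer's public-key signature so that the example runs on the Python standard library; in a real deployment the relying parties would hold only the issuer's public key.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed issuer keys. HMAC is a stand-in for the issuer's public-key
# signature; with a real signature scheme the verifiers would hold only the
# issuer's public key, never a secret shared with the issuer.
ISSUER_KEYS = {
    "state-of-minnesota": b"constructed-issuer-key-not-a-real-secret",
    "some-other-authority": b"constructed-other-key-not-a-real-secret",
}

# Constructed stand-in for the government backend the officer's site consults.
LICENCE_REGISTRY = {"alice": "valid", "bob": "suspended"}


def issue_credential(issuer, subject, date_of_birth, licence_class):
    """Issuer side: serialise the claims and attach a signature over them."""
    claims = {"iss": issuer, "sub": subject, "dob": date_of_birth, "licence": licence_class}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_credential(token, trusted_issuers):
    """Check shared by every relying party: the token must be signed by an issuer
    the relying party trusts. Returns the claims, or None if the check fails."""
    claims = json.loads(token["payload"])
    issuer = claims.get("iss")
    key = ISSUER_KEYS.get(issuer)
    if issuer not in trusted_issuers or key is None:
        return None
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    # Constant-time comparison so the verifier does not leak how many
    # signature bytes matched.
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    return claims


def officer_site(token):
    """Relying party with backend access: signature check, then a registry lookup
    on whether the holder is currently entitled to drive."""
    claims = verify_credential(token, trusted_issuers={"state-of-minnesota"})
    if claims is None:
        return "reject"
    status = LICENCE_REGISTRY.get(claims["sub"], "unknown")
    return "entitled-to-drive" if status == "valid" else "not-entitled:" + status


def bartender_site(token, today=date(2024, 6, 1)):
    """Relying party without backend access: it can only confirm that the
    credential is genuine and issued by the state, then reason from the
    claims it carries (here, the date of birth)."""
    claims = verify_credential(token, trusted_issuers={"state-of-minnesota"})
    if claims is None:
        return "reject"
    born = date.fromisoformat(claims["dob"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return "over-21" if age >= 21 else "under-21"


if __name__ == "__main__":
    alice = issue_credential("state-of-minnesota", "alice", "1990-03-15", "D")
    print("officer:", officer_site(alice))      # entitled-to-drive
    print("bartender:", bartender_site(alice))  # over-21
```

The same token satisfies both sites, but each site asks a different question of it, and only the officer's site needs to reach back to the authority that issued it. A token whose payload has been altered, or one issued by an authority the site does not trust, fails the shared check before either site reaches its own decision logic.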