Smartcards are a interesting thing, they provide a number of valuable properties but most of the value comes from two of them:
1. Portability of credentials.
2. Secondary processor where cryptographic operations take place.
The portability of the credentials comes at a cost, one needs a means to "insert" the card into the device where it is going to be used; in traditional contact cards this requires a special reader to be associated with a pc which is expensive and limits the use of the credential to devices that have this reader.
Another problem is deployment of the cards, they are also fairly fragile (I go through one contact card a year related to damage) and are commonly lost and need to be re-issued.
A alternative exists that can still satisfy the two core goals above and doesn’t have the same limitations (at least to the same extent) as the traditional contact card.
What is it? Smartphone’s, they are becoming more and more common as devices get smart enough to be MP3 players, do calendaring and email they also become more powerful that any contact card out there.
In-fact the Microsoft based Smartphone’s have a port of the Windows CryptoAPI interfaces on them already, what this means is it would be relatively easy to build a Cryptographic Service Provider, Smartcard Module and/or CNG KSP for Windows that simply communicated with your Smartphone over Bluetooth to perform key cryptographic operations.
This solution wouldn’t be a appropriate replacement for the DoD Smartcard (no tamer resistance, tamper evidence, physical protection, etc) but would certainly be an appropriate replacement for weak passwords.
Once you have a Bluetooth pairing between your phone and your computer you would be able to use it to perform Mutually Authenticated SSL, PKINIT login into Kerberos systems (like Windows), sign email, etc. all with the entry of a PIN.
Development of such a creature wouldn’t be hard, all the technologies and samples exist it’s just a matter of stringing them together into a solution.
Just a thought.
Ryan