The Register revealed the scandalous behaviour of the Dutch promiscuous passports. Quickest description is on EC:
The secret key is made up of the passport expiry date, birth date and the passport number stored in the passport's Machine Readable Zone. The Dutch passport numbering scheme proves to be sequential and has a relation with the passport expiry date. Further, the last digit of the number is a checksum introducing additional predictability. The selection of a new and unpredictable passport numbering scheme would considerably improve the security.
Oops. History does not reveal how it is that the Dutch - normally a country steeped in deep privacy and cryptography that they run things like WhatTheHack where it was first announced - managed to make such a blunder.
One quibble. Adam goes on to say "The radio has no function." I think that's a bit tough to sustain. The point of using RFIDs and so forth comes from long hard-won experience. The experience pans out roughly like this:
From there, the decision to add smart cards to passports means they more or less had to include RFIDs. All experience points in that direction, and experience is everything in the smart card world (mostly because there is so little of it).
So the question then reduces to ... how applicable is mass transit experience to the passport issue? This might be considered to be the LAX factor - the answer is "quite a lot" if you've ever been stuck in a queue at a major US airport carefully calculating the time to the gate close on your connection.
Which does nothing to answer the next question: does the LAX factor - the benefit of radio-enhanced fast entry - outweigh the downsides? That seems to be the experiment that the various passport offices are intending to run on their captive subjects, so we will know for sure in about 10 years.Posted by iang at February 1, 2006 08:17 AM | TrackBack