The architecture of the handsets and the SIMs will, if this line of reasoning is correct, therefore form a constraint on digital identity in the mass market, and it makes sense to have at least a big picture of that world. Let’s start with the SIM. The latest version of the SIM standard is known as Release 7. It is being reviewed by the Third-Generation Partnership Project (3GPP) and has been scheduled for approval soon. Release 7 incorporates a number of new technologies, not only NFC, and is a significant update to the standard. Still, it will take a while for handsets that comply with the new standard to get into the mass market, so it won’t be until mid- to end-2008 that customers have them; there’s no point in operators ordering them right now.
Within the handset, NTT DoCoMo and Sun Microsystems have begun work on the "Star Project" to refresh the mobile Java platform (which first appeared way back in 2001) for today’s more advanced handsets and applications. Java is already running on more than 700 million handsets worldwide (according to Ovum), but not all handsets run the same version. That’s standards for you. In practice, it’s an amazing hassle to develop decent Java applications because, as our guys know only too well, all of the operators and handset manufacturers have customised their Java environments. This means developers must often customise their Java applications, or "applets," for different handsets, creating extra work. Meanwhile, one of the most successful "versions" is NTT DoCoMo’s "DoJa", but it is only available to DoCoMo and its handful of overseas partners. There are other operator-specific platforms as well (Vodafone Group’s VFX and China Unicom’s UniJa), as well as the MIDP (Mobile Information Device Profile) platform, which is sort of standardised but still varies. In essence, platforms such as DoJa have strict compliance requirements, which makes life better, but there are many of them, which makes life worse. No government is going to mess about with 200 different versions of an e-passport for mobile phones: therefore a common platform along the lines of MIDP but with more compliance (especially around anything that has an impact on security) is very desirable.
Bringing together identity standards and new SIM standards is the first step to delivering real digital identity in the mobile environment. This meme is now growing after years of hibernation. Take a look at the announcement by Turkcell, the main mobile operator in Turkey (with 30m subscribers), that it is going to implement PKI in its SIMs. The PKI solution is based on what we Europeans call "qualified" digital certificates (which basically means they have private keys that are stored in tamper-resistant hardware) from E-Guven, a Turkish CA created under Turkish Digital Signature Law that is also in accordance with the EU’s Digital Signature Directive. Turkcell’s scheme will allow users to perform secure online transactions through their handset, anytime, anywhere. From their mobile phone, home PC, or an Internet café, the subscriber accesses, for instance, the banking site and enters their customer ID to log in or to give a transaction order. The bank then sends an authentication request that prompts the user to enter, on their GSM phone, the secret code they chose when they activated the mobile signature service. The SIM card then checks the secret code, creates the digital signature and sends it back to the bank to enable the corresponding transaction on the banking account. Note that on the operator’s activation request, the SIM card itself creates the secret keys, and they are (presumably) never divulged. Turkcell is using Helsinki-based Valimo’s mobile signature service platform (MSSP) to deliver a mobile digital signature service to Internet banking customers of Akbank, Garanti, Turk Ekonomi, Turkiye Is and Yapi Kredi. Telefonica is launching a similar service for corporate customers. Why am I highlighting this example?
Well, Valimo’s MSSP is used by the government ID centre in Finland: citizens can use either their government smart ID card or a mobile digital signature to sign in to a variety of e-government applications, such as tax returns and change-of-address. The client application is pre-installed on SIMs, just as it ought to be in the UK in the event of anything approaching a modern identity infrastructure ever being assembled.
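The activation-then-sign flow described above, as an added illustration rather than Turkcell’s, Valimo’s or any SIM vendor’s code: a simulated SIM applet that generates its key pair on "activation", only signs the bank’s request after the user’s secret code checks out (locking itself after repeated wrong codes), and a bank-side verification against the subscriber’s public key. The names (SIM, Activate, BankVerify), the P-256/ECDSA choice and the three-attempt lockout are assumptions; a real deployment verifies against the qualified certificate issued by the CA rather than a bare public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// SIM stands in for the tamper-resistant applet (a hypothetical model): the key is
// created inside it on activation and never leaves; signing is gated by the secret code.
type SIM struct {
	key     *ecdsa.PrivateKey
	pinHash [32]byte
	tries   int // wrong-code attempts left before the applet locks itself (assumed: 3)
}

// Activate models the operator's activation request; only the public key is exported.
func Activate(secret string) (*SIM, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SIM{key: key, pinHash: sha256.Sum256([]byte(secret)), tries: 3}, &key.PublicKey, nil
}

// Sign is the handset-side step: check the secret code, then sign the bank's request.
func (s *SIM) Sign(secret string, request []byte) ([]byte, error) {
	if s.tries <= 0 {
		return nil, errors.New("applet locked")
	}
	h := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(h[:], s.pinHash[:]) != 1 {
		s.tries--
		return nil, errors.New("wrong secret code")
	}
	s.tries = 3
	digest := sha256.Sum256(request)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// BankVerify is the relying party's check against the subscriber's public key.
func BankVerify(pub *ecdsa.PublicKey, request, sig []byte) bool {
	digest := sha256.Sum256(request)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

The request the bank sends should carry a fresh nonce, as in the constructed sample used below, so that a captured signature cannot be replayed for a later transaction.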
Now, this use of the technology isn’t especially new — Vodafone has had a similar application dormant in its SIM cards since 2002 — and I’ve long thought that it’s a rather obvious combination of technologies to deliver into the mass market, once the appropriate standardisation is there. Overall, however, the market has been developing slowly because of the complexity of co-operation between mobile operators, certificate authorities, SIM vendors, banks, merchants and everyone else. Perhaps the imminent new, sexy environment of the NFC phone running "New Java" with a Release 7 SIM will be the space to really break the deadlock.
One can easily envisage a near future in which citizens are given a boring, old-fashioned, dreary plastic ID card by the state but have the option of downloading the same into their phone for a few euros if they want to transact online. Not a bad vision. By the way, I’ve got a spare copy of David Edgerton’s super "The Shock of the Old: Technology in Global History Since 1900" on my desk here, so I’ll send it to you if you are the first person to reply on this thread.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.