Confusion reigns over crypto vuln in Spanish electronic ID smartcards

Here's how it went

There are self-service machines at police stations to do card operations on e-ID cards. The police turned all the machines off then realised that older non-vulnerable cards issued prior to April 2015 could still be used with self-service machines. Only they can't turn them on again because of the newer vulnerable cards. So instead people with older cards have to book an appointment to see someone at the police station who will change the PIN for them or renew the certificate on it or whatever.

People with newer vulnerable cards will not be able to renew the certificate on it or change the PIN because the people at the police station won't let them. Also people who get brand new cards (e.g. every five years) will still get a vulnerable one and won't be given the PIN. link

And it seems people can still use vulnerable cards over the Internet, maybe because the there's one certificate to rule them all and if it's revoked then older non-vulnerable cards could stop working.

And the newer vulnerable cards also have another problem - when they are used to sign something, they don't certify the date it was signed, so the two vulnerabilities could be used together with online banking (if it supports it). link

However this will probably blow over because hardly anyone uses the e-ID feature of their ID cards, it means going to the police station anyway or spending hours persuading IE or Firefox and Java to work with a card reader and hoping it doesn't stop working if anything gets updated.

I was going to explain how to pronounce Dan Cvrček's last name. But then I realised that saying "just the way it's written" was not going to be all that helpful.

It means "cricket" (as in the animal) btw.