How to choose a smart card to buy

Are you planning to store more than one certificate?

Manufacturers produce many kinds of cards. The kind depends on whether the manufacturer must follow the requirements of its customer. For example, PIV cards are made based on the US government specification. OpenPGP cards are based on the OpenPGP card specification.

A PIV-compliant smart card can store up to 3 certificates, but only a few can be used for smart card logon. For example, one is dedicated to physical access control. An OpenPGP v2 card can store only one certificate, and this certificate permits only authentication (not encryption).

Recommendation: if you do not have a requirement, purchase a manufacturer card. YubiKey does include smart card support with a PIV or OpenPGP applet: even if the drivers are present by default, you can store only a few certificates.

Does the manufacturer provide drivers?

Check that the Windows driver is included. Some manufacturers require the purchase of a software development kit (SDK). Some applications (Firefox, TrueCrypt) require a PKCS#11 driver, and most providers do not include it for free.

PIV or GIDS cards have their driver included by default on Windows, starting with Windows 7. OpenSC includes a PIV PKCS#11 driver. The default PIV driver is read-only!

Recommendation: pay attention to the software package.

Do you really need RFID?

Cards can be sold in many different packages. Most packages differ because the cards include a dual interface, meaning that they include an RFID interface to merge smart card and physical access control cards. The most common RFID interfaces are: NXP MIFARE or DESFire, HID iCLASS or Prox. These RFID interfaces do not allow access to the smart card component over the air.

Please note that some smart cards can have an RFID interface, but this requires a shared secret to initialize the communication. For example, some PIV smart cards can be accessed over RFID.

Recommendation: As of today, having RFID does not add any value unless you plan to include PACS. Even in this case, we recommend buying a single smart card for testing WITHOUT this interface.