I had a few comments from friends after my last posting on Adam Laurie’s attack on the UK Identity card. Many missed the point. The issue is not whether it’s possible to forge or modify an Identity card. It’s whether that forgery can be detected in circumstances where the risk becomes significant. You can’t determine that without a full knowledge of the controls that are deployed in each scenario in which it will be used.
Context is everything in the world of security. Just because something is possible, doesn’t mean that it will happen, or that the damage cannot be tolerated, contained or repaired. We’ve managed the risk of forged banknotes and passports for many years. Why should Identity cards be any different?