How Wavelynx-Led LEAF Aims To Break HID Access Lock-In

Published Feb 20, 2024 16:17 PM

Lock-in is a significant problem for high-frequency HID access control (SE, Seos, even HID DESFire, etc.), with the mega-manufacturer tightly restricting which devices can read HID credentials. Its growing rival Wavelynx is leading "LEAF", which aims to break that lock-in.


The intention of LEAF is that, like ONVIF for cameras, competing access reader manufacturers can support a common standard so that users can mix and match readers from rivals, avoiding lock-in and encouraging more choice.

But how does LEAF work? How ready is it? What problems does it have? How does it compare to HID?

We spent the last month speaking with various access manufacturers, including Wavelynx, to better understand and explain these issues.

Executive *******

***** ******** *** ***** * ****** interoperability *************, ** ** ***** ******* dependent ** ******** ***, ** ***, has ******* *********** *******. ***** ** no ********** **** *** **** **** join ****, *******, *** **** ** truly ******* **************** ****** ******** (*** its ****), *** ****** ************* *********** need ** **** *** **********. ************, however, ****** ******* ************* **** **** reluctant ** **** **** **** *****, as *** ************ ******** *** **** to **** ***** ********** ****** *** proprietary.

**** ** ** **** ******** ************* for ******* ******** *********** **** ****** for **************** ******* ***** *** ****** own *** ***** ****** ** ***** credentials (********* *** **** ****** ***) or **** **** ************* ** ***** the **** **** ** ******* **** in ** **** ****** ******* ** the ****.

*******, ****** *** ************** ** ****, we ******** ************* ******** ** **** from *** *******, ********, *** *** of *** ********* ************,*********(*** **** **********, *** ******* *******), **** *** ****** ******* ***** "overselling *** "****************" ****** ** **** and ******** *** **** ** *** limitations ** **** **** *** *********** lead ** * ****** ****-** **** within **** (********, ********* ******** * workaround). ** ** *** **** ****** about **** ** ******** ***** ************* definitively, *** ** ******* ******** **** both ********* ******.

** *** *** ***** ** ********, there *** **** ** ******** ** LEAF *********** ****** ** ****, ***** on *** ******** **** ** *** from ******** ********* ************ *** "********" of ****-********** ***** **** (********* ** Wavelynx). ** *** ****** ******* ********, based ** ****'* *******, *** ******** is ****** ******* ** ******** *** its *** ******** (****** *** **** Abloy; *******, ***** ******* ** **** limited). **** ****** **** ************* (*** and ****) *** ********** ****, *** potential ****** *** ********* ** ******** down (*** *** *** *******, **** did *******, ********** *** ********** ****).

*** ****** ** ******* ******** ******* to ** ****, *******, **** ******** gaining ******** (******* **** ***, *** **** ****-** **** ******* ****),*** ****** ************, *** ****-** ***** * ****** pain ***** *** *********, **** *** scale *************. ** *** ***** ****, they **** **** ** ******* ***** recognition, ********* *******, *** **************** ****** competing *************.

Background

**** ** * ********-**** **** ******** specification ******* ** ******** ******* ************ "**********[*] *************, ******, *** **** choice ** ******** ******** *** ******** Architects, ** **** **** ******** ********** user *********** *** ******, ****, *** delightful," *********** ** ****'* *******.

**** ** *** ** ******* *** rather * ***** **** *** *** specification.

LEAF **. ****'* ****

***** ************ **** **** ********** *** **************** standard, ****, ***** *** *** *** same, ** **** ** ** ********** initiative ******** ****** ** ****** ***********, whereas **** *** * ********* ****** and ** * ******** ********** *************.

Wavelynx **. ****

***** ******** *** **** ***** *** same ******** *** ******** ***** ****** to **** ** *** *********, **** is ** **** ************* *** ** not ********'* *******. ************, ***** ** a *** ** *************** ******* *** two, ** ******** "**** ** ****** following **** *************", ** ********'* *** told ****:

******** ** *** ****. ** ******** goes ** ****** ********* *** **** specification.

No ********* *********, ****-********** *** ****-**********

****** ******, ** **************** ******** *** cameras, **** **** *** **** ** oversight *********, *** ** ** * self-validation *** ****-********** ********** (*** *** add ***** ******* ** *** ****'* "Partner" ******* ***** * ****** ** the ****).

*** ********** **** ***** ** **** Axis *********** ******** **. *******, ***** has * ******** ********* *********** ***** that******** ** *********(********* ****' ***********, **** ** ******, Bosch, ***.)

******** **** **** **** **** ** due ** *** **** **** ** an **** *************, *** ****** *** develop ** **; ***** ** ** need ** ****** ** ********* *********.

*******, * ********* *** ***** ********** often ******* *********** **** ** ****. LEAF ******** ********** **** ****** ** answer **** ** ****'* ********* ** how ********* ** *** **** ********* interact **** ***** ********* *** ***** the **** **** ****, *** **** companies ******* ****, ***.

Build ** *** ** ******* ***-*

**** ** * ************* **** ****** upon******* ***-*(** **** *** ******** ************* **** DESFire ***), ** ***-********* ** ********, as ** ********* ***** **** ****. ********* ****** ****, **** *********** work ** **** ** *** ** versions ** *****.

*** **** ********** ** ***, *** our **** ******* -*** *** ****** ******* *******.

*** ******** ** *** ************** ********** that *** ******* **** *** ****** because ** *** ********** ********+ ************* ************ *** *****-*********** *** *****-*** ********* allowing *** ****************, ** ******** ****:

*** [****] ********** ** ******* ** DESfire. We ***** * ******* ****, ******* ** *** ** ****+ ******, *** **'* *** **** **** **** *** **** **** ** ************* ** ******** ******** ************ **** ******** **** to give this interoperability for the industry. That's the reason we chose DESfire to begin with. [emphasis added]

** ***** **** **** ********* *** not ***** **** ** ******* ******* of *******, ******* ***:

***, ** *** ***, ****cross-functionality **** **** ** ***** **** *** *** *** ****** **** *** ****'* ***** *****. So, ** [*** ******** ** ****] ****'* ******** ***** ****. But with Ev2 and EV3, you have the ability to access a single application with multiple keys. This is what fundamentally created the opportunity. [emphasis added]

LEAF ** *** **** **

***** **** *** **** ******* *** the ****** ********* ************** *** *** standard ****** ******* **, ***** *** two ******** ** ****, **** ** and **** **, **** ****** ** credential ********, *** *********, ***.

** *****, **** ** *** ******* for * ******* **** **** *** want ** ****** **** *** **********, and **** ** (******) *** ******** for ************* ***-*****:

You **** *** ******* ** ** ** ** ****** *** *** **** ** ****** ** *** - ** ****'* **** **. So we defined [LEAF specification] [such that] an end user can have both, you can either decide to go down this **** ************* ***** ** ******** **** *** ****** ****, or just owning keys and a vendor manage keys on your behalf [i.e., LEAF Cc]. Or *** *** **** *** ** **** **, *** **** ***, *** ** *** **** ** ***** ***** *** *** ********** ****** ** ******

The ******* **** *****'* **** ** ****** ** *** ************* ** ********** ** ***** *** ***[*], that channel needs a solution. So [****] ******** ** ******* ** **** **; it does one thing and one thing only - it requires the manufacturer to issue devices properly. [emphasis added]

*** ******* ***** ***** *** ********* ******* ** *** **** ************* **** ********:

IPVM Image

16 **** **** ********** ****** ****** ******* ****

*** **** **** ** *** **** Cc, *** ****** **** ****** ******* data ** ********* ** ** ****-**** keys **** *** ** ****** **** different ************* ** ***** ****************.

*** ******* ***** ***** *** ************ and ***** ******** ********* *** *** access ******* *********** *** * **** Cc ****:

IPVM Image

****** ******** **** ********** *** **** card **** ****** * ****** ******** if * *** ** ***********, ** the ************/***-**** *** ****** *** ** hardware ** ****** *** **** ******* a ********* ***.

Key *********

*** ** *** ********* ****** ** LEAF, *** ********* ** ** ********* component *** ******** **************** ******* *************, LEAF ** *** **** ** ****** from **** ***** ** **** ******. IPVM ******** *********** ******** ** *** ownership **** ********* *** ********.

*** **** **** **** ** ** described ** * "********-*****" ****** *** confuse ****** **** ******** **** *** manufacturer **** **** ** **** - this ** **** ********* ****, ** LEAF ******* **** ******** **** ****.

** **** **, ** ****, *** customer **** **** *** ****** *** PICC *** ** ****-**** ****, *** in *** ** *******, *** **** master *** ** ***** ** *** manufacturer ***, ** ********'* ****, **** not ***** *** ********.

***** ********* ******** ******* ******** ** the ********* ** ** ****, *** company's ***,***** ****, **** **** **** ** **** (or "***** ****" ** **** ******** to ****) *** *** ****** **** customers *** *** "******* *** ******* on *** ******* **** *** *** the ******."

*********, ********'* ********* **** **** ***** Si **** *** *** ******:

** ****** *** ****** ********. It ** * ************ ******** ****** **** *** ** **** ** ****** **************** ****** * ************’* **** ******* ** ******* ***/** *** ** **** *** *** **** ******** ****. At Wavelynx, we use SI for our manufacturing keysets and are aware of many other manufacturers doing the same.

** ***'* *** **** ** **** as **** **** ** ******** ******** keys. They *** ******** ****************** **** *** *** **** ******. When they are used as end-user specific keys, Wavelynx supplies a credential and reader that support Leaf Si and the end-user can use Leaf Si for access with the above limitations [emphasis added]

Wavelynx's *** ********* *** **** **

******* **** ******** **** ****, *** company's *** **** **** ******* *** APIs, ********'* ********** ** ********* *** manifests ** ***** *********** **** **** assigned ** ****:

[An ***-****] **** * ******** **** **** **** **. And that manifest gives *** *** **** *** *** ****. So ** ** *** ****, *** **** * ******** ****** ** ***** *** **** ****. Any vendor can use that source of truth to read the card [emphasis added]

*******, ** *** *** **** ** confirm **** ***** ****-********* ************* **** provide ******* "*********," ** ******** ****:

[*] ** ** **** **** *** only ******** ***** ** [** ***-****] this ****** ***** [******** **** ****] for ** ***********?

[*] I ***'* **** *** *** ****** **** **. * ***'* **** *** *** ****** ******, because I don't interact at that level, I don't really pay attention. And frankly, I ***'* **** **** ****** **, because they don't share with the industry you are they do. [emphasis added]

**** **** *** ******* ******** **** Wavelynx's *********,****** *****:

Other ************* ** **** **** ***** *** ********* [own achieving interoperability with LEAF Si] that we ****** ********* ** due to it being an open standard. [emphasis added]

**** **** *** **** ****** ***** LEAF ** ** ******* ***** ********** from ******** *** *********.

Safetrust ******** **** *** ***

*********'* *** ***** **** ** **** are **** ****** *** ** *** manufacturers' *********, ******** **** ** ***** in **** *** "***** ***" ** compromised, ***** ** ******* ** ***'* non-Elite *** ********:

*** ** *** ***, generic **** ******* **** * ****** ******** *** ***** ** **** ****** *** ** ***** *********. This simplifies the distribution channel but means that exposure ** **** ***** *** **** ********** *** ********* ***** *** ***** ***. This is exactly the issue HID discovered in 2007 when their iCLASS key was extracted from the firmware in an old reader, promoting the introduction of the SE line with the secure element. [emphasis added]

******** ** *** ** * ******** LEAF ****** may *** *** **** ***** *** ****** *** ** ***** ********* and supply cards where only the OEM knows the keys. This ** *** ******* ******** *** ******* *** *** ***-***** *** ***** (** ******* ***). A customer may request unique keys to their organization and the OEM will then have to work with the reader vendor to create keys, get Key loading cards/config files and then update the customer's readers for specific keys to that customer -- similar to the HID ELITE key program. [emphasis added]

********, *******, **** **** **** ** the "********" ***** **** *** ** keys *** *********** (********** ** ******* its ** ** **), ******* *** roll *** **** ** **** *** connected ** *** ********** *** * secure **** ******* (**** *** *** ability ** **** ***** ** *******):

** *** **** unlikely ***** that (whether it's LEAF Cc or LEAF Si [it] doesn't matter), but let's, let's say all ** **** *** ***********. I can, for example, have ** ****** **** *** ****, so we do that today, and that is tested, I recommend the end user to have their reader be connected [via] OSDP. And they should, should be [on the] OSDP secure channel, and their controller should have the ability to push a file to the reader. As a result of that, you *** **** *** ******, ** ****, ** *** ** *********** ** *** ****. So you could have you could have a, let's say one month of operations in ***** *** ****** ***** *** * *** ***********, ** *** *********** ** *** *****, ** **** ***** ** ** *** ****. [emphasis added]

Requesting **** ** ****

** *** ** (******) ****, ********* can ******* ** **** **** *** manufacturer **** ******** ****, ** ******** told ****. ** *** **** ** Wavelynx, *** *** ** ** ******* a **** ** ***** *******, ** shown *****:

IPVM Image

**** *****, ********* *** ****** ** be ***** *** *** ********** (***** Safetrust **********) ** ********* * ***** party ** ** ***** *********. ***** on *** ******** **** ** *** from ******** ********* ******** **** ****, only * ***** ******* ** **** end-users ****** ** ** ***** *** custodians, *** **** ***** *** *** manufacturer ** ** ***** *********.

Secure ******** ** ******* ** **** **

** ******** **** ****, ** ********* of **** ** ** *** ******** by * ****** ****, ** * result ** ***** *** ********** **** is ********** ********* *** ****** - this *** ** ******** ******* ****** the **** ****** *** *******, ***** is ***, ********* ** ********, *** PICC *** **** *** ***** *** Wavelynx *******.

**** ****** [********** ** ** *** access ******* ****] is ********** ********* *** ****** **** **** **. Okay, that's the advantage of LEAF Si, it ** ****** ** * ****** ****, *** ** * ****** ** **, *** **** *** ********* ** **********. That ********* ** ********** ** **** ********** ** ****** *** ****** **** **** ***********, meaning it is issued on the secure side. And it's not something that can be modified. That's what gives the assurance of uniqueness of the data.

The **** ****** *** ****** ***** **** ** ******* *** *******. Ever. Nobody knows it, nobody sees it. In fact, we don't know what it is and it's ****** ** ***** ****. So it's essentially non publishable, it cannot be extracted ... So that ****** *** ******** *** ********* ** **** *********** [emphasis added]

Interoperability **** ****

** ******* ****************, *** **** ********** the ********** **** *** ** ****** between *************, ********** ** ****'* ******* (LEAF ** ** **** **).

**** ******* *** ** **** *** an ***-*** **********, ** ******** **** IPVM. ********, ** ******** *** ******* OEM ********, *** **************** ******* **** is ******** ******* ********** ** **** during *** *************, ** ********'* ********* told ****:

**** ********, *** ************** ** **** SI, interoperability ** ******** ******* *** ***** ********* ** ***’* and enabling secure sharing for specific 3rd party products. These **** *** **** ******** ********* ** **** ** *************. In the event that they are not installed at time of manufacturing, products *** **** ******** ******* *** * ****** ******* ** **** with a secure package from Wavelynx. [emphasis added]

*********, ** ******* ******* ** *** LEAF **** ****:

***** ******* ********** ****** ** **** device *** ******** **** *** **** Si **** ** ***** ** ******** security ****** ****** ** * ****** LEAF ********. The **** ******* ******** *** ** *** ** ****-**** ** *** ****** ** ***** **’* ****** ** ******** **** *** ****** ******* **** (***). Each reader that reads the ACD is also required to verify its authenticity by computing their assigned CMAC. [emphasis added]


Open ****** ******* ** * **** **********

******* ** *** ****** ******* ***********, one *** ****** *** *** ************, for *******, *******, *****, ******* ******, etc., ** *** **** **** ***** its **** ****** *******, ** ******** said:

*** *** **** **** **** **** with * ***** **** ** ******* - *** **** *** *** **** on *** ******, *** **** *** output. You *** **** **** ****** *** ******* ** ** * ********* ******* ** *** **** ****** ** *** *** *** ****. So you can literally take a LEAF card and secure it with your own application. On top of that, you can add your own custom encoding, your own safe data room, if you will, your own compartment. There's ** ****** ***** ** ****** ****'* **** *** ******* ** *** *** ***********, whether ***'** ***** ******** ******* ** ******** **** *** **** ** ** ** *** ****. So you can add anything you want to LEAF card. So that's in the LEAF spec. [emphasis added]

***********, ** ********* **** *** **** not **** *** **** ****** *** to ** **, *** ****** *** encode *** **** **** **** ****:

*** **** *** ******* ** *** any *********** ** *** [**** ******* memory ** ***] ****, ******* *** rest ** *** **** ** ****. And ****'* *********. You ** *** **** *** **** ****** *** ** *** ** *********** [emphasis added]

[*] ** ** * ***'* **** a *** ** ****** **** **********, it ***** **** ***********, ****** *** encode ******** ** ** **********?

[*] ***

***** *** *** ****** *** *** applications *** *** **** ** * LEAF **********, *** **** **** ******* has ******* ********** ************ (***** **** the ****** ******* ***********), ********* "******", "Bio [**********]", *** "**** **********" ************, as *** ******* ***** *****:

IPVM Image

******** ********* **** ***** **** ***** to **** *** ***** ** ********'* partners ******:

** *** ****** we **** ******* ************ ******* on here is because we have the various partners ** ******** ******, "***, *** **** ************* *** ** ** **** ** **** ****". But other vendors that don't **** ********* ** *********** **** **** **** ***** **** *** ******* ** *** ***** *** *********** in what's called the Open memory section [emphasis added]

Potential ****-** ******** (**** **)

**, ** *** **** ** **** Si ************* ** *** ***** ***** keys **** ********* (** ******* ** be **** ** **** ** **** for **** ************) *** *** ********* manufacturer ** ****** ******* ******* ******** to ***** *** **** **** ***** manufacturers, * ****-** ********* ***** ******, as ********* **** ****.

**** **** ***** *** *** ********** to **** **, ** ********* **** full ******* **** *** ****.

********* **** **** **** ***** ********* can ****** ************ ** *** **** memory ******* ** *** **** *** vending, *****, ***., **** ****** ****** an ****** ******* ***********, ** *** LEAF **** *** **** **** *** app **** ** ** **** ** designated *** ****** ******* (******):

[*] ** **** ****** **** *** share **** **** ******* **** ******, is ***** * **** ****-**?

[*] My ****** ******* ** *** ***** ** ****** ** **** *******, because while it is true that if a card vendor leaves CreateApplication as “FREE”, they *** ***** ****** ** ****** *** **** ******* **** *********** ***, and therefore any new application they create is NOT per the LEAF spec e.g., you ****** **** *** ************ ** ** ****** ** *** **** ****.

****** **** ** ****** ** *** card, *** **** ****** *** ***** below **** *** *************

** ***** *** ***** *** **** other **** ** *** **** *** PICC ** ********* ***, you ***** *** ****** * ****** **** ********** *********** [*** ****** *******] ** *** **** ****. Thus the second LEAF reader could not read the card.

***** ******** *** *** **** ***** application ***, ** *** ********** **** the *******, **** ******** ******* **** an ***-**** *** **** **************** ******* readers ******* ********** ** **** *** incumbent ************ (***** **** ***** **** to **, ** **** *** *** have ****):

**'* **** * ****** ******, *****? So *** *** **** *** ****** cards, ** **** ******, ** **** NFC ******, *** *** *** *** two ****** ***** ** ********* **********. You **** *** *****, *** ** works **** *** ****** *****, **'* exactly *** ****. ** you *** **** *** ***** **** *** *** ***** ** **** ** * ******** ******. And ***'* *** *** ****** **** **** ******** *****, *** *** **** ** **** ****** ** ******. *** *** **** * ********* *********** **** ***** ** *** **** ****** ** ******, *** *** *** ******* ***'* **** **** ** **** ** **** *****. I [Wavelynx] don't have to know that you're doing this. Right? You don't have to ask for my permission. You don't have to have a license, you just do it. [emphasis added]

**** **** * ******* ************** **** STid **** **** **** **** ** not ******* ****.

Creating ** *********** ******* ** **** ** ***** ****-**

***** ********* **** **** **** *** cannot **** *** ****** ******* ************ in *** **** *********, *** *** create ******* *********** ** *** **** level ** **** (******** ** ******** an *** ****** ****) *** ********* different ******* ** **** **** **** application - * ******* **** ** available ** ******* *****:

*** ***** ****** ** ******* *********** and ********* *** ****** ****** *** a ********* *****, *******, **** ******* the ******* ** *** **** *************.

***, ** ********* *********, **** ******* the ******* ** ****, ***** ******** native **************** ******* *************.

** ******* ** ** **** ** this ** * ******** **** ******** talked *****.

LEAF **. ***

** *** *******, **** ** ****** to ********* *** ******* ** ************ lock-in, ***** ** * ****** ******* in *** ********, ********* ***, **** dominates *** ** ****** ******* ******.

***'* ******** ***** ** ***** ** the **** **** ********* *** **** HID's *********** **** **** ******** **** has ***'* *** (****** ****** ******) in **, *********** ******** *** ****** of ************* *** ********* ** ****** from, ******* *** ****** *****, ******* machine, * ********* ****** ******* ****** for ***** ******** ******, ***.

****'* ****, ** *** ***** ****, can ** **** ** * ****** variety ** ** ******** ************* ** it ** * ********-**** ************* **** everyone *** ******* **. ********, *** open ****** ******* ** **** *********** provides ************* ** ****** **** *** applications, ********* **** ** *** ******** with ***'* ***********.

*** **** ********, *** **** *********** is *** ******* ** ******** **** NXP ******* ***********.

HID's ********

**** ******* *** ** *** ** their **************** ******* **** ********* ***** how *** ******* ****** ***** ****** SE *** **** *********** ** ** read ** ***-*** ******** *** **** (if ***) ************ *** ******* *** to ****, *** *** *** *** provide * *******.

Tens ** ******** ** ***********

**** ********* **** ***** *** ***-**-*** tens ** ******** ** **** *********** deployed, ***** ** *** ******** **** we've ******** **** ******** *********:

(*) ******** ********* "**** ** ********" deployed *** **** ****** *** ************* and ********** ******** "******* *******" ** 2023

(*) ***** ******** "**** **** *** million"

(*) ********* ****** ** ** "*** largest **** ******* ** *** *****" and *** ******** *.* ******* **** credentials ** **** *** ***** ** deploy "***** ** ** *******" ** 2024

"Reached ******** ****" ** ** ******

********** ** *** ******** ****, ******** president **** **** **** ****'** ******* "critical ****" ** *** ** ******, historically ********* ** ***'* ********* (********* protocols ** *******, ***** **** ** based **):

We ********* ***** ******** **** *** *** ***** ******** ****** where through zero marketing zero, pushing this into a standard, it's, it's created its own ecosystem [emphasis added]

"About **" *************, "***** ** **** **" ***-******** ***

*** ** *** ****** ** ****-********** of ****, ******** "**** *** ****" the ***** ****** ** ************* **** have ********* ******** ** ** *********, however, ********'* ********* **** **** **** there *** ***** ** ************* ** the ********* (********* "**** **" ***-******** OEMs):

So ****'* *** ****** ** *** ************* **** *** **** ****** ** **** ** ***'* **** [*** ***** ****** ** ************* ********* ** ****]. ** **** ********* *********, like we initially began standing this up and then beginning to have people self-identify as, "Hey, I've completed this" ... If somebody says, "Hey, I've done this", they just simply say, "I'd like to add, and if you click [the button on the website], and it goes to a Contact Us". .. Just ** ** **** *****'* ***** ** ************* **** **** ********* ** ****. [emphasis added]

**** **** ******** * ****** ** Wavelynx ****, **** ** *****, *** non-Wavelynx ****, **** ** **** *****, Elatec, ***.


*** ******* **** ** **** ***** are "**** **" ***-******** **** (******** did *** ********* ** *** **** of ***** *** ****** ******* ****** manufacturers):

We *** ***** ** **** ** ************* **** *** *** **** using LEAF including print reader manufacturers, electronic lock manufacturers, access reader manufacturers, vending reader manufacturers, logical access manufacturers, datacenter lock manufacturers, physical credential manufacturers, and card printer manufacturers. [emphasis added]

*****.*** (* ******** ***) ** ** example ** * ******* **** ****** LEAF ************* ** *** ***** *** is *** ** *** **** *******.


HID *** **** ** *** ******* ****

*** ****** **** ************* ** ****** control ********, *** *** ****, ** not ******* **** *************, ***** ********** a ****** *** ****'* **** ********. Notably, ****'* ******** ** *****,***** ******, **** **** **** *** ******* could ****** **** **** ************** *** decided *** ** ****** ****:

STid **** *** ********* ******* **** ***********. We have explored the option and are fully LEAF compatible but as of now we are not adopting the credentials.

We **** **** **** ******** ******* *** *** ****** **** **** ************. We have just decided ** *** ****** **** **** as of now.

** ** **** ** ****, *** specification *** ******* ** ******** ****-*** created ** ******** *************, ********* *** and ****, ** ***** ******* **** would ** **********.

Other ******** **** ****

***** **** *** ************* **** ******** has **** ********* ** ** **** and ****** ******* ****************, ********* **** raised ******** **** **** ****** ***** able ** ****** *** **** ****** section ** * **** **********, *** actors *** **** ** **** **** without *** ************ ** ***-**** ******* it:

**** ***** **** ANYONE *** ****** * *** *********** *** ***** ** *** **** **** ** *** **** - just as Wavelynx has indicated to you. This **** ***** **** *** ***** ** *** **** ****** **** * ********* ****** **** ******* ** *** ** *** ***** ***** ** *** **** *** *** ***** ****** ****** ** [as the end-user doesn't have the PICC key in the Si case]. The card owner would also have no idea what has been put on their card - useful, garbage or unlawful.

This *** ** ********* **** * ****** '*****' ** *** **** ** * ***** ***** ****** ** *** ******* *****. The update is done in a fraction of a second. [emphasis added]

**** *** ** ********* ** *********, as ** ********** *** *********** ** creating **** (** *** ****** ** filled **** ********* ************) ** ****** apps **** ***** *********, ** *********'* CEO **********:

*** ******** ****** ***** $ *** buys ** ** **** ******* ** possibly *** ************ ** *** ******. A ********* ***** ***** ******* ** *** ** ***** *** ******** *** ***** ** *** *** ***** ** *** **** **** *** ******** ********* *** ****** ***. There is nothing the customer can do to stop or delete this unwanted application, further some unknown data now resides on a corporate identity card to which the company has no visibility. The only option to reset, is to throw the card away and start again, because the customer does not have the PICCMaster key. [emphasis added]

********* **** **** **** *** ************** of **** **** *** ***** ******* app ******** ********** *** **** ******* memory ** *** **** ****.

** ******* ** ** **** ** this ** * **** ****, ** we ** *** **** **** **** bad ****** *** *** **** *********** in **** *** ** *** ********** it ** ** ** ** **** LEAF *********** ******** ** ******** ************.

LEAF **** *** ******* "*** *******," **** *********

******* ***** **** ********* ******* ** to **** ** **** **** **** not **** **** ********* **** *** management *** **** *** **** ************* that **** **** **** **** "**** symmetric *** *******," ** *** *** Jason **** **** ****:

******* **** ****** ****** ** ********* keys, *** ********* ** *** *** ceremony *** *** *****-******* ** **** step ** *** ********* **** *********, how ** ** ********* *** ***** to ** ********* ***.

****** ****, **** ****** ** ******* [NXP *************] ** * **** **** model, but ******* * *** ********** ********* **** **** *** **** **** **** ******** *** *** ********** which is expected/required by InfoSecurity teams. This means, LEAF *************** ** **** **** **** *** *** **** ********* *** ******* ******* ** ***** **** ******** ***** ******* ** **********. The industry is evolving beyond the blind faith in a PACS vendor's "trust me we are secure" when generally they have little prior experience with information security or key management practices. [emphasis added]

** ****'* *******, *** ********** *** created ** ******* * ********* ***** of *** ****** **************** ******* *************.

Safetrust ******** ****, *** ******** ***** "***********" *** ************

********* **** **** **** ** ******** LEAF ** ** ***** ** ***** the ******* ******** *** ***** ***** being ******** **** *********** *** ************:

We ******* **** and other specifications like NXP’s equivalent AN10957 as they do *** ** ***** *** ******* ******** **** * ****** ****. I think we ****** **** ** ******** ***** *********** *** “****************” when there is not an independent certification process like there is for say SIA OSDP. [emphasis added]

Mixed ******** ** **** ***********

***** ***** *** **** ** ******** of *********** ********, **** ** *** a ****** ***** **********, ** **** received ***** ******** ** ***-***** ***** aware ** ****. ** *** ****, Brivo **** **** **** ********* ******* LEAF ** "**** **** **** ** [their] *************." ** *** ***** ****, however, *********, *** ****** ** **** the ******* **** ******* ** *** world, **** **** **** ********* **** limited ********* ** ****, *** *********'* involvement **** **** ** "* ***" that *** ************* **** ****** ****** adopted ** *** ******.

Improved ******* ******

****'* ******* ******* ** ********, ***** Wavelynx ******. *** *******, ** ***** says **** ********* **** ** ******** LEAF ** **** ("***-***** *** ****** to *** ***** *** **** *** or **** **** ******* ** * 3rd ***** can ******** **** ** [emphasis added]"), something that was discontinued 3-4 years ago, as Wavelynx's president told IPVM. Additionally, it barely mentions LEAF Si, has outdated lists of partners and supporting products, etc.

** ******* ******* *** **** *********** the *********** ******* **** ** *** LEAF **, ***** ********* ***** *** initiative, *** ***** ***** ********.

Looking *** **** *********** ** ****

**** ** ****'* ***** ****** ******** LEAF, *** ** *** ******* ** learn **** ***** **** **********. ** you **** ******** ** *****, ****** reach *** ********@****.***. ** ******* **-***-******, ***-***-******, *** "on-background" (*.*., *** ********** ** ***) conversations.
