Smart cities.
When a single resident credential travels across transit, parking, library, recreation, parking-meters, and city services, the security architecture under it has to scale across a portfolio of issuers without leaking keys to anyone.
A city-wide credential, in practice
The DESFire application model fits this perfectly. One card, many applications, each with its own key set. Transit fares live in one application; library access in another; community-centre membership in a third. None of them share keys. A breach in one application does not propagate to the others.
The SAM model fits too. Different city departments can hold different SAM personalisation profiles — each owns their keys, none of them sees anyone else’s. The card is one credential the resident carries; the back office is several departments that never trust each other with their key material.
Designing a city-wide credential program?
The hard part isn’t the cards or the readers — it’s the inter-departmental key-custody model. Talk to engineers.