You know, I swear I looked at this a few weeks ago and had a few problems with it, but I guess it seems like this could be workable. Not as robust as proper PKI, as I'd like it to be, but I'm having a hard time remembering why I didn't like this before when I looked at it... Thanks for the link; I'll think about it more.
The ICs they use in passports support proper PKI, and are passive. I still have a ~300+ page spec for an Infineon IC commonly used in passports that I got under NDA, and I just don't think most uses call for such security/complexity.
It's important to note that originally the key difference between NFC and RFID was that the NFC-enabled phone was supposed to be able to fall back to power-less operation (inductive coupling) when the phone ran out of juice.
Phones that have put their NFC chip into card emulation mode for insecure communication (that doesn't require security via the SIM) can in theory still operate without the phone itself being on; the Nokia 6131 apparently did this. Since it was seen as a potential attack, nearly all phones with NFC now must be on, and the screen unlocked, before the NFC radio is activated.
I didn't realize security was why they pulled that functionality. Back in 2007, I was using that Nokia phone as part of my pitch to parking meter companies and others in the parking industry (we were a startup company). None of us would have guessed that it would take this long for NFC to materialize, but it seems the credit card companies and cell phone companies are still arguing over who owns the customer.