: It seems like you are oversimplifying
the problem space to an enormous degree. For instance, if
I present you with a valid cert, how do you know that it is
actually mine? If we have no pre-defined trust
relationship, you can't know. But then let's say we do
have a pre-defined trust relationship, and someone
identifying themselves as me with my cert tries to make
some kind of transaction with you. This requires you to
trust me in two very important (but distinct) ways: first,
you need to trust that I am technically competent enough to
keep my private keys to myself. And second, you need to
trust that I am reliable enough a person that I am not
going to give someone else my private key. It's not as
simple as saying "lets all get smart cards and make browser
plugins" - it is a rich and complicated area of research.
If it were an easy problem, it would be solved by now.
People have been working on this for a couple decades.
It's good to think about, but please realize that there is
a lot of hard work still to be done. And it isn't all just
technological. If you're aiming to have a solution to
counter Passport, there are a number of existing projects
to look into. I'm involved in the Internet2 web-iso and
Shibboleth projects, for example. I know that there are
many others. Just some food for thought.