Hmm, where do I start...
First off, you are looking at too high a level when you start talking about "controlled data security" with regard to "Privacy" with RFIDs.
It is not possible to secure them at the lowest level (unpowered state) against quite basic attacks like "present / not present", even when they do not "data respond" to interrogation under "User Control" (which can only happen in the powered-up state).
All RFIDs, by their very core design, respond to several different R.F. frequencies. The RFID needs to do this to gain sufficient power for the chip onto a small-value capacitor. This is accomplished by a "tuned circuit" and a diode to rectify the R.F. current induced into the tuned circuit. The tuned circuit is usually a "large-area" "pick-up coil" and a resonating capacitor used to increase the "Q" (quality factor) of the coil, giving a higher output voltage and also giving it a degree of selectivity.
You can determine various things about this tuned circuit, like its powered and unpowered "Q", its characteristic impedance curve against signal level, and also its harmonic response. All of this with equipment that would have been available during the Second World War...
Worse, due to the nature of the tuned circuit design, it resonates at many frequencies right up into the lower end of the microwave band. The frequency response is sufficiently consistent from device to device in the same product, and sufficiently different from product to product, that it could easily form the basis of an RFID-type identifier or "fingerprint"...
As long as the pick-up coil has a load of some form (i.e. it does not have to be a capacitor) it can be detected simply by the effect it has on the R.F. "H field". Admittedly this is at very close proximity to the coil. Only when the loaded coil cannot see the "H field" will it not be detectable (i.e. sufficient screening).
However, when you have the diode connected to the pick-up coil and a load across its output, all sorts of interesting things happen (again irrespective of whether the coil is resonated).
First off, the circuit is no longer passive but active: the diode has a characteristic that is very nonlinear and generates lots and lots of interesting harmonics. These can be examined fairly easily at a considerably greater distance.
When combined with variable-frequency scanning, a very, very large amount of information becomes available. All you require is some method to analyse the information and correlate it with a database of "known RFID pick-up circuits".
At this point it is game over, and the RFID chip has not even powered up, but its presence and type have been determined. The only unknowns left are on the RFID chip, which is where you start to talk about "User Control", but as I said this is only when the chip is powered up and correctly reset, and you are not there yet...
So as the chip starts to power up, another set of interesting things happen. It behaves in an apparently random fashion until there is sufficient power for the chip to reset itself correctly.
Well, this "apparently random" behaviour is accompanied by R.F. radiation from the chip. This signal has certain characteristics that again can be measured, and guess what, it can identify which batch the chip comes from. Also, although random-looking, it is far from random, and the chip is effectively in a "temporary fault state" until it has sufficient power to reset and start operating correctly.
Now, whilst the chip is in the "twilight zone" the fun can really start. Do you remember Differential Power Analysis?
Do you know what happens when DPA is coupled to "Power Fault Injection" in an RFID?
Well, neither do most people, simply because last time I looked nobody has seen fit to publish any significant data on it...
The only RFID DPA stuff I had seen used standard card readers and apparently only looked at the stable powered up state (looking for data leakage under normal operating conditions)...
What sort of secrets are going to leak in the "twilight zone" before the "User Control" becomes active?
Finally the chip is powered up, it has reset itself to a "sane state", and it starts to execute its code. What info does it leak before it gets to the "User Control" software?
Let us move on: you actually have an RFID under your physical control that might contain data you are interested in.
Have you heard about Pico Probe Fault Injection attacks?
They are like highly directed EMP attacks on individual areas of a chip.
What about Laser Fault Injection attacks?
The laser adds energy to individual transistors to flip bits in the CPU or other areas.
What about modulated R.F. Injection attacks?
Little is written about these, but basically you use a low-level R.F. signal; it gets envelope-demodulated by components in or around the chip to produce offset voltages and signals to induce faults.
What about R.F. Remodulation attacks?
This is where you put the chip in an R.F. field and the functioning of the chip modulates the R.F. field. You pull the field off using an IQ demodulator and feed the info into a computer to mung the signal about in much the same way as with DPA.
Some of these attacks are still working against Smart Card chips, and I do not know of anybody trying them yet on RFIDs.
When, and only when, these questions have been answered and all of them designed out is it time to start looking at higher-level security.
But wait, there is a problem: the CORE RFID design says an R.F. pick-up coil is required. Oops, you cannot design it out, and potentially it can fingerprint the RFID...
Hmm are RFIDs secure by design then?
Answer = NO
Therefore are they fit for purpose when dealing with physical security such as "present not present" ?
Answer = NO
So on to your point A, you say,
"Absolute transfer of control without algorithmic predictability of keys/identifiers or trusted parties is essential here"
Ah, it's not going to happen. Due to production-line reliability issues the manufacturer is always going to have a master override to put the RFID chip into an unlocked and sane state. Just like JTAG on complex ICs.
With that reasonable assumption, is the master override also going to wipe the contents of the mutable memory in the RFID? Probably not, again due to reliability, this time in the field. After all, you don't want to lose the information in a UPS depot where it is used to route every package, do you? Especially when it's some Script Kiddie Cracker doing a drive-by...
Your point B, hmm, not sure how you would do this in practice, but it is likely to add a hefty area of silicon and therefore cost on each RFID.
Your point C, I definitely agree, but will the U.S. Gov TLAs? They want low-cost and contactless technology in ID documents. They are very set on RFID and have effectively forced it on the rest of the world. And more importantly the ball is already rolling quite quickly; who's going to be big enough to stop it rolling?
Your point D, well, if there is financial gain to be made by fingerprinting RFIDs then it will happen as a natural consequence, both commercially and criminally. The more money to be made, the faster it will happen 8(
As you can see from above there are a large number of unanswered questions about the fingerprinting of RFIDs.
As for your E see ===paranoia=== below ;)
Are generic back doors actually back doors when they are for testing? Microsoft fell foul of the JTAG pin on one of its chips in the X-Box, which supposedly enabled sufficient information for a hack to get past some of Microsoft's security features.
It is impossible to say what attacks will be profitable. RFIDs are only just starting their life cycle; they will be with us for 30+ years in one form or another due to the Passport requirement. Who knows what high-value item they will get incorporated into, or used like a Smart Card as a security token to a high-value DB, etc.
With regard to ID, assume RFIDs are put into shirts, jackets, shoes, etc. for stock control. No apparent security issues there as far as a number of U.S. stores are concerned, as they have already "rolled out" RFID systems. As the RFIDs need to be very, very low cost, as do the readers, etc., there will be no features like rotating IDs.
Ask yourself, as you pay with your credit/debit card at the checkout, if they are logging your Card ID against the RFID ID for "returns policy". Assuming they are, how many RFIDs does it take in what you wear to reasonably identify you at every RFID scanner you pass?
Even if you think they are all deactivated there will be some you miss for whatever reason.
The problem, as I highlighted above, is that as long as the R.F. part of the RFID is working, fingerprinting is possible, and therefore attacks on the system will almost certainly follow.
The big problem with trying to set an agenda is knowing what it is you are trying to achieve. With RFIDs the whole technology shouts "Unknown Exploitable Side Channel Attack Built In".
As has been observed on these blog pages in the past, nothing is "fool proof", especially when people doing system design do not have the ability to recognise their limitations. For instance the "Nike+iPod Sport Kit".
And now back to my scenario for your point E,
A not-worst-case scenario where several parts have already happened to people in the U.S., and it involves the use of RFIDs in a "stock tracking" role.
Take medication, for instance: do you care if I know you are carrying it? The answer in most younger people's cases is probably yes.
So you invoke "User Control" and turn the RFID in the blister pack off, as work is touchy about drug usage (i.e. requires reporting of medications) and you find your condition difficult to talk about and more than a little distasteful.
But I am, for argument's sake, your employer. I get a call from the Techs to say that you have something on you that upsets the ID card reader for automatic door opening, and that it was caused by something in your jacket pocket that you did not want to take out or discuss with them.
All very suspicious. The obliging Techs tell me that it is most likely an RFID which has "User Control" activated, as it exercises a bug in the scanner (due to its failing the "Present / not Present" test). The Tech mentions he has seen it before on several occasions. I ask what the cause is and he says "In most cases pill packs where the user has turned the RFID off".
What do I do now, ignore the issue (unlikely in this day and age)? I decide to talk to you, and you clam up and make me even more suspicious.
What next? Do I get HR to ask you directly? Do I get security to give you a random search? Neither; after all, after the little chat you are bound to know I told them to do it and you might sue, hmm...
No, I talk to the Tech again. He tells me he can find out what it is with a hand scanner. He scans you again to get the RFID characteristics to get the manufacturer / type / batch number info and looks it up in an Internet database. He sends me the URL of the result.
Oh look, it's a drug called Amitriptyline. I look it up and see that it is used for "treatment of depressive illness of psychotic or endogenous nature". I see the word "psychotic"; oh no, what do I do? After all, I have a "Psycho" on the payroll; think of the "liability". You become an "outsourced unit of work resource".
Oh dear, all you actually have is a bad case of nerve pain after shingles, and the drug is a Tricyclic antidepressant most commonly used for this condition. Ah well, you can always get another job, or can you?
Who have I told? Whose confidential employee screening database does it appear in that you were "Let go due to suspected mental health problems / instability"?
You find you cannot get work at the same level, you do become depressed, and you find it difficult to hold down even low-paid jobs due to reliability problems. You don't have Medicare as you are unemployed, and your depression gets worse. Now no employer will touch you, as their health insurers say (confidentially, of course) "employ him and we will significantly increase your premium".
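The comment above invokes Differential Power Analysis twice (the "twilight zone" DPA question and the "mung the signal about in much the same way as with DPA" step of R.F. remodulation) without showing what the analysis step actually does. The following is an added example, not code from the commenter or from any RFID vendor: it simulates power traces for a single AES S-box lookup with a Hamming-weight leakage model plus Gaussian noise, then runs the classic Kocher difference-of-means DPA to recover the key byte. The traces, the leakage point and the noise level are constructed assumptions for the demonstration; real RFID traces would come from an IQ demodulator or a current probe, and the same selection-function-and-partition logic would be applied to them.

```python
import random

def _aes_sbox():
    # Build the AES S-box from first principles: GF(2^8) inverse, then the affine map.
    # Done this way so the table needs no transcription and is self-checking.
    def gf_mul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a <<= 1
            if a & 0x100:
                a ^= 0x11B          # reduce modulo x^8 + x^4 + x^3 + x + 1
            b >>= 1
        return r
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for _ in range(4):          # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _aes_sbox()
HW = [bin(i).count("1") for i in range(256)]   # Hamming weight lookup

def simulate_traces(key_byte, n_traces, n_samples=8, leak_at=3, noise_sd=1.0, seed=1234):
    """Constructed traces (assumption, not measured data): sample `leak_at` carries
    HW(SBOX[pt ^ key]) plus Gaussian noise; every other sample is noise only.
    Returns a list of (plaintext_byte, trace) pairs."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n_traces):
        pt = rng.randrange(256)
        trace = [rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
        trace[leak_at] += HW[SBOX[pt ^ key_byte]]
        traces.append((pt, trace))
    return traces

def dpa_difference_of_means(traces, target_bit=0):
    """Kocher-style DPA. For every key guess, predict one bit of the S-box output,
    split the traces on that bit, and record the peak |mean(set) - mean(clear)|
    across all sample points together with the sample index where it occurred.
    The correct guess partitions the traces in a way that correlates with the
    real leakage, so its peak stands out; wrong guesses average towards zero."""
    n_samples = len(traces[0][1])
    results = []
    for guess in range(256):
        sum_set = [0.0] * n_samples
        sum_clr = [0.0] * n_samples
        n_set = n_clr = 0
        for pt, trace in traces:
            if (SBOX[pt ^ guess] >> target_bit) & 1:
                n_set += 1
                for i, v in enumerate(trace):
                    sum_set[i] += v
            else:
                n_clr += 1
                for i, v in enumerate(trace):
                    sum_clr[i] += v
        if n_set == 0 or n_clr == 0:
            results.append((0.0, -1))
            continue
        diffs = [abs(sum_set[i] / n_set - sum_clr[i] / n_clr) for i in range(n_samples)]
        peak = max(diffs)
        results.append((peak, diffs.index(peak)))
    return results

def recover_key_byte(traces, target_bit=0):
    """Return (best_guess, peak_height, leaking_sample_index)."""
    results = dpa_difference_of_means(traces, target_bit)
    best = max(range(256), key=lambda g: results[g][0])
    return best, results[best][0], results[best][1]

if __name__ == "__main__":
    secret = 0x2B                       # the byte the attacker wants to recover
    traces = simulate_traces(secret, n_traces=1000)
    guess, peak, where = recover_key_byte(traces)
    print(f"recovered 0x{guess:02x} (truth 0x{secret:02x}), peak {peak:.2f} at sample {where}")
```

The selection function here is the least-significant bit of the S-box output; in practice an attacker tries each bit (or switches to a correlation attack on the full Hamming weight) and keeps whichever gives the cleanest peak. The point the comment makes is that none of this needs the chip's "User Control" logic to cooperate: as long as something about the chip's power or R.F. behaviour depends on secret data, this partition-and-average step will eventually find it.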