A system includes a portable information device and a computing unit, and is architected to enable the portable information device to identify its type and properties to the computing unit. The portable information device has a processor and a memory. The memory stores a device class tag which is indicative of a type of the portable information device. When communication is established between the portable information device and the computing unit, the portable information device sends an initial message which includes a result of a mathematical operation involving the device class tag. The mathematical operation renders it computationally difficult or infeasible to deduce the device class tag from the result so that the device class tag is not exposed from the portable information device. The result might be a hash value of the device class tag which is derived using a hashing function, or data that has been signed using the device class tag as a private signing key. The computing unit uses the tag-related portion of the message to identify the type of the portable information device. The computing unit has access to a record which correlates the hash value or complementary device class public signing key (i.e., the complementary version of the device class tag when used as a private signing key) with the type of device, as well as with the device's security properties and operating attributes. The computing unit cross-references the hash value or device class public signing key to determine the device type. The computing unit can be a certifying authority which issues a certificate confirming the identity and type of portable information device. The certificate is stored on the portable information device and presented thereafter to all communicating agents to identify the device type and attributes for transactions.