fyi: bear/enforcer open-source TCPA project

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Sep 11 08:53:36 EDT 2003


Rich Salz <rsalz at datapower.com> writes:

>Second, if the key's in hardware you *know* it's been stolen.  You don't know
>that for software.

Only for some definitions of "stolen".  A key held in a smart card that does
absolutely everything the untrusted PC it's connected to tells it to is only
marginally more secure than a key held in software on said PC, even though you
can only steal one of the two without physical access.  To put it another way,
a lot of the time you don't need to actually steal a key to cause damage - it
doesn't matter whether a fraudulent withdrawal is signed on my PC with a
stolen key or on your PC with a smart card controlled by a trojan horse, all
that matters is that the transaction is signed somewhere.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List