Another entry in the internet security hall of shame....
Ian G
iang at systemics.com
Mon Aug 29 15:06:04 EDT 2005
Anne & Lynn Wheeler wrote:
> the major ISPs are already starting to provide a lot of security
> software to their customers.
>
> a very straight forward one would be if they provided public key
> software ... to (generate if necessary) and register a public key in
> lieu of password ... and also support the PPP & radius option of having
> digital signature authentication in lieu of password checking
> http://www.garlic.com/~lynn/subpubkey.html#radius
Right. And do the primary authentication of the key
using some other mechanism that is outside the strict
crypto.
(IOW, Dave, your plan will work, as long as it is
built from ground up with no prior baggage! IMHO!)
This is such a no-brainer that when I first came
across the solution over a decade ago now, I never
gave a thought as to how it could be anything but
the one way to do things. It just works, and very
little else works anywhere as well.
Yet, we are still grubbing around like cavemen in
the mud. And then there is this:
http://www.business2.com/b2/web/articles/print/0,17925,1096807,00.html
$5M Mobile ID for Credit Card Purchases
WHO: John Occhipinti, Woodside Fund, Redwood Shores, Calif.
WHO HE IS: A former executive at Oracle and Netscape, Occhipinti is a managing director and security specialist, leading investments in BorderWare and Tacit.
WHAT HE WANTS: Fraudproof credit card authorization via cell phones and PDAs.
WHY IT'S SMART: Credit card fraud is more rampant than ever, and consumers aren't the only ones feeling the pain. Last year banks and merchants lost more than $2 billion to fraud. Most of that could be eliminated if they offered two-part authentication with credit and debit purchases -- something akin to using a SecureID code as well as a password to access e-mail. Occhipinti thinks the cell phone, packaged with the right software, presents an ideal solution. Imagine getting a text message on your phone from a merchant, prompting you for a password or code to approve the $100 purchase you just made on your home PC or at the mall. It's an extra step, but one that most consumers would be happy to take to safeguard their privacy. More important, Occhipinti says, big banks would pay dearly to be able to offer the service. "It's a killer app no one's touched yet," Occhipinti says, "but the technology's within reach."
WHAT HE WANTS FROM YOU: A finished prototype application within eight months. "I'm looking for the best technologists in security and wireless, the top 2 percent in their industry," Occhipinti says. The team would need to be working with a handful of banks and merchants ready to start trials, in hopes of licensing the technology or selling the company.
SEND YOUR PLAN TO: jco at woodsidefund.com
The funniest part of all is that even though we
know how to do it in our sleep, Paypal actually
built one as their "original offering" and threw
it away...
> at that point your public key is now registered with your ISP ... and
> possibly could be used for other things as well ... and scaffolding for
> a certificateless trust infrastructure.
Yup. But this will only work if you go back to
basics and build the structure naturally around
the keys. IOW, not using anything from PKI.
> lots & lots of past postings on SSL landscape
> http://www.garlic.com/~lynn/subpubkey.html#sslcert
Watching security thinking advance is like watching
primates evolve from close distance. Either we die
of old age before anything happens, or we get clubbed
to death...
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list