Status of SRP
Anne & Lynn Wheeler
lynn at garlic.com
Sat Jun 3 09:01:57 EDT 2006
Florian Weimer wrote:
> FINREAD is really interesting. I've finally managed to browse the
> specs, and it looks as if this platform can be used to build something
> that is secure against compromised hosts. However, I fear that the
> support costs are too high, and that's why it hasn't caught on in
> retail online banking.
if they can build a $100 PC ... you think that they could build a
finread terminal for a couple bucks. sometimes there are issues with
volume pricing ... you price high because there isn't a volume and there
isn't a volume because you price high.
there is one issue missing from the actual FINREAD specification.
when we were doing X9.59 financial standard ... we allowed for a digital
signature for authentication as well as for a digital signature from the
environment that the transaction was performed in. the issue from a
relying party standpoint ... is what assurances do they have as to the
actual environment that a transaction was executed in. consumers could
claim they were using a FINREAD terminal when they weren't. counterfeit
FINREAD terminals could be out in the wild.
part of the x9.59 financial standard looked at the assurance/integrity
that a relying party might have with regard to the actual authentication
... one factor, two factor, three factor ... and the actual
assurance/integrity of the associated factors (or conversely, how
vulnerable were the factors to compromise). this somewhat led into also
having to consider the assurance/integrity environment that the
authentication took place in (and what assurances would a relying party
have with regard to the environment).
part of it has been some past inclination to just specify some standard
... w/o regard to how a relying party might actual have assurances as to
whether some standard or another was being followed in an open
environment (and considering threat scenarios that might involve
compromise/impersonation of various components).
for instance, there was a recent scenario in the UK where crooks were
impersonating maint. people and were updating secure POS terminals with
compromised components.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list