Status of SRP

Anne & Lynn Wheeler lynn at garlic.com
Sat Jun 3 09:01:57 EDT 2006


Florian Weimer wrote:
> FINREAD is really interesting.  I've finally managed to browse the
> specs, and it looks as if this platform can be used to build something
> that is secure against compromised hosts.  However, I fear that the
> support costs are too high, and that's why it hasn't caught on in
> retail online banking.

if they can build a $100 PC ... you think that they could build a 
finread terminal for a couple bucks. sometimes there are issues with 
volume pricing ... you price high because there isn't a volume and there 
isn't a volume because you price high.

there is one issue missing from the actual FINREAD specification.

when we were doing X9.59 financial standard ... we allowed for a digital 
signature for authentication as well as for a digital signature from the 
environment that the transaction was performed in. the issue from a 
relying party standpoint ... is what assurances do they have as to the 
actual environment that a transaction was executed in. consumers could 
claim they were using a FINREAD terminal when they weren't. counterfeit 
FINREAD terminals could be out in the wild.

part of the x9.59 financial standard looked at the assurance/integrity 
that a relying party might have with regard to the actual authentication 
... one factor, two factor, three factor ... and the actual 
assurance/integrity of the associated factors (or conversely, how 
vulnerable were the factors to compromise). this somewhat led into also 
having to consider the assurance/integrity environment that the 
authentication took place in (and what assurances would a relying party 
have with regard to the environment).

part of it has been some past inclination to just specify some standard 
... w/o regard to how a relying party might actual have assurances as to 
whether some standard or another was being followed in an open 
environment (and considering threat scenarios that might involve 
compromise/impersonation of various components).

for instance, there was a recent scenario in the UK where crooks were 
impersonating maint. people and were updating secure POS terminals with 
compromised components.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list