Status of SRP

Florian Weimer fw at deneb.enyo.de
Tue Jun 6 03:17:14 EDT 2006


* Anne & Lynn Wheeler:

> Florian Weimer wrote:
>> FINREAD is really interesting.  I've finally managed to browse the
>> specs, and it looks as if this platform can be used to build something
>> that is secure against compromised hosts.  However, I fear that the
>> support costs are too high, and that's why it hasn't caught on in
>> retail online banking.
>
> if they can build a $100 PC ... you think that they could build a
> finread terminal for a couple bucks. sometimes there are issues with
> volume pricing ... you price high because there isn't a volume and
> there isn't a volume because you price high.

The problem is not hardware costs, but support costs.  You really
don't want to outsource this to the cheapest call center in the world.
Even relatively simple changes like the indexed TAN rollout are
rather expensive as a result.

> there is one issue missing from the actual FINREAD specification.
>
> when we were doing X9.59 financial standard ... we allowed for a
> digital signature for authentication as well as for a digital
> signature from the environment that the transaction was performed
> in. the issue from a relying party standpoint ... is what assurances
> do they have as to the actual environment that a transaction was
> executed in. consumers could claim they were using a FINREAD terminal
> when they weren't. counterfeit FINREAD terminals could be out in the
> wild.

You mean something like remote attestation?  I find it hard to believe
that this capability is available today in a relatively open
environment, on a platform supporting multiple applications developed
by different applications.
