The bank fraud blame game

[Hal Finney]

pgut001 at cs.auckland.ac.nz (Peter Gutmann) writes:
> (The usage model is that you do the UI portion on the PC, but perform the
> actual transaction on the external device, which has a two-line LCD display
> for source and destination of transaction, amount, and purpose of the
> transaction.  All communications enter and leave the device encrypted, with
> the PC acting only as a proxy.  Bill of materials shouldn't be more than about
> $20).

In theory the TPM was supposed to allow this kind of thing.  The idea
was that the OS would support secure applets that could not be molested
by legacy software.  Only such an applet would have access to your
payment information.  Some specialized, perhaps customized screen would
be displayed by the applet to get you to authorize the final transfer.

This was one of the main goals of the TPM as I understood the concept.
Unfortunately everyone got focused on the DRM aspect and that largely
torpedoed the whole idea.  Still we might see it eventually.  Research
in this direction is still going on, particularly in IBM's Integrity
Measurement Architecture[1] and some of the new security extensions to
the Xen virtualization software[2].

Hal Finney

[1] http://domino.research.ibm.com/comm/research_people.nsf/pages/sailer.ima.html
[2] http://xensource.com/files/xs0106_security_print.pdf , also
    http://www.hpl.hp.com/techreports/2007/HPL-2007-69.pdf

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com