remote-attestation is not required (Re: The bank fraud blame game)
John Levine
johnl at iecc.com
Tue Jul 3 13:53:19 EDT 2007
>I do not believe the mentioned conflict exists. The aim of these
>calculator-like devices is to make sure that no malware, virus etc. can
>create unauthorized transactions. The user should still be able to
>debug, and inspect the software in the calculator-like device, or
>virtual software compartment, just that installation of software or
>upgrades into that area should be under direct explicit user control.
>(e.g. with BIOS jumper required to even make any software change!)
In view of the number of people who look at an email message, click on
an attached ZIP file, rekey a file password in the message, and then
run the program in the file, thereby manually installing a virus, it's
way too dangerous to let users install any code at all on a security
device.
R's,
John
PS: Yes, they really do. I didn't believe it either.
---------------------------------------------------------------------
The Cryptography Mailing List