remote-attestation is not required (Re: The bank fraud blame game)

John Levine johnl at iecc.com
Tue Jul 3 13:53:19 EDT 2007


>I do not believe the mentioned conflict exists.  The aim of these
>calculator-like devices is to make sure that no malware, virus, etc. can
>create unauthorized transactions.  The user should still be able to
>debug, and inspect the software in the calculator-like device, or
>virtual software compartment, just that installation of software or
>upgrades into that area should be under direct explicit user control.
>(e.g. with BIOS jumper required to even make any software change!)

In view of the number of people who look at an email message, click on
an attached ZIP file, rekey a file password in the message, and then
run the program in the file, thereby manually installing a virus, it's
way too dangerous to let users install any code at all on a security
device.

R's,
John

PS: Yes, they really do.  I didn't believe it either.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


