[Cryptography] So please tell me. Why is my solution wrong?
Thierry Moreau
thierry.moreau at connotech.com
Thu Feb 16 09:52:59 EST 2017
On 15/02/17 10:24 PM, John Levine wrote:
> In article <CACQRC431R7+vcZ9e7Cyyfc1riq9kKuPYy=9hCxwypZ_VcaRj0A at mail.gmail.com> you write:
>> Having dongles where you just press a button would be much
>> better, so don't tell me that they are available right now.
>
> They are available right now. I know this because I am holding two of
> them in my hand. One is a U2F key by Yubico, the other is a Plug-Up
> security key. They both implement an open spec from the FIDO
> alliance.
I wonder to what extent the "open" qualification actually applies (IPR
encumbrance, completeness of the specification, mandatory consortium
membership fees, ...).
> Physically, they're USB dongles that pretend to be keyboards and send
> a text string, when you push a button on the Yubico, or when you plug
> it in with the Plug-up. They are about the size of a house key and
> have a hole so you can put them on a keychain.
>
> I use one of them to secure my Google account. They work pretty well
> if you're using a computer with a USB port, not at all from a phone
> since there's no place to plug them in, and even with a USB to micro
> USB adapter, phone apps tend not to expect input from a physical
> keyboard.
>
> Then there's Google Validator, an app that runs on your phone and
> generates those six-digit codes. It's also an open spec, anyone can
> use it and many do.
Does "open spec" mean a no-fee download from the Google-controlled app store?
(I am not knowledgeable of the mobile app development environment, but the
last time I checked, the basic required hardware was hard to procure
without developer licenses carrying too much -- seemingly -- innocuous
legalese.)
> My Validator app generates codes for my Amazon
> account, my Hurricane Electric tunnelbroker account, my Tucows
> registrar account, my Bitstamp account, my Synology disk server, and
> also my Google account.
>
> None of this is obscure.
All these services are controlled by remote entities. To some readers of
this list, those remain difficult to trust, and perhaps plainly obscure.
> It's all easy to find if you look for it.
Maybe it's available with some leap of faith in security techniques
implemented by those remote entities. However, trust backed by a
reasonable security review appears totally out of reach.
Regards,
- Thierry