Anders Rundgren wrote:

It seems that you don't believe much in technical solutions as enablers.

In fact I do. But still there are non-technical issues to be solved for which no technical solution exist. And I think that steadily inventing new standards is not a solution for establishing a technology (here cryptography in general).

Let me take a practical example. In the EU most on-line banks use two-factor authentication. The majority of these use OTP (One Time Password) solutions that definitely not are without cost as well as susceptible to phishing. In addition OTP is not terribly convenient for users but that is (of course) something the banks care a little bit less about. So why don't they use PKI instead?

There are several reasons for that. One was that if you want to use smartcards as key store for better security you have to install software and hardware on the user's system. Most times the smartcard "middleware" was quite buggy, sometimes it was simply unmaintained crap. Also the card software was not available for all the client systems out there (not everybody uses Windows). That's why e.g. HBCI never hit the mass market.

Currently it gets a little bit better with some crypto tokens.

But crypto tokens are not suitable for S/MIME encryption keys because of the growing key history needed. So one has to distinguish PKI-enabled applications.

Some people say it is because PKI is difficult and introduces legal and liability hurdles. IMNSHO this is total BS since a bank-local PKI isn't designed to work outside of the bank's domain.

I agree here.

PKI in such a setup is just another kind of password.

Hmm, here I disagree since a password, even when used like in Kerberos, leaves the user's system (directly or as shared secret) whereas a private key used for signing something during authentication never leaves the key store of the client's system.

So what is then real problem?
1. The European Smart Card industry who do not want to become suppliers of commodities.

???
Each time I talked to smartcard vendors they were keen on selling their stuff. The more the better.

2. Governments who believe that ID-cards and eID are natural combos in spite of the fact that USB and USB memory sticks are everywhere, while the traditional smart card interface is not. 3. Governments claiming that the use-case for physical IDs and eIDs are essentially the same 4. Governments that do not understand that their eID concept does not address more than a tiny fraction of their citizens' needs for authentication on the Internet
5. Governments investing in stuff like CEN 15480 and ISO/IEC 24727

Do you think banks care for governments at all? They don't!
I saw some banking PKI fail since they believed: We're big enough and we invent our own stuff which rules out everything else. They mainly suffered from internal politics and the DOT.COM blurb.

6. Governments pushing bizarre Bridge CA concepts

BTW: The Bridge CA in Germany was not invented by the government. IIRC the founders were a bank and a big telco company.

PKI for consumers will become bigger than OTP when PKI is housed in mobile phones although initially OTP will be used in mobile phones rather than by special-purpose devices.

I doubt that.

To achieve that we need a whole bunch of enablement technologies.
Most of the PKIX enrollment stuff will be obsolete in 5-10 years from
now

I'd never trust a system where the mobile phone vendor initializes a key to avoid an enrollment process. If you really plan to establish such a system be assured that I will fight against this.

The problems with mobile phone security issues are exaggerated and are also in no way cast in concrete.

On which planet are you living?

If the requirement is "perfect" security,

There's no 100% security. We all know that. But e.g. given the Bluetooth attacks I'm concerned of drive-by copying of private keys. And given the strange customizing of mobile phones by the telco companies my trust is even lower.

> we have to accept that nothing will happen.

Frankly I prefer having to deal with OTP when doing online banking over using my handy with some obscure key container initialized by a vendor on it.

Google's Android as well as Symbian 9.3 are not comparable to Windows which indeed has a broken security model.

But many security reviewers know a lot about Windows (and Linux and Mac OS X) in comparison to public knowledge about Android. So you can't tell at this time.

I don't expect a reply on this because it will anyway take some five
 years or so to figure out if the above is correct or not.

Well, mabye the problem is that I'm not as visionary as you are. ;-)

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to