On 03/24/2009 02:25 AM, Ian G:
> I haven't followed it in depth, but the primary way that the E.B.s have responded is to move their existing TAN system to a cellphone SMS (which the Europeans call "handys", Brits call them mobiles). A TAN is a transaction authentication number which is distributed on a paper sheet to users. When the transaction is finalised, the user types in a TAN taken from a supplied index like row, col, and crosses it out on the paper.
In other words, OTP by mobile and SMS?
> Ah. So, I see this is migrating to "use popular Internet RFC standards for security." The problem with this is that some of them -- like S/MIME -- are practically worthless whereas some of the non-RFC standard products like Skype are very secure.
Arrrg, we have been there already... but I'm not going to repeat myself; instead I'm asking you: how would you secure email (since IM isn't the same thing really, and different protocols/products are seeking different solutions, even within the IM family)?
> (Hence, today's subject line. What can we do to make client certs actually reach out and deliver to users? Today's task: solve the session problem.)
Haha...that's a good one... :-)
> (I use S/MIME every day too, and over TLS. I also suggest that the other security people use it and be abused by it, maybe because I am a sadist :) Although not scientific, here are some results: within this one highly-motivated security community of around 20-40 people, I see about a 60% success rate in install + certificates, and something less than 10% success rate in delivered secure messages. E.g., worthless.)
It needs some coaching sometimes, but it certainly works... now I'm interested in which improvements you would suggest (besides "let's ditch S/MIME and use PGP").
-- 
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
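Added example, not from the thread or any bank: a minimal server-side model of the indexed paper TAN sheet Ian describes (the bank asks for the code at a specific row/col, the customer types it and crosses the cell out). The class name, grid layout and code length are constructed assumptions; it shows the two properties the scheme relies on, that each cell is accepted once, and that a valid code is rejected unless it sits in the cell the server actually challenged.

```python
import hmac
import secrets


class ItanSheet:
    """Hypothetical server-side state for one customer's indexed TAN sheet."""

    def __init__(self, rows, cols, code_len=6):
        # Constructed sample sheet: each cell holds a random numeric code.
        self.grid = [[f"{secrets.randbelow(10 ** code_len):0{code_len}d}"
                      for _ in range(cols)] for _ in range(rows)]
        self.used = [[False] * cols for _ in range(rows)]   # crossed-out cells
        self.pending = None                                  # cell currently challenged

    def challenge(self):
        """Pick an unused cell at random and ask the customer for that code."""
        unused = [(r, c) for r in range(len(self.grid))
                  for c in range(len(self.grid[0])) if not self.used[r][c]]
        if not unused:
            raise RuntimeError("sheet exhausted; issue a new sheet")
        self.pending = secrets.choice(unused)
        return self.pending

    def verify(self, row, col, tan):
        """Accept the TAN only for the challenged cell, and only once."""
        asked = self.pending
        self.pending = None          # exactly one attempt per challenge
        if asked is None or asked != (row, col):
            return False             # no open challenge, or wrong cell
        ok = hmac.compare_digest(self.grid[row][col].encode(), tan.encode())
        if ok:
            self.used[row][col] = True   # cross the cell out server-side too
        return ok
```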