On 21.07.2009, at 15:04, Udo Puetz wrote:
On 20 Jul., 12:04, Ian G <i...@iang.org> wrote:
On 20/7/09 09:18, Udo Puetz wrote:
The fact that hardware doesn't work in the retail / open / end-user
market which Mozilla is most famous for is more than annoying. It
creates a dead weight "opportunity cost". The solutions in the end-
user
market do not use hardware, and won't be implemented if they clash
with
the precious hardware model. So the end user is screwed again.
IF you want to do encryption (e.g. online banking) you fast realise
that you need two (or more) factor authentication. And one of those is
a hardware dongle because the rest is in your head or in your
biometrics.
Sooo, more and more people WANT to use hardware tokens (also because
they are fairly cheap nowadays).
So there is a very substancial market there.
Here you get one thing wrong: people don't that much want to use
hardware tokens to log onto their online bank, but banks want you to
ease their pain caused by damages from identity fraud etc by requiring
smart cards and such. That's why they use force measures like in
Estonia - online transactions only up to 450USD or 320EUR with non-
hardware authentication. You can either use your eID card ("free") or
get an OTP pin calculator from the bank (10 EUR or so) to do bigger
transaction. If the country where the bank operates does not have
such a "free" infrastucture, I don't believe that they provide the
willing customers a way to use some hardware tokens they so much want
to.
The number of people who realize that they suddenly need two factor
authentication everywhere is ... really small. Hardware cryptography
have been this far IMHO driven by 4 sectors: defense/military,
healthcare, corporate, financial risk mitigation. In all the cases the
decision to use stronger-than-password things comes from top-down, not
the other way around, to protect the interests of "the system" rather
than the individual (except maybe healthcare, but I'm guessing it's
the smallest participant in this business as well). This is the way
x509 works - top down, not the other way around. This is also why
current PKI is broken in so many ways that do not fit the x509 model -
hierarchical, closed world system. One reason I never seem to get
along with people who talk about trust and end-user decisions in x509
setups where it just doesn't exist. The fun you get from "new trust"
is 0 if you happen to be color blind - you don't see the green thing!
It is not that easy to change it on global scale, it is much easier to
just rant about the situation :)
Basically the requirements for a user centric approach (where the end-
user has things to protect) does not meet the requirements that were
used to build currently existing solutions. You can piggyback what
exists now to give users a bit more control but for a different
system, "interconnected systems 2.0", much more is required.
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
