I concur with Martin, but would also like to mention that two-factor authentication, when deployed in phones (unlike in PCs), combines convenience *and* security.
The problem with phones is that, due to the platform diversity, an interoperable solution must be supported by the platform vendors themselves in order to be usable for "the unwashed masses". In addition, there are no suitable standards for provisioning, and nothing in the works either. I just received an e-mail from a NIST employee in which he declared that secure mobile phone authentication is out of scope for the USG as far as he can tell.

Anders

----- Original Message -----
From: "Martin Paljak" <mar...@paljak.pri.ee>
To: "mozilla's crypto code discussion list" <dev-tech-crypto@lists.mozilla.org>
Sent: Tuesday, July 21, 2009 14:31
Subject: Re: Do big parts of security in "mozilla" suck?

On 21.07.2009, at 15:04, Udo Puetz wrote:
> On 20 Jul., 12:04, Ian G <i...@iang.org> wrote:
>> On 20/7/09 09:18, Udo Puetz wrote:
>> The fact that hardware doesn't work in the retail / open / end-user market which Mozilla is most famous for is more than annoying. It creates a dead weight "opportunity cost". The solutions in the end-user market do not use hardware, and won't be implemented if they clash with the precious hardware model. So the end user is screwed again.
>
> IF you want to do encryption (e.g. online banking) you fast realise that you need two (or more) factor authentication. And one of those is a hardware dongle because the rest is in your head or in your biometrics.
> Sooo, more and more people WANT to use hardware tokens (also because they are fairly cheap nowadays).
> So there is a very substantial market there.

Here you get one thing wrong: people don't that much want to use hardware tokens to log onto their online bank, but banks want you to ease their pain caused by damages from identity fraud etc. by requiring smart cards and such. That's why they use force measures like in Estonia - online transactions only up to 450 USD or 320 EUR with non-hardware authentication.

You can either use your eID card ("free") or get an OTP pin calculator from the bank (10 EUR or so) to do bigger transactions. If the country where the bank operates does not have such a "free" infrastructure, I don't believe that they provide the willing customers a way to use some hardware tokens they so much want to.

The number of people who realize that they suddenly need two-factor authentication everywhere is ... really small.

Hardware cryptography has been this far IMHO driven by 4 sectors: defense/military, healthcare, corporate, financial risk mitigation. In all the cases the decision to use stronger-than-password things comes from top-down, not the other way around, to protect the interests of "the system" rather than the individual (except maybe healthcare, but I'm guessing it's the smallest participant in this business as well).

This is the way x509 works - top down, not the other way around. This is also why current PKI is broken in so many ways that do not fit the x509 model - hierarchical, closed world system. One reason I never seem to get along with people who talk about trust and end-user decisions in x509 setups where it just doesn't exist. The fun you get from "new trust" is 0 if you happen to be color blind - you don't see the green thing!

It is not that easy to change it on a global scale; it is much easier to just rant about the situation :)

Basically the requirements for a user-centric approach (where the end-user has things to protect) do not meet the requirements that were used to build currently existing solutions. You can piggyback what exists now to give users a bit more control, but for a different system, "interconnected systems 2.0", much more is required.
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto