The following is mainly directed to people working with mobile devices although the issue of course also applies to PCs.
Recently I had an interesting conversation with a security technologist of a major payment provider who had seen links to my SKS/KeyGen2 stuff [0]. He was quite concerned about how I intend to cope with "Key Misuse".

One solution is of course to lock down the entire OS so that all applications actually have been verified as trustworthy [1]. Being a free spirit I find such measures too restrictive and having a hampering effect on the market. It also greatly reduces the ability to run in-house applications that simply won't be sent for verification by a trusted third party.

However, the mentioned requirement is highly legitimate since an authentication key is a door opener that should only be used by the actual key-holder. Therefore I'm plotting with the idea that keys could (during provisioning) be marked in such a way that a (trustworthy) OS could control that only "granted" applications are allowed to use a key.

My question (but probably not the answer...) is really quite simple: Is there any universal way to identify applications that has a chance of working over the fairly wide range of operating systems that we have today?

It is true that this fairly rudimentary scheme does not address traffic *inside* of an authenticated VPN tunnel but that is "by design" because it is a very complex topic and is already addressed by other efforts like TNC (Trusted Network Connect), while there is hardly any work going on on the *consumer* side. The latter is sort of understandable since there is no paying customer to be found anywhere :-( OTOH, it is a truly virgin territory with close to zero competition as well :-)

Thanx,
Anders

[0] http://webpki.org/auth-token-4-the-cloud.html
[1] http://www.zdnet.co.uk/news/security-threats/2010/08/11/android-handsets-hit-by-first-sms-trojan-app-40089792/

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
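The scheme sketched in the post (keys marked at provisioning with the applications granted to use them, enforced by the OS key store) can be modelled in a few lines. The following is an added example and not code from the post, SKS/KeyGen2 or any real OS; it assumes, as one possible answer to the open question, that an application is identified by the SHA-256 hash of its code-signing public key, and it uses HMAC-SHA256 as a stand-in for whatever operation the provisioned key actually performs. All names, keys and app identities are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass


def signer_id(signer_public_key: bytes) -> str:
    """Application identity = SHA-256 of its code-signing public key.

    This identification scheme is an assumption of the example; the post leaves
    the question of a universal application identity open.
    """
    return hashlib.sha256(signer_public_key).hexdigest()


@dataclass(frozen=True)
class AppIdentity:
    name: str
    signer: str  # value returned by signer_id()


@dataclass
class ProvisionedKey:
    key_id: str
    secret: bytes
    granted_signers: frozenset  # signer ids bound to the key at provisioning time


class KeyStore:
    """Toy model of an OS key store that enforces per-key application grants."""

    def __init__(self):
        self._keys = {}
        # (key_id, app name, decision) tuples: the audit trail a defender would review
        self.audit = []

    def provision(self, key_id: str, secret: bytes, granted_apps) -> None:
        # The grant list is fixed at provisioning; applications cannot widen it later.
        self._keys[key_id] = ProvisionedKey(
            key_id, secret, frozenset(app.signer for app in granted_apps)
        )

    def sign(self, key_id: str, caller: AppIdentity, message: bytes) -> str:
        key = self._keys[key_id]
        if caller.signer not in key.granted_signers:
            self.audit.append((key_id, caller.name, "denied"))
            raise PermissionError(f"{caller.name} is not granted key {key_id}")
        self.audit.append((key_id, caller.name, "allowed"))
        # HMAC-SHA256 stands in for the real key operation (constructed choice).
        return hmac.new(key.secret, message, hashlib.sha256).hexdigest()


# Constructed sample data: two code signers, a granted app and an unrelated app.
BANK_SIGNER_PUBKEY = b"constructed-bank-signer-public-key"
OTHER_SIGNER_PUBKEY = b"constructed-other-signer-public-key"
BANK_APP = AppIdentity("bank-wallet", signer_id(BANK_SIGNER_PUBKEY))
OTHER_APP = AppIdentity("flashlight", signer_id(OTHER_SIGNER_PUBKEY))
AUTH_SECRET = b"constructed-provisioned-authentication-key"


def build_store() -> KeyStore:
    store = KeyStore()
    # Only the bank app's signer is granted the authentication key.
    store.provision("auth-key-1", AUTH_SECRET, granted_apps=[BANK_APP])
    return store


def demo():
    """Return (mac from granted app, whether the other app was denied, audit log)."""
    store = build_store()
    mac = store.sign("auth-key-1", BANK_APP, b"login-challenge")
    try:
        store.sign("auth-key-1", OTHER_APP, b"login-challenge")
        denied = False
    except PermissionError:
        denied = True
    return mac, denied, store.audit


if __name__ == "__main__":
    print(demo())
```

The point of binding the grant to the signer identity rather than to a package name is that a name is free for any application to claim, whereas reproducing a signer hash requires the matching private signing key; the audit list records every denied attempt so that key misuse by an ungranted application is visible rather than silent.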