Gervase,

The ability to use a chip as holder of credentials for on-line
providers like Bugzilla is unlikely to happen in a major way until
there is an open solution for getting keys down into the
chip/container that is:

1. Usable by non-experts
2. Is secure in such a way that banks could use it
3. Doesn't require non-standard middleware or card readers

Some people believe that the PC form-factor is toast and that
all innovation in this space will be in iPhone & friends.

I, FWIW, still haven't given up adding such a facility to Firefox
but it sure isn't easy.

Anders
http://webpki.org/auth-token-4-the-cloud.html

Gervase Markham wrote:
Dear crypto-hackers,

Your thoughts on the following problem would be appreciated.

Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla accounts.
https://bugzilla.mozilla.org/show_bug.cgi?id=570252

Sub-goal: do it in a way which doesn't involve purchasing or running proprietary software.

General musings on these goals welcome. Here also are some specific questions:

Q1) There is conflicting advice in that bug about whether a client certificate-based solution can meet the requirement of "implement it only for some accounts" (with the implicit requirement that it doesn't bother or affect people who are not using it). Can a client certificate solution be made to work?

Q2) If not, does anyone know of any commercial 2-factor systems which can be implemented entirely with open source tools and software? (I'd accept having to purchase closed hardware tokens.)

Q3) If not, can we do something smart like issue chip cards and leverage the devices being shipped for the rollout of the Chip Authentication Program in various countries?
http://en.wikipedia.org/wiki/Pinsentry

Q4) Or, could we do something in-browser or with a phone app, allowing people to use their mobile phone as the hardware token?

Gerv

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
