On 2012-08-02 22:16, David Woodhouse wrote:
> On Wed, 2012-08-01 at 11:58 +0200, Anders Rundgren wrote:
>> http://www.finextra.com/news/announcement.aspx?pressreleaseid=45624
>>
>> Current platforms are useless for banking so what else could they do?
>
> The big problem with the VbV insanity wasn't the current platforms. It
> was largely the user experience — a frame in the browser, where they
> can't *tell* that it's actually from a trusted site; it appears in a
> page that's on the "untrusted" merchant site. Into which you're expected
> to type parts of your password. Any sane person refused to use it
> anyway, surely?

True, but a fundamental problem still remains in the platform.
If you use PKI instead of a password a fraudster doesn't get anything
he/she can use to emulate the card-holder.
However, consumer-PKI using the Mozilla platform is simply put unusable.

When platform vendors get interested in a solution great things can happen:
http://googlecommerce.blogspot.co.uk/2012/08/use-any-credit-or-debit-card-with.html

That nothing of this kind happens in Mozilla PKI is because there is no
business, not because they have bad or lazy engineers.

I also think that the lack of hardware security limits the scope of the
platform considerably. Intel has a role to play but I guess the bean
counters say no :-(

Anyway, the action isn't really here, it is there:
http://googlecommerce.blogspot.co.uk/2012/08/use-any-credit-or-debit-card-with.html
Google becomes a bank and you have your cards in their cloud!
Lots of very useful security stuff as well.

Anders

>
> VbV was just another case of banks actively *training* their customers
> to succumb to fraud. Just like when they send non-S/MIME-signed email.
>
> I'm pleased to see it being phased out, at least in its current form.
>

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto