[18332] in cryptography@c2.net mail archive


Re: Another entry in the internet security hall of shame....

daemon@ATHENA.MIT.EDU (Ian G)
Mon Aug 29 15:23:11 2005

X-Original-To: cryptography@metzdowd.com
Date: Mon, 29 Aug 2005 20:06:04 +0100
From: Ian G <iang@systemics.com>
To: Anne & Lynn Wheeler <lynn@garlic.com>
Cc: Dave Howe <DaveHowe@gmx.co.uk>, cryptography@metzdowd.com
In-Reply-To: <43133CE9.6010101@garlic.com>

Anne & Lynn Wheeler wrote:
> the major ISPs are already starting to provide a lot of security
> software to their customers.
> 
> a very straightforward one would be if they provided public key
> software ... to (generate if necessary) and register a public key in
> lieu of password ... and also support the PPP & radius option of having
> digital signature authentication in lieu of password checking
> http://www.garlic.com/~lynn/subpubkey.html#radius

Right.  And do the primary authentication of the key
using some other mechanism that is outside the strict
crypto.

(IOW, Dave, your plan will work, as long as it is
built from ground up with no prior baggage!  IMHO!)

This is such a no-brainer that when I first came
across the solution over a decade ago now, I never
gave a thought as to how it could be anything but
the one way to do things.  It just works, and very
little else works anywhere as well.

Yet, we are still grubbing around like cavemen in
the mud.  And then there is this:

http://www.business2.com/b2/web/articles/print/0,17925,1096807,00.html

$5M  Mobile ID for Credit Card Purchases
WHO: John Occhipinti, Woodside Fund, Redwood Shores, Calif.
WHO HE IS: A former executive at Oracle and Netscape, Occhipinti is a managing director and security specialist, leading investments in BorderWare and Tacit.
WHAT HE WANTS: Fraudproof credit card authorization via cell phones and PDAs.
WHY IT'S SMART: Credit card fraud is more rampant than ever, and consumers aren't the only ones feeling the pain. Last year banks and merchants lost more than $2 billion to fraud. Most of that could be eliminated if they offered two-part authentication with credit and debit purchases -- something akin to using a SecureID code as well as a password to access e-mail. Occhipinti thinks the cell phone, packaged with the right software, presents an ideal solution. Imagine getting a text message on your phone from a merchant, prompting you for a password or code to approve the $100 purchase you just made on your home PC or at the mall. It's an extra step, but one that most consumers would be happy to take to safeguard their privacy. More important, Occhipinti says, big banks would pay dearly to be able to offer the service. "It's a killer app no one's touched yet," Occhipinti says, "but the technology's within reach."
WHAT HE WANTS FROM YOU: A finished prototype application within eight months. "I'm looking for the best technologists in security and wireless, the top 2 percent in their industry," Occhipinti says. The team would need to be working with a handful of banks and merchants ready to start trials, in hopes of licensing the technology or selling the company.
SEND YOUR PLAN TO: jco@woodsidefund.com

The funniest part of all is that even though we
know how to do it in our sleep, Paypal actually
built one as their "original offering" and threw
it away...

> at that point your public key is now registered with your ISP ... and
> possibly could be used for other things as well ... and scaffolding for
> a certificateless trust infrastructure.

Yup.  But this will only work if you go back to
basics and build the structure naturally around
the keys.  IOW, not using anything from PKI.

> lots & lots of past postings on SSL landscape
> http://www.garlic.com/~lynn/subpubkey.html#sslcert

Watching security thinking advance is like watching
primates evolve from close distance.  Either we die
of old age before anything happens, or we get clubbed
to death...

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
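The thread above describes registering a public key with the ISP and then authenticating with a digital signature in place of a password check. As an added illustration that is not part of the original message or of any software the thread mentions, here is a Go sketch of that challenge-response flow using the standard library's Ed25519: the ISP side stores one registered key per account, hands out a single-use random nonce, and checks the client's signature over it, so a captured response cannot be replayed and no password-equivalent secret is ever stored or sent. The account names, the `isp-auth-v1` domain-separation prefix, and the assumption that `Register` is only called over an already-authenticated channel (the "other mechanism outside the strict crypto" Ian refers to) are all assumptions made for this example; the PPP/RADIUS transport is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry stands in for the ISP-side account database: exactly one
// registered public key per account plus the outstanding challenge, if any.
type Registry struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte // account -> nonce, consumed on first use
}

func NewRegistry() *Registry {
	return &Registry{
		keys:       make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register binds a public key to an account. Assumption for this example:
// the caller has already authenticated the account out of band (e.g. the
// customer's existing login), so the key itself never needs a certificate.
func (r *Registry) Register(account string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("public key has wrong size")
	}
	if _, exists := r.keys[account]; exists {
		return errors.New("account already has a key; re-registration needs the out-of-band step again")
	}
	r.keys[account] = pub
	return nil
}

// Challenge issues a fresh 32-byte random nonce for the account. Issuing a
// new challenge replaces any unanswered one.
func (r *Registry) Challenge(account string) ([]byte, error) {
	if _, ok := r.keys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.challenges[account] = nonce
	return nonce, nil
}

// authMessage domain-separates the signed bytes so a signature produced for
// this login protocol is not a valid signature over arbitrary data elsewhere.
// The "isp-auth-v1" label is a constructed value for this example.
func authMessage(account string, nonce []byte) []byte {
	return append([]byte("isp-auth-v1:"+account+":"), nonce...)
}

// Verify checks the client's signature over the outstanding challenge. The
// nonce is deleted whether or not the check succeeds, which is what defeats
// replay of a previously observed response.
func (r *Registry) Verify(account string, sig []byte) bool {
	nonce, ok := r.challenges[account]
	delete(r.challenges, account)
	if !ok {
		return false
	}
	return ed25519.Verify(r.keys[account], authMessage(account, nonce), sig)
}

// Respond is the client side: sign the challenge with the account's private
// key. The private key never leaves the customer's machine.
func Respond(priv ed25519.PrivateKey, account string, nonce []byte) []byte {
	return ed25519.Sign(priv, authMessage(account, nonce))
}

// Demo runs a full round: key generation, registration, one genuine login,
// one replay of the same signature, and one attempt with a different key.
// It returns the three verification outcomes so they can be checked.
func Demo() (firstOK, replayOK, wrongKeyOK bool, err error) {
	const account = "alice@example-isp.test" // constructed sample account
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	reg := NewRegistry()
	if err = reg.Register(account, pub); err != nil {
		return false, false, false, err
	}
	nonce, err := reg.Challenge(account)
	if err != nil {
		return false, false, false, err
	}
	sig := Respond(priv, account, nonce)
	firstOK = reg.Verify(account, sig)
	replayOK = reg.Verify(account, sig) // nonce already consumed

	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // unregistered key
	if err != nil {
		return false, false, false, err
	}
	nonce2, err := reg.Challenge(account)
	if err != nil {
		return false, false, false, err
	}
	wrongKeyOK = reg.Verify(account, Respond(otherPriv, account, nonce2))
	return firstOK, replayOK, wrongKeyOK, nil
}

func main() {
	first, replay, wrong, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine login: %v, replayed response: %v, wrong key: %v\n", first, replay, wrong)
	fmt.Println("sample nonce size:", hex.EncodedLen(32)/2, "bytes")
}
```

The server never learns a reusable secret: a database leak exposes only public keys, and a sniffed response is useless after the nonce is consumed. The `Register` step is where the real trust decision happens, which is the point Ian makes about doing the primary authentication of the key outside the cryptography.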
