At 01:07 PM 9/17/2002 -0700, [EMAIL PROTECTED] wrote:
>As far as I know, banks assume that a certain percentage of their 
>transactions will be bad and build that cost into their business 
>model.  Credit and ATM cards and numbers are as far from secure as could 
>be, far less secure than somebody doing online transactions from a Wintel 
>machine on an unencrypted connection, let alone an encrypted one.  Until 
>somebody takes full advantage of the current system and steals a few 
>trillion dollars in one day, the problems are easier to deal with than a 
>solution.  Until that happens, there's no reason for banks to go through 
>the pain of dealing with or requiring Pd.
>
>-Jon Simon

note that EU finread standard attempted to address some of this. an 
external (secure, finread) token acceptor device with secure display and 
secure pin entry. The hardware token is used to "sign" the (financial) 
transaction .... PIN code is entered into the finread device and goes 
directly to the hardware token (w/o passing thru the PC). Critical pieces 
of the transactions passes thru the finread device on the way to the 
(signing hardware token) and is displayed on the secure display ... which 
then requires the PIN to be entered to confirm the transaction.

There is the issue of 3-factor authentication

* something you have (hardware token)
* something you know (pin)
* something you are (biometrics in addition to &/or in place of PIN)

besides the straight-forward use of signatures to authenticate the source 
of the transaction ... there is the nominal legal requirement associated 
with physical signatures ... i.e. did you intend to sign what you signed 
aka is what you "see" what you signed ... and do you confirm that you 
actually want the hardware token to sign what you "see".

A lot of digital signature seems to address the technology part of 
authentication ... and then sometimes (just because the term "signature" is 
used as part of the description of the technical procedure) that all 
technical implementations of the process referred to as "digital signature" 
is legally equivalent to "physical signatures" (even when no aspects of 
intention have been satisfied).

random past finread & intention posts:
http://www.garlic.com/~lynn/aadsm10.htm#keygen2 Welome to the Internet, 
here's your private key
http://www.garlic.com/~lynn/aadsm11.htm#4 AW: Digital signatures as proof
http://www.garlic.com/~lynn/aadsm11.htm#5 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#6 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#7 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#9 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#13 Words, Books, and Key Usage
http://www.garlic.com/~lynn/aadsm11.htm#23 Proxy PKI. Was: IBM alternative 
to PKI?
http://www.garlic.com/~lynn/aadsm12.htm#0 maximize best case, worst case, 
or average case? (TCPA)
http://www.garlic.com/~lynn/aadsm12.htm#19 TCPA not virtualizable during 
ownership change (Re: Overcoming the potential downside of TCPA)
http://www.garlic.com/~lynn/2000.html#0 2000 = millennium?
http://www.garlic.com/~lynn/2000.html#94 Those who do not learn from history...
http://www.garlic.com/~lynn/2000f.html#79 Cryptogram Newsletter is off the 
wall?
http://www.garlic.com/~lynn/2001f.html#39 Ancient computer humor - DEC WARS
http://www.garlic.com/~lynn/2001g.html#57 Q: Internet banking
http://www.garlic.com/~lynn/2001g.html#60 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001g.html#61 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001g.html#62 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001g.html#64 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001h.html#51 future of e-commerce
http://www.garlic.com/~lynn/2001i.html#25 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#26 No Trusted Viewer possible?
http://www.garlic.com/~lynn/2001j.html#7 No Trusted Viewer possible?
http://www.garlic.com/~lynn/2001j.html#46 Big black helicopters
http://www.garlic.com/~lynn/2001k.html#0 Are client certificates really secure?
http://www.garlic.com/~lynn/2001k.html#43 Why is UNIX semi-immune to viral 
infection?
http://www.garlic.com/~lynn/2001m.html#6 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001m.html#9 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001n.html#70 CM-5 Thinking Machines, 
Supercomputers
http://www.garlic.com/~lynn/2002c.html#10 Opinion on smartcard security 
requested
http://www.garlic.com/~lynn/2002c.html#21 Opinion on smartcard security 
requested
http://www.garlic.com/~lynn/2002f.html#46 Security Issues of using Internet 
Banking
http://www.garlic.com/~lynn/2002f.html#55 Security Issues of using Internet 
Banking
http://www.garlic.com/~lynn/2002g.html#69 Digital signature
http://www.garlic.com/~lynn/2002h.html#13 Biometric authentication for 
intranet websites?
http://www.garlic.com/~lynn/2002l.html#24 Two questions on HMACs and hashing
http://www.garlic.com/~lynn/2002l.html#26 Do any architectures use 
instruction count instead of timer
http://www.garlic.com/~lynn/2002l.html#28 Two questions on HMACs and hashing

--
Anne & Lynn Wheeler      [EMAIL PROTECTED],  http://www.garlic.com/~lynn/ 


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to