Anne & Lynn Wheeler wrote:
the major ISPs are already starting to provide a lot of security
software to their customers.

a very straightforward one would be if they provided public key
software ... to (generate if necessary) and register a public key in
lieu of password ... and also support the PPP & radius option of having
digital signature authentication in lieu of password checking
http://www.garlic.com/~lynn/subpubkey.html#radius

Right.  And do the primary authentication of the key
using some other mechanism that is outside the strict
crypto.

(IOW, Dave, your plan will work, as long as it is
built from ground up with no prior baggage!  IMHO!)

This is such a no-brainer that when I first came
across the solution over a decade ago now, I never
gave a thought as to how it could be anything but
the one way to do things.  It just works, and very
little else works anywhere as well.

Yet, we are still grubbing around like cavemen in
the mud.  And then there is this:

http://www.business2.com/b2/web/articles/print/0,17925,1096807,00.html

$5M  Mobile ID for Credit Card Purchases
WHO: John Occhipinti, Woodside Fund, Redwood Shores, Calif.
WHO HE IS: A former executive at Oracle and Netscape, Occhipinti is a managing 
director and security specialist, leading investments in BorderWare and Tacit.
WHAT HE WANTS: Fraudproof credit card authorization via cell phones and PDAs.
WHY IT'S SMART: Credit card fraud is more rampant than ever, and consumers aren't the only ones 
feeling the pain. Last year banks and merchants lost more than $2 billion to fraud. Most of that 
could be eliminated if they offered two-part authentication with credit and debit purchases -- 
something akin to using a SecureID code as well as a password to access e-mail. Occhipinti thinks 
the cell phone, packaged with the right software, presents an ideal solution. Imagine getting a 
text message on your phone from a merchant, prompting you for a password or code to approve the 
$100 purchase you just made on your home PC or at the mall. It's an extra step, but one that most 
consumers would be happy to take to safeguard their privacy. More important, Occhipinti says, big 
banks would pay dearly to be able to offer the service. "It's a killer app no one's touched 
yet," Occhipinti says, "but the technology's within reach."
WHAT HE WANTS FROM YOU: A finished prototype application within eight months. "I'm 
looking for the best technologists in security and wireless, the top 2 percent in their 
industry," Occhipinti says. The team would need to be working with a handful of 
banks and merchants ready to start trials, in hopes of licensing the technology or 
selling the company.
SEND YOUR PLAN TO: [EMAIL PROTECTED]

The funniest part of all is that even though we
know how to do it in our sleep, PayPal actually
built one as their "original offering" and threw
it away...

at that point your public key is now registered with your ISP ... and
possibly could be used for other things as well ... and scaffolding for
a certificateless trust infrastructure.

Yup.  But this will only work if you go back to
basics and build the structure naturally around
the keys.  IOW, not using anything from PKI.

lots & lots of past postings on SSL landscape
http://www.garlic.com/~lynn/subpubkey.html#sslcert

Watching security thinking advance is like watching
primates evolve from close distance.  Either we die
of old age before anything happens, or we get clubbed
to death...

iang

---------------------------------------------------------------------
The Cryptography Mailing List