I wouldn't dispute any of the arguments made in the original or subsequent posts on this topic pointing out that the programmatic interface to the device opens a security hole. But I think it needs to be said that this is only in the environment where trojans, etc., can infiltrate the machine. Acknowledged... this is probably in 99.99% of the applications.

But in defense of the product, there are server-to-server type applications that don't involve a human which wouldn't be able to provide this style of two-factor authentication without a programmatic interface. And without hardward-based security solutions for these types of systems, they are vulnerable to compromise of keys and secrets by administrators. With a little physical security and isolation from the types of use that put them at risk for trojans, etc., the security hole under fire doesn't really exist. These systems do gain more security... by providing a device that doesn't allow an administrator to walk away with the secrets.

Maybe server-to-server applications weren't really the intended market for this particular product, but the point is that you need to be careful with blanket criticisms.

Paul Zufeldt

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to