On Sun, Jul 01, 2007 at 08:38:12AM -0400, Perry E. Metzger wrote:
> [EMAIL PROTECTED] (Peter Gutmann) writes:
> > (The usage model is that you do the UI portion on the PC, but
> > perform the actual transaction on the external device, which has a
> > two-line LCD display for source and destination of transaction,
> > amount, and purpose of the transaction.  All communications enter
> > and leave the device encrypted, with the PC acting only as a proxy.
> > Bill of materials shouldn't be more than about $20).
> I've been thinking this was the way to go for years now.

Who hasn't?  Oh, I'm sorry -- I meant to say: who, outside of the
set of producers and consumers of security snake oil aimed at
financial institutions, hasn't?

Regular readers will recall the SecurID discussion of about a
year ago, when an individual who appeared to be a paid consultant
to RSA vigorously put forth the notion that secure devices which
required the user to actually do something to authenticate a
transaction were _not_ what was needed -- to the shock and awe
of most readers of, and writers to, the thread here, at least
as I would summarize the discussion.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to