On Sun, Jul 01, 2007 at 11:09:16PM -0400, Leichter, Jerry wrote:
| | | > > Given that all you need for this is a glorified pocket
| | | > > calculator, you could (in large enough quantities) probably get
| | | > > it made for < $10, provided you shot anyone who tried to
| | | > > introduce product-deployment DoS mechanisms like smart cards and
| | | > > EMV into the picture. Now all we need to do is figure out how
| | | > > to get there from here.
| | | >
| | | > I'd suggest starting from the deployment, training, and help desk
| | | > costs. The technology is free, getting users to use it is not. I
| | | > helped several banks look at this stuff in the late 90s, when cost
| | | > of a smartcard reader was order ~25, and deployment costs were
| | | > estimated at $100, and help desk at $50/user/year.
| | |
| | | Of course, given the magnitude of costs of fraud, and where it may
| | | be heading in the near term, the $50 a year may be well spent,
| | | especially if it could be cut to $25 with some UI investment. It is
| | | all a question of whether you'd rather pay up front with the
| | | security apparatus or after the fact in fraud costs...
| |
| | It may be, indeed. You're going (as Lynn pointed out in another post)
| | to be fighting an uphill battle against the last attempts. I don't
| | think smartcards (per se) are the answer. What you really need is
| | something like a palm pilot, with screen and input and a reasonably
| | trustworthy OS, along with (as you say) the appropriate UI investment.
|
| You do realize that you've just come down to what the TPM guys want to
| build? (Of course, much of the driving force behind having TPM comes
| from a rather different industry. We're all happy when TPM can be
| used to ensure that our banking transactions actually do what the bank
| says it will do for a particular set of instructions issued by us and
| no one else, not so happy when they ensure that our "music transactions"
| act the same way....)

I don't believe that's so. The TPM guys want to add a variety of
controls to extant PC designs to make them secure. I want to add a new
device to the mix.

| Realistically, the only way these kinds of devices could catch on would
| be for them to be standardized. No one would be willing to carry one
| for their bank, another for their stock broker, a third for their
| mortgage holder, a fourth for their credit card company, and so on.
| But once they *are* standardized, almost the same potential for
| undesirable uses appears as for TPM's. What's to prevent the movie
| download service requiring that you present your Universal Safe Access
| Fob before they authorize you to watch a movie? If the only significant
| differences between this USAF and TPM is that the latter is more
| convenient because more tightly tied to the machine, we might as well
| have the convenience.

Fair questions. I'm sure I don't have answers.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]