On Sunday 8. September 2013 18.56.29 Werner Almesberger wrote: > Paul Boddie wrote: > > If I had to guess what went on [in a smartcard-based e-banking > > access "calculator"] > > Yes, I think that's how they work. The "calculator" is just a shell > that provides the user interface and power. You still need to trust > it, but only to the point that it won't leak the PIN.
Right. > > Instead, it's a situation where an "official" body signs > > everything on your behalf, ostensibly because you logged in to their > > service at some point and said you wanted to do something. > > Is this actually how they do it ? I would think they merely provide > an electronic statement saying that user X has asked us to to Y, > certified by the respective authority that makes the statement. According to the following description of one such system, they do the signing on your behalf: "The code unit for a bank-stored BankID is often mistaken for a BankID, but a BankID is an electronic certificate centrally stored with Nets." https://www.bankid.no/Dette-er-BankID/BankID-in-English/This-is-how-BankID- works/ Apparently, the above system is also implemented by storing the "security elements" in a mobile phone's SIM card, which I imagine approximates to a smartcard situation. > Well, the difference may be more legal than technical in the end. Getting banks to admit screwing up is quite a challenge, in my experience. > > Perhaps I should look around for > > similar gadgets to the one you propose. > > It's always good to know what the competition is doing :) I did manage to find this: http://ob-security.info/?p=631 Paul _______________________________________________ Qi Hardware Discussion List Mail to list (members only): [email protected] Subscribe or Unsubscribe: http://lists.en.qi-hardware.com/mailman/listinfo/discussion
