On Tuesday 24 May 2005 20:52, Anne & Lynn Wheeler wrote:
> for value infrastructures that are managing and administrating
> relationships with tried & true established methodology ... then
> certificate-oriented PKIs become redundant and superfluous ... as are
> the stale static certificates themselves.

For just these reasons, many European banks experimented with different methods, many of them created their own download programs, some of them went with smart card trusted devices, and others with challenge response devices. I don't know what the current favourite is.

For some reason that is obscure to me the continental banks (i.e., excluding the Brit banks, don't know about the Irish) take security seriously, and they must be sitting there worried sick about the viruses and machine takeovers as breaching everything.

However, European banks are not beset with phishing as yet -- although the tempo is increasing. The US is where the issue is, and for the most part these are online websites protected by straight username / password access. Some of them are starting to roll out the C/R devices, but even then that's only a temporary defence, which will buy them a year +/- 6 months.

What is more interesting is that US card associations are working as fast as they can on creating new tokens for credit cards, and on the surface once rolled out, they will significantly change the security equation, leading to a weakening of the SSL position. (Article to follow, lost in a broken MUA.)

Talking about anything like proper mutual auth techniques is not going to be helpful simply because no bank is going to get into these techniques, instead a series of partial measures is going to be sold into the infrastructure, and no infrastructure provider is really going to do more than market these solutions, including those that are being marketed to.

Which brings us back to .... SSL. The good news is perversely that banks are going to rely less upon it, potentially releasing the software base for general purpose protection (see writings on the confusion of goals).

iang
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
