Shawn Willden wrote: > On Thursday 23 March 2006 07:11, Carlos Henrique Bauer wrote: > >> What you are proposing means a developer must trust all the applications >> installed in the machines where its applications will run. That's a lot >> of trust. >> > > Mmmm, no. That's not what I'm proposing. You probably jumped into the > middle > of the thread and saw the problems I was complaining about, not my proposed > solution. > No. I am following this thread from the beginning. > My proposed solution would require the developer to trust users not to run > applications that misuse the card credentials. > > I think very few users have the knowledge and time to audit the source code (and compile it) or reverse engineer an binary application in order to know if it misuses the cards credentials. I suspect they have the expectation that the application they are using to sign email or access their online banking account will not allow their smart card to be hijacked by the nice solitaire game they just downloaded from the Internet. > What I want is for the middleware to provide a mechanism to ensure a card can > only be accessed by processes running under a given user account. > IMHO this is a good additional security measure but not a replacement for PCSC transactions.
Regards, Carlos _______________________________________________ Muscle mailing list [email protected] http://lists.drizzle.com/mailman/listinfo/muscle
