2010/4/21 Andreas Jellinghaus <a...@dungeon.inka.de>:
> well, if the token is a smart phone, it can display the pdf and show
> it to me, before I agree to sign it. that's my whole point: smart
> cards/ usb crypto tokens, even with pinpad readers, have this problem
> of not being able to display a pdf before I sign it. a simple nice
> personal, trusted device with a real screen and input system and
> security system built in could do that on the other hand.
> wait! I already have something like that, my mobile phone ...

A PDF document is not static but dynamic. The same document can be
displayed differently depending on external input (time for example).
So you may sign a PDF document displaying 100€ on your phone but the
bank will see the same document displaying 10,000€.

A PDF document is NOT static as an image. See a presentation at a
security conference [1]. The article and presentation are in French,
sorry. The paper was previously presented at an English conference [2]
but I can't find the English article online.

Bye

[1] http://www.sstic.org/2009/presentation/Les_origamis_malicieux_en_PDF_contre_attaquent/
[2] http://pacsec.jp/pastevents.html

-- 
 Dr. Ludovic Rousseau
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
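
A conservative pre-signing screen for the point made in the message above, added here as an example and not part of the original post: it flags PDF name keys associated with scripts or automatic actions, and containers a byte-level scan cannot look into. The key lists, function names and sample byte strings are assumptions constructed for illustration, and a clean result does not prove that the document renders identically on every viewer.

```python
import re

# PDF name keys treated here as signs of active content (assumed, non-exhaustive list).
ACTIVE_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch", "XFA", "RichMedia"}
# Containers whose contents this raw byte scan cannot inspect.
OPAQUE_NAMES = {"ObjStm", "Encrypt"}

# A PDF name is "/" followed by characters other than whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as /JavaScript."""
    plain = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def screen_pdf(data: bytes) -> dict:
    """Report active-content keys and opaque containers found in raw PDF bytes.

    The scan is deliberately strict: it may flag byte sequences inside binary
    streams, and it refuses anything it cannot see into.
    """
    names = {decode_name(m.group(1)) for m in NAME_RE.finditer(data)}
    active = sorted(names & ACTIVE_NAMES)
    opaque = sorted(names & OPAQUE_NAMES)
    return {"active": active, "opaque": opaque,
            "ok_to_sign": not active and not opaque}


# Constructed sample fragments (not complete PDF files).
STATIC_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
DYNAMIC_SAMPLE = (b"%PDF-1.4\n1 0 obj\n"
                  b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
                  b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n")
PACKED_SAMPLE = b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 >>\nendobj\n"

if __name__ == "__main__":
    for label, sample in [("static", STATIC_SAMPLE),
                          ("dynamic", DYNAMIC_SAMPLE),
                          ("packed", PACKED_SAMPLE)]:
        print(label, screen_pdf(sample))
```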
