Re: the limits of crypto and authentication

2005-07-13 Thread R.A. Hettinga
At 2:48 PM -0700 7/12/05, Bill Stewart wrote: "It'd be nice if good crypto and authentication methods could create a market for improved products" It can, it does, and it's called significantly reduced risk-adjusted transaction cost in financial econ-speak. Maybe the marketing droids need to come

Re: EMV

2005-07-13 Thread Anne Lynn Wheeler
... the original introduction of HK octopus transit card used the sony flavor of iso 14443 with 10cm and transit requirements of transaction in 100ms. having it in the bottom of a bag and bringing the bag within 10cm of the reader does the trick. there was a transit meeting where the mondex

Re: ID theft -- so what?

2005-07-13 Thread J
--- John Denker [EMAIL PROTECTED] wrote: [...] It's only a problem if somebody uses that _identifying_ information to spoof the _authorization_ for some transaction. [...] Identifying information cannot be kept secret. There's no point in trying to keep it secret. Getting a new SSN

Re: ID theft -- so what?

2005-07-13 Thread Perry E. Metzger
John Denker [EMAIL PROTECTED] writes: My point here is that knowing who I am shouldn't be a crime, nor should it contribute to enabling any crime. Suppose you know who I am. Suppose you know my date of birth, social security number, and great-great-grandmother's maiden name. As Spike said,

mother's maiden names...

2005-07-13 Thread Perry E. Metzger
A quick question to anyone who might be in the banking industry. Why do banks not collect simple biometric information like photographs of their customers yet? If I walk into a branch complaining that I've been robbed and that I don't have my bank card any more, the branch manager will look at

Stuart Baker, ex NSA general counsel, gets Homeland Security post

2005-07-13 Thread Perry E. Metzger
://www.whitehouse.gov/news/releases/2005/07/20050713-8.html The President intends to nominate Stewart A. Baker, of Virginia, to be an Assistant Secretary of Homeland Security (Policy). Mr. Baker is currently a Partner with Steptoe Johnson, LLP in Washington, D.C. He previously served as General Counsel

UK EU presidency aims for Europe-wide biometric ID card

2005-07-13 Thread Anne Lynn Wheeler
http://www.theregister.com/2005/07/13/uk_eu_id_proposal/ UK EU presidency aims for Europe-wide biometric ID card The UK is using its Presidency of the Council of the European Union to push for the adoption of biometric ID cards and associated standards across the whole of the EU. In a proposal

Re: mother's maiden names...

2005-07-13 Thread R.A. Hettinga
At 12:26 PM -0400 7/13/05, Perry E. Metzger wrote: "Why do banks not collect simple biometric information like photographs of their customers yet?" Some do. Cambridge Trust puts your picture on the back of your VISA card, for instance. They have for more than a decade, maybe even two. Cheers, RAH

Re: ID theft -- so what?

2005-07-13 Thread Derek Atkins
Quoting Perry E. Metzger [EMAIL PROTECTED]: So, rephrasing, the problem is not that secret information isn't a fine way to establish trust -- it is the pretense that SSNs, your mom's birth name or even credit card numbers can be kept secret. Identifying information cannot be kept secret.

Re: ID theft -- so what?

2005-07-13 Thread Matthew Byng-Maddick
On Wed, Jul 13, 2005 at 12:15:48PM -0400, Perry E. Metzger wrote: John Denker [EMAIL PROTECTED] writes: My point here is that knowing who I am shouldn't be a crime, nor should it contribute to enabling any crime. Suppose you know who I am. Suppose you know my date of birth, social security

Re: mother's maiden names...

2005-07-13 Thread Dan Kaminsky
"A quick question to anyone who might be in the banking industry. Why do banks not collect simple biometric information like photographs of their customers yet?" Bank Of America put my photo on my ATM card back in '97. They're shipping me a new one right now, so I assume they kept it in

[Clips] As Identity Theft Moves Online, Crime Rings Mimic Big Business

2005-07-13 Thread R.A. Hettinga
--- begin forwarded text Delivered-To: [EMAIL PROTECTED] Date: Wed, 13 Jul 2005 12:54:49 -0400 To: Philodox Clips List [EMAIL PROTECTED] From: R.A. Hettinga [EMAIL PROTECTED] Subject: [Clips] As Identity Theft Moves Online, Crime Rings Mimic Big Business Reply-To: [EMAIL

Re: Attack on Brands blind signature

2005-07-13 Thread Christian Paquin
cypherpunk wrote: eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several blind signature schemes, including one widely discussed on the Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper seems to show that it is possible for the bank/mint to recognize blind

Re: ID theft -- so what?

2005-07-13 Thread John Denker
On 07/13/05 12:15, Perry E. Metzger wrote: However, I would like to make one small subtle point. ... the use of widely known pieces of information about someone to identify them. Yes, there are annoying terminology issues here. In the _Handbook of Applied Cryptography_ (_HAC_) -- on page

Re: ID theft -- so what?

2005-07-13 Thread Dan Kaminsky
This is yet more reason why I propose that you authorize transactions with public keys and not with the use of identity information. The identity information is widely available and passes through too many hands to be considered secret in any way, but a key on a token never will pass through

Re: ID theft -- so what?

2005-07-13 Thread Perry E. Metzger
Dan Kaminsky [EMAIL PROTECTED] writes: This is yet more reason why I propose that you authorize transactions with public keys and not with the use of identity information. The identity information is widely available and passes through too many hands to be considered secret in any way, but a key