Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-11-01 Thread Ian Grigg
Ben, > Ian Grigg wrote: >> It should be obvious. But it's not. A few billions >> of investment in smart cards says that it is anything >> but obvious. > > That assumes that the goal of smartcards is to increase security instead > of to decrease liability. On whether the goal of smart cards is t

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-11-01 Thread Ben Laurie
Ian Grigg wrote: Alan Barrett wrote: On Sat, 23 Oct 2004, Aaron Whitehouse wrote: Oh, and make it small enough to fit in the pocket, put a display *and* a keypad on it, and tell the user not to lose it. How much difference is there, practically, between this and using a smartcard credit card in

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-11-01 Thread Anne & Lynn Wheeler
At 10:29 AM 10/28/2004, James A. Donald wrote: Is there a phone that is programmable enough to store secrets on and sign and decrypt stuff? The ideal crypto device would be programmed by burning new proms, thus enabling easy reprogramming, while making it resistant to trojans and viruses. the

RE: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-11-01 Thread Trei, Peter
James A. Donald wrote: > R.A. Hettinga wrote: > > [The mobile phone is] certainly getting to be like Chaum's > > ideal crypto device. You own it, it has its own I/O, and it > > never leaves your sight. > > Is there a phone that is programmable enough to store secrets > on and sign and decrypt st

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-11-01 Thread Eugen Leitl
On Thu, Oct 28, 2004 at 09:29:21AM -0700, James A. Donald wrote: > Is there a phone that is programmable enough to store secrets > on and sign and decrypt stuff? Er, it has been a while since you bought a new mobile, right? About all of them have several MBytes memory, and run Java. Some Motorol

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-11-01 Thread R.A. Hettinga
At 9:29 AM -0700 10/28/04, James A. Donald wrote: >Is there a phone that is programmable enough to store secrets >on and sign and decrypt stuff? I think we're getting there. We're going to need a, heh, killer ap, for it, of course. :-) Cheers, RAH -- - R. A. Hettinga The Inter

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-28 Thread Anne & Lynn Wheeler
At 03:31 PM 10/25/2004, Ian Grigg wrote: :-) It should be obvious.  But it's not.  A few billions of investment in smart cards says that it is anything but obvious. To be fair, the smart card investments I've been familiar with have been at least very well aware of the problem.  It didn't stop th

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-28 Thread James A. Donald
-- R.A. Hettinga wrote: > [The mobile phone is] certainly getting to be like Chaum's > ideal crypto device. You own it, it has its own I/O, and it > never leaves your sight. Is there a phone that is programmable enough to store secrets on and sign and decrypt stuff? The ideal crypto device w

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-28 Thread dan
This is what I love about the Internet -- ask a question and get silence but make a false claim and you get all the advice you can possibly eat. OK, I (quite happily) stand corrected about why Microsoft bought Connectix -- it was cheaper given their extensive dependence on the Virtual PC product

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-28 Thread Peter Gutmann
[EMAIL PROTECTED] writes: >No need to buy a company just to use its product in your development shop. They're not "using it in their development shop", that's their standard development environment that they ship to all Windows CE, Pocket PC, SmartPhone, and XP Embedded developers (and include fr

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-28 Thread Roy M. Silvernail
On Sun, 2004-10-24 at 09:35 -0400, [EMAIL PROTECTED] wrote: > | [EMAIL PROTECTED] writes: > | > | >I'm pretty sure that you are answering the question > | >"Why did Microsoft buy Connectix?" > | > | The answer to that one is actually "To provide a > | development environment for Windows C

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-28 Thread Ian Grigg
Alan Barrett wrote: On Sat, 23 Oct 2004, Aaron Whitehouse wrote: Oh, and make it small enough to fit in the pocket, put a display *and* a keypad on it, and tell the user not to lose it. How much difference is there, practically, between this and using a smartcard credit card in an external reader

RE: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-28 Thread R.A. Hettinga
At 9:30 AM -0400 10/25/04, Trei, Peter wrote: >If we're going to insist on dedicated, trusted, physical >devices for these bearer bonds, then how is this different >than what Chaum proposed over 15 years ago? I don't think that face to face will be necessary. It just means keeping control of your

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-28 Thread R.A. Hettinga
At 10:41 PM +0200 10/23/04, Eugen Leitl wrote: >No, that's going to be the mobile phone. Certainly getting to be like Chaum's ideal crypto device. You own it, it has its own I/O, and it never leaves your sight. Cheers, RAH -- - R. A. Hettinga The Internet Bearer Underwriting Co

RE: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-25 Thread Trei, Peter
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Aaron Whitehouse > Sent: Saturday, October 23, 2004 1:58 AM > To: Ian Grigg > Cc: [EMAIL PROTECTED] > Subject: Re: Financial identity is *dangerous*? (was re: Fake >

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-25 Thread Ian Grigg
http://www.financialcryptography.com/mt/archives/000219.html [EMAIL PROTECTED] wrote: ... to break the conundrum Ballmer finds himself in where the road forks towards (1) fix the security problem but lose backward compatibility, or (2) keep the backward compatibility but never fix the problem. I th

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-25 Thread dan
| [EMAIL PROTECTED] writes: | | >I'm pretty sure that you are answering the question | >"Why did Microsoft buy Connectix?" | | The answer to that one is actually "To provide a | development environment for Windows CE (and later XP | Embedded)" (the emulator that's used for development

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-25 Thread Peter Gutmann
[EMAIL PROTECTED] writes: >I'm pretty sure that you are answering the question "Why did Microsoft buy >Connectix?" The answer to that one is actually "To provide a development environment for Windows CE (and later XP Embedded)" (the emulator that's used for development in those environments is Vi

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-25 Thread Eugen Leitl
On Sat, Oct 23, 2004 at 06:58:26PM +1300, Aaron Whitehouse wrote: > That would seem to me a more realistic expectation on consumers who are > going to have, before too long, credit cards that fit that description > and quite possibly the readers to go with them. No, that's going to be the mobil

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-25 Thread Alan Barrett
On Sat, 23 Oct 2004, Aaron Whitehouse wrote: > >Oh, and make it small enough to fit in the pocket, > >put a display *and* a keypad on it, and tell the > >user not to lose it. > > How much difference is there, practically, between this and using a > smartcard credit card in an external reader with

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-23 Thread Aaron Whitehouse
Ian Grigg wrote: James A. Donald wrote: we already have the answer, and have had it for a decade: store it on a trusted machine. Just say no to Windows XP. It's easy, especially when he's storing a bearer bond worth a car. What machine, attached to a network, using a web browser, and sending a

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-23 Thread dan
| > What machine, attached to a network, using a web browser, and | > sending and receiving mail, would you trust? | | I would suggest pursuing work along the lines of a Virtual Machine Monitor | (VMM) like VMWare. This way you can run a legacy OS, even Windows, | alongside a high securi

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-21 Thread "Hal Finney"
James Donald writes: > On 19 Oct 2004 at 21:30, Ian Grigg wrote: > > we already have the answer, and have had it for a decade: > > store it on a trusted machine. Just say no to Windows XP. > > It's easy, especially when he's storing a bearer bond worth a > > car. > > What machine, attached to a

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-21 Thread Ian Grigg
James A. Donald wrote: we already have the answer, and have had it for a decade: store it on a trusted machine. Just say no to Windows XP. It's easy, especially when he's storing a bearer bond worth a car. What machine, attached to a network, using a web browser, and sending and receiving mai

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-21 Thread James A. Donald
-- On 19 Oct 2004 at 21:30, Ian Grigg wrote: > (In fact, one seems to have failed in the last few days - > EvoCash - and another is on the watch list for failure - > DMT/Alta. Both of them suffered from business style attacks > it seemed, rather than what we would call security hacks.) To

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-21 Thread Ian Grigg
Hi John, John Kelsey wrote: Today, most of what I'm trying to defend myself from online is done as either a kind of hobby (most viruses), or as fairly low-end scams that probably net the criminals reasonable amounts of money, but probably don't make them rich. Imagine a world where there are a few

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-19 Thread John Kelsey
>From: Chris Kuethe <[EMAIL PROTECTED]> >Sent: Oct 13, 2004 1:15 PM >To: "James A. Donald" <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], > "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> >Subject: Re: Financial identity is *dangerous*? (was re