On Thu, Nov 16, 2000 at 09:40:01AM -0500, R. A. Hettinga wrote:
> At 1:12 AM -0500 on 11/16/00, Declan McCullagh wrote:
> Bruce's article is well-written, but it covers ground already well-trodden by others.
> Certainly.
> Carl Ellison, Perry Metzger, and even law professors like Jane Kauffman Wynn, have been saying this stuff for years.
> Moreover, most, if not all, of his points apply to data-scrambling encryption applications on the same computer.
> Yup.
> But, frankly, you don't want to do commerce, especially finance, on a platform you don't have absolute control over, anyway. As Chaum and others point out, you want your own box, with its own I/O, and so on. Fortunately, falling hardware prices and miniaturization continue to accelerate apace.
What's interesting about this is that while everyone wants the added security from a device like this, no one wants to pay for it. I did a lot of the design for a secure smartcard keyboard that was produced a few years ago by a company called N*Able (bought last year by Wave Systems). It solved the problem of trusting the PC that you shove your smartcard into not to steal the PIN or sign something else or lie about what you're signing. Rather than having to trust MS (or Linux) to protect your signing keys and what you're signing, you only had to trust our keyboard, which was designed from the beginning to be secure (that's not perfect, but it's a heck of a lot better than trusting MS, and good enough for commercial applications).

However, in meeting with the US banking industry, we were told in so many words, "This solves our security problems, we'd love to use it, but we want someone else to pay for deployment." The financial industry sees security problems not as something to be fixed, but as a cost to be borne. If the cost of the security breaks is less than the cost of the technology to fix it, or if the cost of security breaches can be passed on to someone else, there is no reason to put a security measure into place to fix the problem. I believe that most financial systems in the US operate on the second model (credit cards do by law: loss over $50 is eaten by the merchant or sometimes the issuing bank, to be passed back to consumers in higher prices).

I think that the force that would distribute secure signing hardware in the US is profit: the hardware and the systems to support it would need to cost enough less than the fraud rate that there's a profit to be made off the difference. Unfortunately, with this type of hardware, most of the cost is not in the hardware itself, but in the distribution, software and support. AmEx seems to have discovered that with "Blue": there's no support for actual on-line payments.

In fact, the company that did the software, GlobeSET, recently folded. So now it's a regular credit card with a pretty gold-colored symbol on one side. The cost might have been worth paying for long-term customer acquisition, but it was a bust as far as fraud reduction and security are concerned.

--
Eric Murray
Consulting Security Architect
SecureDesign LLC
http://www.securedesignllc.com
PGP keyid: E03F65E5