In response to the interest indicated by the discussion on coderpunks/cipherpunks mailing lists, we have put a technical note about the Arcot key container ("software smart card") on our site at: http://www.arcot.com/camo2.html We would appreciate your comments. This note doesn't tell everything about our method--we *are* developing a commercial product, after all--but we hope that it will suffice to show knowledgeable readers our main ideas and convince them that a software key container that provides protection similar to that of a smart card is in fact possible. I should remark that: - Arcot key protection does not depend on making client-side software complicated or on keeping the algorithms secret. It depends on making it hard for an attacker to tell when he has cracked it, by keeping information that the attacker might use to identify the private key out of his reach (such as the public key). - Consequently, there are significant restrictions on the situations in which Arcot key protection works. For example: - It isn't useful for encryption. - It isn't good for stranger-to-stranger authentication. - It is good for authenticating yourself to your bank, an online merchant with whom you have an account, or to your employer. - Like smartcards, it provides two-factor authentication--you need to have the key container and know the password in order to authenticate. Its key protection is slightly weaker because it is easier to steal (just copy) a card without the theft being noticed. - Of course, the crypto has to be done in software. If your application warrants that level of paranoia, then maybe you really should be using hardware--but are you sure that your smart card is really signing the document you think it is? Most commercial applications don't warrant this level of paranoia. And hardware costs money. Regards, Doug Hoover begin: vcard fn: Douglas Hoover n: Hoover;Douglas org: Arcot Systems adr: 2197 Bayshore Rd;;;Palo Alto;CA;94303;US email;internet: doug@arcot.com tel;work: 650 470-8203 tel;fax: 650 470-8208 x-mozilla-cpt: ;0 x-mozilla-html: TRUE version: 2.1 end: vcard