On Sat, 19 Sep 1998, Ryan Lackey wrote:
[from a discussion of tamper-resistant hardware for payment systems on dbs@philodox.com, a mailing list dedicated to digital bearer systems, where Scott Loftesness, of DigiCash and Arcot Systems, mentioned ArcotSign.]
You mentioned the URL for Arcot, and I looked at the site. It seems rather lacking in technical details, and makes a very strong claim -- that it can provide tamper resistance in software on a hardware/OS/etc. platform which is generally hostile (a general purpose computer).
From the technical description of Arcot's WebFort technology at http://www.arcot.com/WebFort1.htm, the product sets up an encrypted and authenticated channel between the client and the server. You could use standard SSL with client certs to achieve the same result.
What concerns me are the other outrageous claims made on the site:

o Conventional software solutions offering public key authentication, such as those from Microsoft, Netscape, and Entrust are no stronger than username/password mechanisms.
[False. UID/PW's are subject to guessing. Client certs are not].

o ArcotCard is a tamper resistant software only private key storage system.
[Anybody using the words "tamper resistant" to describe a software based solution is incompetent at best].

o ArcotSign(TM) technology is a breakthrough that offers smart card tamper resistance in software. Arcot is unique in this regard, and WebFort is the only software-only web access control solution on the market that offers smart card security, with software convenience and cost.
[We have now entered deep snake oil territory. Claims that software affords tamper resistance comparable to hardware tokens are either based in dishonesty or levels of incompetence in league with "just as secure pseudo-one-time pads"].

In summary, based on the technical information provided by Arcot Systems, the product is a software based authentication system using software based client certificates.

-- Lucky Green <shamrock@cypherpunks.to>
   PGP v5 encrypted email preferred.