No, smartcards are just password verification, only remotely at the user's location.
Almost all the rest of the smarts goes into having the smart card tell the server that password verification passed.
What good is that?
I'm not sure the CAs are all that useful with revocation lists.
The multiple US government CA/PKIs now have CRLs that reportedly take up to 14 minutes to process in a PKI-using client - a bit of a mess when you've a few dozen emails to verify every day.
Distributed revocation is a bad thing.
Just like DNS - PKI is distributed revocation since every user/client must do their own revocation status checking - imagine getting a DNS record for a web site once, then always trusting it to be accurate?
Every PKI-protected message/session should be checked for revocation status - that's the benefit of centralised revocation/user management (and it's waaayyyy cheaper to operate).
lyal
I think this PKI-edness of VOIP is basically silly.
I can receive a phone call, or make one at any PSTN phone.
With PKI based VOIP, I can only answer the phone, or make calls, from a single machine.
Why remove that level of flexibility just to cut out the telco?
A better idea might be to secure the link to the IP-based switching centre, and let their directory service manage the link to the remote end, including confidentiality, authentication and so on. Sounds a lot like a telco to me.
Who cares?
SCO is basically a US problem, not ours.
Get a Snap account and pay online for amounts as small as these.
Why waste time going to a store to get a voucher?
The issue is that treating the problem of security at 2 levels (network and application) is flawed - each specialist area thinks the other is doing everything.
The real goal IMHO is to dumb down the need for network security (i.e. stick to firewalls, routing controls and simple protocol checks) and boost security at the application messaging layer.
The 3As (authentication, authorisation, accountability), confidentiality, integrity and content inspection/management are a must.
SSL, SSH and VPNs et al don't enable any of these attributes at the application layer.
For those wishing to transform themselves into viable internet entities from the early adopter models, look for application level security tools.
Interesting.
The first 4 digits can only have a few thousand permissible (i.e. issued) combinations.
The next 4 digits relate to the type of card (gold, platinum, bog standard, special characteristics of the bank's charging regime etc).
8 digits of combination will be limited to those card products issued by banks in your region of domicile.
The last digit is a checksum, so no need to brute force that.
Only 7 digits to guess. A Google search or two to guess your residential area and banks servicing that area, and cardmaster here we come!
By this logic, electricity should not be regulated either.
Electrons are just fragments of physics, right?
I agree that over-regulation is bad, but the way to discuss and promote alternatives should at least be sensible and justifiable, IMHO.
Lyal
I agree - smartcards were around much longer than that.
However, how much of the work was in the public domain? If none, then a patent can be applied for, AFAIK.
How much of the internal processes you worked on functioned as described in this patent in question?
If none, then the patent was not infringed by your employer.
lyal
Debit is significantly cheaper than credit IF you use a PIN, not signature.
It's only weird card scheme rules that create a huge price difference for the small difference of a signature vs a PIN - a difference settled in a ~$5bn case by Mastercard and Visa in a case against them by Walmart and other retailers.
Use a PIN, save yourself money, save the merchant money, and reduce your risk of fraudulent use of your signature.
Now, we just need the card schemes to enforce the strong terminal security like the rest of the developed world has had for 10+ years.
Because those doing it were taking planned, systematic hostile actions against one or more targets to find weaknesses, with the goal usually of finding cheap telephone access.
Most high-gain antennas are very directional.
So the mechanics of being able to point this antenna over a 360 degree sphere of interest (or multiple antennae) will cost more time and effort than actually securing the WLAN itself.
Lyal
Using hardware crypto means the distribution of the keys is a whole lot simpler - just do it when the handset is shipped.
None of these computationally and bandwidth-expensive overheads with PKI, which no one trusts to the level necessary to protect a phone conversation.
Well, probably A is covered by paying upwards of $20k over 2-3 years - if that's not a form of intent, then what is?
re B) Right now it appears 17 or 20 years is considered the appropriate amount of time. The time to get something to market must start AFTER the patent application is lodged - you can't patent anything that is marketed as it is then prior art, and no longer unique.
re C) The publishing of patents after an initial patent office examination already occurs, and any interested party can challenge the patent application.
re D) - Isn't this just commercial good sense? Why would I cause someone to shut down a profitable line of business when I can ask for a reasonable market fee, and gain access to a ready-built market that has cost me nothing to build??????
Lyal
As far as I know, it is difficult to legally distinguish between a person and a company in law - both are recognised entities with many similar rights.
Lyal
"Do you have any proof of this? Point out exactly where in the bill it says this, please."
The Mastercard/Visa rule changes put all the liability onto the cardholder under SET.
Unless you can prove you didn't generate the electronic transaction, you're stuck with the bill! No questions.
No-one has any idea on how to prove you didn't create a digital signature.
Meanwhile, hacking attacks to steal a copy of your private key are almost trivial today.
Lyal
How many financial transactions occur using RSA?
Almost none, as there are no accepted standards for financial transactions using PKI (ignoring SET, it's a joke).
Over 16 billion DES-protected transactions (ATM, POS etc) occurred in the US in 1997.
Tell me, which has market share and reliability?
Lyal
There are brute-force password attacks on PGP key files - fast as well, much faster than key-cracking.
About as fast as L0phtCrack, actually.
With PGP key file-stealing trojans around, PGP is definitely suspect as a trust tool - still good for confidentiality, used right.
Lyal
Exactly
lyal
4096 bit PKI is no better than your password used to protect the private key.
And passwords are subject to dictionary attack.
Finally, a digital signature has no intrinsic way to prove you did it. By contrast, a handwritten signature can be shown forensically to be consistent with all other signatures known to have been made by you.
In the case of disputed digital signatures, it is your word against that of someone's machine.
Guess who wins?
I have no idea either - but I'm not trusting my electronic life to such uncertainty!
Lyal