W3C home > Mailing lists > Public > public-identity@w3.org > November 2011

Re: The "korean bank" use-case

From: Ron Garret <ron@flownet.com>
Date: Sun, 27 Nov 2011 08:31:57 -0800
Cc: "public-identity@w3.org" <public-identity@w3.org>
Message-Id: <16C49EA2-0EED-4496-8098-67E145E13F4E@flownet.com>
To: Anders Rundgren <anders.rundgren@telia.com>

On Nov 27, 2011, at 7:30 AM, Anders Rundgren wrote:

> in case devices are in scope

I think one can walk this decision backwards one step, which could make it easier to reach consensus: is it the goal of this WG to develop a solution that is secure enough to be used for financial transactions?  If the answer to that is "yes" then I think devices have to be in scope because (I claim) all purely software-based solutions will be vulnerable to phishing by malicious plug-ins.

BTW, this is a non-trivial but crucial question to resolve.  You end up with very different designs depending on the answer.  BrowserID, for example, has many nice properties, but it is no more secure than email.  Whether or not email is secure enough for financial transactions is a judgement call, but to decide that it is not secure enough is IMHO a defensible position.

BTW2: One way to resolve this question is to punt on it, and develop different standards with different security properties.  Such multifurcation has the danger of spinning wildly out of control, but it may turn out that there are only two or three levels of security that actually matter, which may make this a tractable approach.

> IMO, this is also the reason why the *current* smart card technology is unsuitable
> for browser integration.

I would agree with this.

> I.e. my quest for a simpler "web token" is a more realistic take on this topic in spite of
> the fact that you need new hardware.

Why do you think you need new hardware?  There are existing hardware solutions that are simpler than full-blown smart cards:

https://www.swekey.com/
http://www.safenet-inc.com/products/data-protection/two-factor-authentication/certificate-based-pki-usb-authenticators/
http://www.cryptomate.com/

There are also mobile devices.  Apps are not as secure as a dedicated device but more secure than a browser, so something like this:

http://www.rsa.com/node.aspx?id=3651
http://itunes.apple.com/us/app/oath-token/id364017137

might be good enough.

BTW, I am not endorsing any of these, just pointing to them out as data points to inform the discussion.

rg
Received on Sunday, 27 November 2011 16:32:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 27 November 2011 16:32:39 GMT