W3C home > Mailing lists > Public > public-identity@w3.org > November 2011

Re: The "korean bank" use-case

From: Mo McRoberts <Mo.McRoberts@bbc.co.uk>
Date: Mon, 28 Nov 2011 09:02:11 +0000
Cc: channy@gmail.com, "public-identity@w3.org" <public-identity@w3.org>
Message-Id: <03ED6065-ACFC-41E6-A7BF-639260E9412B@bbc.co.uk>
To: Anders Rundgren <anders.rundgren@telia.com>

On 28 Nov 2011, at 04:20, Anders Rundgren wrote:

> AFAICT, this is essentially an improved version of Mozilla's current
> JS crypto.  That's fine but IMO it doesn't support security HW
> in a way that makes sense to a bank since there is no way you can
> assure that keys are stored in HW or SW.

How can you •assure• that in the first place? Surely you’re always just taking the interface’s word for it, even if it claims to provide such guarantees?

>From a security perspective, don’t any claims as to the storage mechanisms employed by the consumer-side hardware and software fall into the “untrusted inputs” category?

M.

-- 
Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ



http://www.bbc.co.uk/
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.
					
Received on Monday, 28 November 2011 09:02:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 28 November 2011 09:02:41 GMT