Educause Security Discussion mailing list archives

Re: Implementing a Public Key Infrastructure


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 16 Feb 2006 11:25:27 -0800

Barbara mentioned...

#I know this isn't a banking forum, but the banks have been dying to use
#certificate technology for years,

I think banks need to address some other issues first... for example, I
was invited to discuss the issue of how banks can overcome some of the
technical phishing issues they're currently confronting at a May 2005
regional bank security conference; if you're interested, feel free to see:

"Phishing: Some Technical Suggestions for Banks and Other Financial
Institutions," http://www.uoregon.edu/~joe/quadstate/quadstate.pdf (or .ppt)

#and the problem they have with end
#users has some similarity to education's issues with students:  how do
#you provide high-quality secure services to users on untrusted machines?

I will not claim that I have a solution for how to make palatable pies
from wormy apples, however there are people trying/developing things like
Blackdog (e.g., see http://www.projectblackdog.com/ ) in an effort to cope
with contaminated/untrustworthy "cybercafe"/public lab environments.
(disclaimer: I'm not involved with the Blackdog project nor do I personally
use one, I merely mention it as an example of what some folks are working on)

Regards,

Joe

P.S. Finally, if you haven't seen Christopher Abad's paper, "The economy of
phishing: a survey of the operations of the phishing market,"
http://www.firstmonday.org/issues/issue10_9/abad/ I'd highly recommend
checking it out. Really some nice work...
