WebApp Sec mailing list archives
RE: Smart card proposal
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Sat, 29 Jan 2005 09:34:11 +1100
IMHO, the security issues of 'web sites communicating with tokens' are poorly addressed. If the site is hacker controlled (the main page site, advertising, image sources etc), then anything can happen, good or bad. While we want to good to occur, the bad is just as important to control Tokens effectively have a 'power of attorney' over one's authenticated services. Being realtively, dumb, they follow a few simple rules to generate output that commits the human to the consequences of the input. Human-mediated input/output, and indeed control over the 'power of attorney' processing is severely lacking in the products available today. No solutions appear to provide strong, ongoing control by the user of how, when and why the device is used to authenticate/encrypt transaction related content. A refocussing on products that address business and user needs is necessary. I fear that most infrastructure and products in this space is too insecure or dumb to actually do any of the necessary human mediated secure communication and authentication Lyal
-----Original Message----- From: Koh Gim Leng [mailto:kohgimleng () gmail com] Sent: Friday, 28 January 2005 2:10 PM To: Richard M. Smith Cc: webappsec () securityfocus com; maburns () safenet-inc com Subject: Re: Smart card proposal On Tue, 25 Jan 2005 16:45:52 -0500, Richard M. Smith <rms () computerbytesman com> wrote:Hi, What seems more user-friendly to me is that a single USBkey device needs tobe sharable between 5 credit cards, rather than having 5separate devices.What I still do not understand is how a Web sitecommunicates with the USBkey device.Web site communicates to a web browser which in term communicates to a set of standard APIs known as PKCS#11. Every smart card token or USB token vendor who wants to sell their token will provide you with their PKCS#11. Being a standard, your browser will know which API to call within the PKCS#11. If the token is in the form smart card, then the PKCS#11 provided by the smart card vendor will include means to call the smart card drivers provided as well. If the token is in the form of USB, then the PKCS#11 provided by the USB vendor will inculdes means to call the USB drivers as well. Bottom line - whatever happens belows PKCS#1l should be transparent to the web browser (or any PKI enabled application). Regards Sam Koh
Current thread:
- RE: Smart card proposal, (continued)
- RE: Smart card proposal maburns (Jan 24)
- Re: Smart card proposal Hugo Fortier (Jan 24)
- RE: Smart card proposal Richard M. Smith (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 27)
- RE: Smart card proposal McAllister, Andrew (Jan 27)
- RE: Smart card proposal Ofer Shezaf (Jan 27)
- RE: Smart card proposal Ofer Shezaf (Jan 27)
- RE: Smart card proposal Richard M. Smith (Jan 27)
- Re: Smart card proposal DE Gustafson (Jan 27)
- Re: Smart card proposal Koh Gim Leng (Jan 28)
- RE: Smart card proposal Lyal Collins (Jan 28)
- RE: Smart card proposal Richard M. Smith (Jan 27)
- RE: Smart card proposal maburns (Jan 24)
- RE: Smart card proposal maburns (Jan 27)
- RE: Smart card proposal maburns (Jan 27)
- Re: Smart card proposal Miguel Ruiz Velasco Sobrino (Feb 02)
- Security Webcast Series JoeStagner (Feb 02)
- RE: Smart card proposal Glenn_Everhart (Feb 02)
- RE: Smart card proposal Lyal Collins (Feb 03)
- Re: Smart card proposal Rogan Dawes (Feb 03)
- Re: Smart card proposal Kevin Kadow (Feb 16)