Florian Weimer wrote:
* Rafael San Miguel:
The solution is based in a hardware token that is
delivered to every customer. This token includes the
true certificate that should be presented by the bank
when a customer access his/her account, and a program
that checks if the certificate presented by the
webpage is consistent with the first one. The program
is in read-only memory so that it can't be modified by
anything external to it.
It's acceptable neither to customers nor to banks. These days,
zero-setup online banking is an absolute must.
If clients are prepared to accept the consequences of having this
"zero-setup" online banking, so be it.
Zero-setup online banking will be possible again (with SSL client certs,
hear me beat the drum once more) once enough clients have smart card
readers as standard equipment, properly integrated with the operating
system and the browsers.
For an example, I look to the Dell Latitude D600, which comes with an
integrated smart card reader. Maybe a good feature addition for the new
LCD monitors would be a smart card reader slot, connected via USB. The
more people use them, the more ubiquitous they will be, and the less
"setup" will be required by new users/clients.
We cannot just avoid the issue by saying that banks and clients "don't
wannna!" go to the trouble of setting up a new device so they can be
secure online.
If we all say "I don wanna!", we'll never get there. And that would be a
shame.
Rogan
--
Rogan Dawes
*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
