On Mon, 29 Jul 2002, Benjamin wrote:
> put key management into the phone, which makes sense for other reasons
> already.
Every device, not just the phone, has to deal with key management.
I'd like to see some details about the key management infrastructure
you're proposing.
> > And just how do you intend to do this registration? And how do you make
> > sure that someone else doesn't "re-register" the camera you left on your
> > desk when you went for lunch?
>
> Ever heard of PIN numbers ?
Sometimes, Ben, you leave me completely speechless.
So what you're saying is that you've just put a lot of effort into
creating a device that does authentication and authorization via a
public-key crypto system, and now you're going to protect that with a
PIN number? What did you put in the crypto for in the first place, then?
Now as far as the re-registration problem, assume the camera has a list
of public keys that grant administrative access. You lose your private
key. Who has another key that will allow this situation to be remedied
so you can use the device again? How is this other key protected? What
does the consumer have to do in this situation?
As for the original registration, see my first question re key management
above. Please describe in more detail just how you move your keys around.
> Likewise, you could have a dialog on your camera "Device 'xyzxyzxyzxyz'
> is trying to connect wirelessly. Allow ?"
And how do you know what that device is? Remember, there's no physical
connection here to verify.
> All this is straightforward and nothing new. Hardly a big challenge as
> Ken claimed it was.
I think you want to do a bit more reading on crypto, key management and
PKI before you claim this is not a challenge. You've done a lot of arm
waving, but you certainly have not described how any of this is going to
work in a secure fashion.
cjs
--
Curt Sampson <cjs_at_cynic.net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
Received on Mon Jul 29 05:11:48 2002