On 16.12.2008 18:43, Frank Hecker wrote:
> S-TRUST is operated by Deutscher Sparkassenverlag (DSV)

Just a little background on this:

Sparkasse is a "mutual savings bank".
They are fairly popular in Germany: every region has its own (and their geographical coverage usually does not overlap much), and combined they have a decent market share (40% +/- 10%, I'd guess).
They are non-profit.
They have a shared company which does some of the IT for them.

Given that banks have to authenticate their customers by identity card, under money laundering laws, the verification is about as strong as it gets in practice. (Some of them have Internet banks, though, which may authenticate via the post office using a special scheme called PostIdent - but even that requires the ID card and an in-person signature.)

A weakness may be that the customer keys are stored on a chip on the bank debit card (like a credit card, just without credit), and the cards may be sent by normal postal mail, in normal letters, so there's a way to intercept them. The PIN code (to use ATM machines, not sure if needed to access the PKI keys) is sent by normal postal mail as well, but in a separate letter on a different day, in a special envelope protecting against shine-through.

Of course, people carry these cards in their purses all the time, so they may be stolen.

All of what I wrote is from memory, so there might be slight inaccuracies. I have only glanced over their CPS, not read it.
HTH anyways.

Ben
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
