With respect: Given recent information from Mr. Snowden, the concept of "trusted PC" seems so 1980s.
---
Ron K. Jeffries
805-567-4670

On Tue, Sep 10, 2013 at 5:47 PM, EdorFaus <[email protected]> wrote:

> On 09/09/2013 08:11 AM, Werner Almesberger wrote:
>
>> Paul Boddie wrote:
>>
>>> https://www.bankid.no/Dette-er-BankID/BankID-in-English/This-is-how-BankID-works/
>>
>> Hmm, seems a little odd to have the keys both at the bank and in your
>> device. But well, it's a possibility. If they leak somehow, this
>> should be fun to figure out where that happened :)
>
> I think it's more a choice, really - you can either keep it in your
> phone's SIM card, or the bank can store it for you.
>
> Well, I would actually assume that the bank stores the ID even if you
> choose to also have it in your SIM card, in which case the above does
> apply. I think most people don't put it into their SIM though, in which
> case it's only kept at the bank.
>
> The code card/calculator thing doesn't contain the actual BankID, it just
> contains a key that is used for logging into the bank site where you can
> then use the BankID.
>
>> He (?) also mentions that
>> his device will see if other keyboards are changing *-lock
>> modifiers. Yet another interesting HID feature I didn't know
>> yet :-)
>
> It depends on the OS to broadcast the notifications, but yes. It's usually
> used to turn on and off the indicator LEDs on all connected keyboards when
> the (global) lock state changes. :)
>
> That OS dependence isn't a major concern for simple on-off detection (e.g.
> to automatically turn off caps lock when typing a password, and back on
> afterwards - or just invert the relevant shift state when caps lock is on),
> I think pretty much all of them handle that similarly enough these days to
> not be a problem in practice (and worst-case the user can turn it off
> manually once they notice).
>
> The main difference (I know of) between OSes is in how exactly these LED
> notifications are handled when a lock key is held down - something I found
> out recently when writing a driver for a device with a feature that
> depended on the way Windows does it (and Linux doesn't)...
>
> IMO it's best to simply avoid depending on detecting held-down keys, and
> instead detect and trigger on e.g. a few rapid on-off switches.
>
>> It's interesting to see the first comment suggest use of a
>> rotary encoder.
>
> That's actually a good idea, and not just for menu navigation either.
>
> A network music player I have has a big rotary encoder on the front, that
> it uses not just for volume control and menu navigation, but also for
> entering things like WiFi passwords.
>
> The concept is fairly simple and straightforward: you use a button to move
> from one character position to the next, and the rotary encoder to move
> up/down through the characters for that position.
>
> Slower than a real keyboard, obviously, but takes up far less space
> (especially if you would have the encoder anyway), and is faster (and
> easier to use) than having to press up/down buttons to select the character.
>
>> The Pass-Pal got me thinking, though. If we accept the concept of
>> a trusted PC for setup, things get a LOT simpler. Almost
>> watch-level simple ;-)
>
> Well, we might want the option of using a trusted PC for initial setup,
> e.g. to import an existing password database - but I still think it's a
> good idea to be able to manage the passwords on the device itself too, even
> if that's not usually as convenient, because in some cases, it will be
> *more* convenient. E.g. if you receive a new password at a time when you
> don't have a trustworthy PC nearby.
>
> Also, if we use the rotary encoder idea, it doesn't have to be all that
> large or difficult - might still be able to get it close to a watch size,
> if the encoder is small (or mechanically fancy) enough (though a small one
> might be harder to use).
>
> If password management is possible from the PC, though, I think it would
> be a good idea to have a kind of write lock on the device, that would make
> it impossible to write to the device from the PC when it was on - as an
> extra security feature in case you want to use the passwords from the
> device on an untrusted PC.
>
> I noticed the Pass-Pal had something kinda like that, in its lock
> function, but it seemed to conflate the read and write locks - I think it
> would be convenient to be able to auto-type selected passwords while still
> not allowing password management.
>
> -Frode
>
> _______________________________________________
> Qi Hardware Discussion List
> Mail to list (members only): [email protected]
> Subscribe or Unsubscribe: http://lists.en.qi-hardware.com/mailman/listinfo/discussion

