I wouldn't dispute any of the arguments made in the original or subsequent posts on this topic pointing out that the programmatic interface to the device opens a security hole. But I think it needs to be said that this is only in the environment where trojans, etc., can infiltrate the machine. Acknowledged... this is probably in 99.99% of the applications.

But in defense of the product, there are server-to-server type applications that don't involve a human which wouldn't be able to provide this style of two-factor authentication without a programmatic interface. And without hardware-based security solutions for these types of systems, they are vulnerable to compromise of keys and secrets by administrators. With a little physical security and isolation from the types of use that put them at risk for trojans, etc., the security hole under fire doesn't really exist. These systems do gain more security... by providing a device that doesn't allow an administrator to walk away with the secrets.

Maybe server-to-server applications weren't really the intended market for this particular product, but the point is that you need to be careful with blanket criticisms.
Regards,
Paul Zufeldt
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo metzdowd.com