[cap-talk] Astav (was: Re: the value of non-delegatable authority?)
Jed Donnelley
jed at nersc.gov
Mon Jan 14 14:16:30 EST 2008
On 1/14/2008 9:09 AM, Karp, Alan H wrote:
> Toby Murray wrote:
>> I remember reading about a mechanism to reduce the risk of
>> identity fraud whereby credit card charges (or something
>> similar, can't remember) would have to be authorised by having
>> a bank (or similar entity) phone you up on a registered number
>> to authenticate each charge. This is almost an exact real-world
>> embodiment of the NDA as explained in the paper.
>>
> Watch the video at http://www.astav.net/.
> (Disclaimer: It's a company run by a friend of mine.)
I watched the video. One question. What happens if
you don't respond to the call? I assume the default
is to not allow the transaction? Not allow the transaction
but not treat the attempt as fraud? That of course means
that you can't purchase anything when outside cell
phone coverage or if your cell's battery has run
down or ... We also know that cell phones can be
misplaced or stolen and cell communication itself
isn't immune from fraud. Not fatal perhaps, but it
seems to me there are some practical issues to be
considered.
Also I'll mention that this approach seems to me
orthogonal to the issue of non-delegatable authority,
especially regarding using such to implement defense
sorts of protections like the * and simple security
properties (see my previous message about the necessity
of one-way communication for such).
Still, a worthwhile mechanism to have in the toolbox
I think, especially when considered as one factor in
multi-factor verification for high value transactions.
--Jed http://www.webstart.com/jed/
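A small model of the registered-number callback mechanism and of the no-response question raised above, added here as an example that is not part of the original thread or of the Astav product. Card ids, phone numbers, the high-value threshold and the callback channel are constructed assumptions; the policy it encodes is fail closed on no answer, with only an explicit refusal by the holder raising a fraud alert.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Outcome(Enum):
    APPROVED = "approved"                  # holder confirmed on the registered number
    DECLINED_PRIMARY = "declined_primary"  # card credentials failed; nothing to confirm
    DECLINED_BY_HOLDER = "declined_holder" # holder answered and refused: suspected fraud
    NO_RESPONSE = "no_response"            # no answer in the window: deny, but not fraud


@dataclass
class Charge:
    card: str
    merchant: str
    amount: float


# Hypothetical out-of-band channel: given the registered number and the charge,
# returns True (confirm), False (refuse) or None (no answer / phone unreachable).
Callback = Callable[[str, Charge], Optional[bool]]


@dataclass
class OutOfBandAuthorizer:
    registered: dict          # card id -> registered phone number (constructed)
    call: Callback            # the callback channel (constructed here)
    high_value: float = 100.0 # only charges above this trigger the callback
    fraud_alerts: list = field(default_factory=list)

    def authorize(self, charge: Charge, primary_ok: bool) -> Outcome:
        if not primary_ok:
            return Outcome.DECLINED_PRIMARY
        if charge.amount <= self.high_value:
            return Outcome.APPROVED        # callback is one extra factor for high value only
        number = self.registered.get(charge.card)
        answer = self.call(number, charge) if number else None
        if answer is True:
            return Outcome.APPROVED
        if answer is False:
            self.fraud_alerts.append(charge)  # holder says "not me": worth investigating
            return Outcome.DECLINED_BY_HOLDER
        return Outcome.NO_RESPONSE            # unreachable or silent: fail closed, no fraud flag


# Constructed sample responses keyed by phone number; None models no answer.
SAMPLE_ANSWERS = {"+1-555-0100": True, "+1-555-0101": False, "+1-555-0102": None}


def sample_callback(number: str, charge: Charge) -> Optional[bool]:
    return SAMPLE_ANSWERS.get(number)
```

A lost or stolen phone, or a spoofed call, still lets the channel be fooled, which is why the block treats the callback as one factor rather than the whole decision.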