> We sign the request from service providers like Kickstarter by authenticating trustworthy partners with unique certificates, to make sure that not the fraudulent website "Kikkstarter" requests John's data
> If the signature of Kickstarter's request is valid
So how exactly does the JAR learn Kickstarters public key? Is this based on PKI or pinning/caching? Where's the trust anchor here?
Also it's not clear without a protocol specification whether this provides complete mutual authentication of ephemeral sessions (otherwise active MITM/spoofing is still going to be possible). Several round-trips to the server will typically be required to guarantee this.
> If you lose your JAR, you can call us or go online to deactivate it.
So the company behind JAR can deactivate my device. And if they go bankrupt? What if they get hacked? How do I authenticate myself on their website to deactivate my JAR. I can't use my JAR because, well, I've lost my JAR. So do I use a password?
What makes this better than Clef[0], which is a free app and based on a similar rudimentary RSA-signed challenge-response protocol?
> If you purchase a JAR, we store your personal information on our server
Why?
> The customer target price is €99.
You really think people are going to pay this much when many new devices are already shipping with fingerprint readers built-in? Where's your business model if every laptop and every phone is shipping with a fingerprint reader in 5 years time? And are you aware the next series of Intel CPUs contain built-in OTP (one-time password) code generation specifically for two factor authentication? These won't even need browser plugins or peripherals because the technology will be accessible to software directly.
In the kickstarter page, you say that "a private key is stored, which is encrypted using military-grade encryption methods with his fingerprint". How does this work? It seems to me that there is no way of encrypting data with a fingerprint (since it varies drastically depending on how it is placed on the scanner). So are you encrypting the RSA priv key with the fingerprint or just checking the fingerprint before using the key?
Also, how are you planning on getting websites to use jar for authentication?
Another question: "fully-encrypted cloud storage". But previously in the description you say "losing your JAR does not create a continuous lock-out for the user". How does this work?
How much storage is available on the jar?
Also, you say "The private key stored on your JAR is generated when setting JAR up for the first time, using your fingerprint as a random input". Do you have another source of entropy for the jar? Because a fingerprint does not have that much entropy (certainly not enough for a 2048 bit encryption key).
3 comments
[ 4.1 ms ] story [ 13.6 ms ] thread> If the signature of Kickstarter's request is valid
So how exactly does the JAR learn Kickstarters public key? Is this based on PKI or pinning/caching? Where's the trust anchor here?
Also it's not clear without a protocol specification whether this provides complete mutual authentication of ephemeral sessions (otherwise active MITM/spoofing is still going to be possible). Several round-trips to the server will typically be required to guarantee this.
> If you lose your JAR, you can call us or go online to deactivate it.
So the company behind JAR can deactivate my device. And if they go bankrupt? What if they get hacked? How do I authenticate myself on their website to deactivate my JAR. I can't use my JAR because, well, I've lost my JAR. So do I use a password?
What makes this better than Clef[0], which is a free app and based on a similar rudimentary RSA-signed challenge-response protocol?
> If you purchase a JAR, we store your personal information on our server
Why?
> The customer target price is €99.
You really think people are going to pay this much when many new devices are already shipping with fingerprint readers built-in? Where's your business model if every laptop and every phone is shipping with a fingerprint reader in 5 years time? And are you aware the next series of Intel CPUs contain built-in OTP (one-time password) code generation specifically for two factor authentication? These won't even need browser plugins or peripherals because the technology will be accessible to software directly.
[0] https://getclef.com/
Also, how are you planning on getting websites to use jar for authentication?
Another question: "fully-encrypted cloud storage". But previously in the description you say "losing your JAR does not create a continuous lock-out for the user". How does this work?
How much storage is available on the jar?
Also, you say "The private key stored on your JAR is generated when setting JAR up for the first time, using your fingerprint as a random input". Do you have another source of entropy for the jar? Because a fingerprint does not have that much entropy (certainly not enough for a 2048 bit encryption key).