project idea: portable password safe

Paul Boddie paul at
Sun Sep 8 14:40:36 EDT 2013

On Sunday 8. September 2013 18.56.29 Werner Almesberger wrote:
> Paul Boddie wrote:
> > If I had to guess what went on [in a smartcard-based e-banking
> > access "calculator"]
> Yes, I think that's how they work. The "calculator" is just a shell
> that provides the user interface and power. You still need to trust
> it, but only to the point that it won't leak the PIN.


> > Instead, it's a situation where an "official" body signs
> > everything on your behalf, ostensibly because you logged in to their
> > service at some point and said you wanted to do something.
> Is this actually how they do it? I would think they merely provide
> an electronic statement saying that user X has asked us to do Y,
> certified by the respective authority that makes the statement.

According to the following description of one such system, they do the signing 
on your behalf:

"The code unit for a bank-stored BankID is often mistaken for a BankID, but a 
BankID is an electronic certificate centrally stored with Nets."

Apparently, the above system is also implemented by storing the "security 
elements" in a mobile phone's SIM card, which I imagine approximates to a 
smartcard situation.

> Well, the difference may be more legal than technical in the end.

Getting banks to admit screwing up is quite a challenge, in my experience.

> > Perhaps I should look around for
> > similar gadgets to the one you propose.
> It's always good to know what the competition is doing :)

I did manage to find this:

