project idea: portable password safe

Ron K. Jeffries rjeffries at gmail.com
Sat Sep 14 12:31:09 EDT 2013


Most Excellent.
I've registered on Gitorious, user name is ronkjeffries.

After logging in, I searched "pwsafe" and found what seems to be a
different project, a Linux program.

Not sure if that matters, just curious.

I will attempt to put your project overview in the wiki on your Gitorious,
if that is OK.

Ron K Jeffries

---
Ron K. Jeffries
805-567-4670

On Sat, Sep 14, 2013 at 12:41 AM, Werner Almesberger <werner at almesberger.net> wrote:

> Ron K. Jeffries wrote:
> > This discussion on the list is great. But it might also be useful to
> > maintain (using some web tool, but not on mail list)  a simple, short
> > "Password Safe Requirements" document.
>
> Yeah, or a "project overview" (high-level, without the gory technical
> details.) Let's give it a try ...
>
> > >> Project description, including
> > .. what problem the password safe solves
>
> Main objectives:
> 1) medium "hard" password/account storage,
> 2) suitable for "continuous carry" (gun nuts should like this term),
> 3) convenient to use,
> 4) suitable for most if not all of everyday's password needs, not only
>    on the PC but also, say, for credit/debit card PINs,
> 5) open design that can be reviewed by anyone.
>
> One could summarize most of this as "practical security".
>
> > .. what sort of person will buy the device
>
> Basically, anyone who needs to handle more passwords, PINs, etc., than
> they can easily remember and who isn't happy with just jotting them down
> on a piece of paper. Middle-class spending profile.
>
> > .. what the device will do and general characteristics, (but NOT how it is
> > implemented)
>
> - store and display or replay PINs, passwords, passphrases, and related
>   information,
> - replay is by acting as "USB keyboard", either by wire or ("secure")
>   wireless,
> - content of device is protected against theft, etc., by PIN/code and
>   encryption,
> - can also implement challenge-response schemes (TBD) which are more
>   secure than traditional passwords,
> - flexible security structure, allowing for accounts with weaker or
>   stronger protection (e.g., Twitter vs. e-banking),
> - can generate/propose random passwords,
> - roughly dumbphone-sized (to be confirmed),
> - runs from easily replaceable standard batteries,
> - intentionally limited in functionality to avoid security issues
>   known from PCs, smartphones, etc.
>
> > >> rough cost targets
> >      low quantity (n~= 100)
> >      modest qty (n~=1000)
>
> Hard to tell at the moment. This is still in the technical exploration
> phase. 100 units doesn't really make sense for commercial exploitation.
> (You'd have to work at military / medical margins to be profitable at
> such numbers.) Maybe USD 100 before taxes for the password safe, USD
> 30 for the RF dongle (or use atusb), USD 20 for the Y-Box, to at least
> cover immediate production costs.
>
> At large volumes, maybe 10k+, a retail price below USD 100 for the
> whole kit should be feasible. But that's just guesswork. Real cost
> figures also include logistics, accounting, support, legal, let's not
> forget taxes, etc. We'd have to involve someone who actually knows
> how to calculate such things when the time comes to think about larger
> volumes.
>
> >  >> target date for first proto
>
> For the electronics and basic software, maybe end of November 2013.
> A prototype case maybe 1-2 months later. So let's say early 2014 for
> something I will be able to use.
>
> That's assuming nobody else makes substantial contributions to the
> project. At the early stages, there probably aren't that many options
> for cooperation, but the more it advances, the more possibilities.
>
> Once the first prototype design (which will involve the making of a
> number of prototypes in various states of dysfunction) is done, there
> can be several continuations, including:
>
> - maybe interest will have died by then,
> - maybe there will be interest in making and financing a small number
>   of "developer edition" devices,
> - maybe there will be interest but people won't like my design and
>   someone else has a better one, so there'd be a switch/fork/diaspora,
> - maybe millions will be gathering in the streets, demanding that it
>   be mass-produced "as is" immediately ;-)
>
> > >>NON-goals for project (optional, but can be useful)
>
> Hmm, some:
>
> - won't have "military-grade" security. Extreme security requires
>   specialized components and design procedures (drives up the cost by
>   orders of magnitude) and also demands operational procedures from
>   the user few people would be willing to endure.
>
> - won't aim for low-cost, your USD 16 phone being an extreme example.
>   There's no way to beat such things. Think more along these lines:
>   http://www.mobilephonehistory.co.uk/lists/phones_by_price.php
>
> > If you sorta kinda like the idea, I volunteer to create the document based
> > on your input.
>
> Great. Thanks a lot !
>
> > There are a few web systems designed for collaborative writing, often using
> > Markdown syntax for formatting.
>
> Sounds good to me. I've created a project on gitorious:
>
> http://gitorious.org/pwsafe
>
> gitorious also offers a git-based Wiki, so one can easily combine the
> usual Web editing with local editing and even automated tools. (E.g.,
> to generate certain tables.)
>
> The Wiki is here:
> http://gitorious.org/pwsafe/pages/Home
>
> It's currently "writable by anyone" (this may mean "anyone with a
> gitorious account").
>
> > These requirements are already known, but have evolved over multiple
> > messages in the email flow.
>
> And probably will continue to evolve :)
>
> Thanks a lot !
>
> - Werner
>
> _______________________________________________
> Qi Hardware Discussion List
> Mail to list (members only): discussion at lists.en.qi-hardware.com
> Subscribe or Unsubscribe:
> http://lists.en.qi-hardware.com/mailman/listinfo/discussion
>