project idea: portable password safe
Ron K. Jeffries
rjeffries at gmail.com
Sat Sep 14 12:31:09 EDT 2013
I've registered on Gitorious, user name is ronkjeffries.
After logging in, I searched "pwsafe" and found what seems to be a
different project, a Linux program.
Not sure if that matters, just curious.
I will attempt to put your project overview in the wiki on your Gitorious,
if that is OK.
Ron K Jeffries
Ron K. Jeffries
On Sat, Sep 14, 2013 at 12:41 AM, Werner Almesberger <werner at almesberger.net
> Ron K. Jeffries wrote:
> > This discussion on the list is great. But it might also be useful to
> > maintain (using some web tool, but not on mail list) a simple, short
> > "Password Safe Requirements" document.
> Yeah, or a "project overview" (high-level, without the gory technical
> details.) Let's give it a try ...
> > >> Project description, including
> > .. what problem the password safe solves
> Main objectives:
> 1) medium "hard" password/account storage,
> 2) suitable for "continuous carry" (gun nuts should like this term),
> 3) convenient to use,
> 4) suitable for most if not all of everyday's password needs, not only
> on the PC but also, say, for credit/debit card PINs,
> 5) open design that can be reviewed by anyone.
> One could summarize most of this as "practical security".
> > .. what sort of person will buy the device
> Basically, anyone who needs to handle more passwords, PINs, etc., than
> they can easily remember and who isn't happy with just jotting them down
> on a piece of paper. Middle-class spending profile.
> > .. what the device will do and general characteristics, (but NOT how it
> > implemented)
> - store and display or replay PINs, passwords, passphrases, and related
> - replay is by acting as "USB keyboard", either by wire or ("secure")
> - content of device is protected against theft, etc., by PIN/code and
> - can also implement challenge-response schemes (TBD) which are more
> secure than traditional passwords,
> - flexible security structure, allowing for accounts with weaker or
> stronger protection (e.g., Twitter vs. e-banking),
> - can generate/propose random passwords,
> - roughly dumbphone-sized (to be confirmed),
> - runs from easily replacable standard batteries,
> - intentionally limited in functionality to avoid security issues
> known from PCs, smartphones, etc.
> > >> rough cost targets
> > low quantity (n~= 100)
> > modest qty (n~=1000)
> Hard to tell at the moment. This is still in the technical exploration
> phase. 100 units doesn't really make sense for commercial exploitation.
> (You'd have to work at military / medical margins to be profitable at
> such numbers.) Maybe USD 100 before taxes for the password safe, USD
> 30 for the RF dongle (or use atusb), USD 20 for the Y-Box, to at least
> cover immediate production costs.
> At large volumes, maybe 10k+, a retail price below USD 100 for the
> whole kit should be feasible. But that's just guesswork. Real cost
> figures also include logistics, accounting, support, legal, let's not
> forget taxes, etc. We'd have to involve someone who actually knows
> how to calculate such things when the time comes to think about larger
> > >> target date for first proto
> For the electronics and basic software, maybe end of November 2013.
> A prototype case maybe 1-2 months later. So let's say early 2014 for
> something I will be able to use.
> That's assuming nobody else makes substantial contributions to the
> project. At the early stages, there probably aren't that many options
> for cooperation, but the more it advances, the more possibilities.
> Once the first prototype design (which will involve the making of a
> number of prototypes in various states of dysfunction) is done, there
> can be several continuations, including:
> - maybe interest will have died by then,
> - maybe there will be interest in making and financing a small number
> of "developer edition" devices,
> - maybe there will be interest but people won't like my design and
> someone else has a better one, so there'd be a switch/fork/diaspora,
> - maybe millions will be gathering in the streets, demanding that it
> be mass-produced "as is" immediately ;-)
> > >>NON-goals for project (optional, but can be useful)
> Hmm, some:
> - won't have "military-grade" security. Extreme security requires
> specialized components and design procedures (drives up the cost by
> orders of magnitude) and also demands operational procedures from
> the user few people would be willing to endure.
> - won't aim for low-cost, your USD 16 phone being an extreme example.
> There's no way to beat such things. Think more along these lines:
> > If you sorta kind like the idea, I volunteer to create the document based
> > on your input.
> Great. Thanks a lot !
> > There are a few web systems designed for collaborative writing, often
> > Markdown syntax for formatting.
> Sounds good to me. I've created a project on gitorious:
> gitorious also offers a git-based Wiki, so one can easily combine the
> usual Web editing with local editing and even automated tools. (E.g.,
> to generate certain tables.)
> The Wiki is here:
> It's currently "writable by anyone" (this may mean "anyone with a
> gitorious account").
> > These requirements are already known, but have evolved over multiple
> > messages in the email flow.
> And probably will continue to evolve :)
> Thanks a lot !
> - Werner
> Qi Hardware Discussion List
> Mail to list (members only): discussion at lists.en.qi-hardware.com
> Subscribe or Unsubscribe:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the discussion