Technology Stocks : WAVX Anyone?

To: Rich Fagan who wrote (7384)
Date: 6/10/1999 10:56:00 PM
From: SDR-SI
 
Rich,

Apologies for taking so long to answer your security questions.

The Wave/Embassy open standards "system within a system" concept
allows operation at various levels of security and under differing
identity infrastructures.

Any, none, or all of the following identity infrastructure elements
can be combined in a particular system implementation to provide the
desired level of security:

IDENTITY INFRASTRUCTURE ELEMENTS

MEANS OF                    ANSWERS             EXAMPLES OF
AUTHORIZATION               QUESTION            OPERATIONAL IMPLEMENTATIONS
==========================  ==================  ================================
Physical Possession         "I have ..."        Tokens, smart cards, keys, etc.

Operator Identity           "I am ..."          Biometrics, fingerprint readers,
                                                retinal readers, etc.

Classified Data Possession  "I know ..."        Passwords, pin numbers, codes, etc.

Equipment Identity          "This unit is ..."  Encoded serial numbers, ID chips, etc.

By combining more than one infrastructure element and requiring a
positive response to each and every element, the designer can decrease
the probability of false authentication below that provided by any of
the individual elements themselves.

To answer your questions:

> > >Wave Systems is primarily focused on authenticating
(establishing identity of) client HARDWARE, correct? < < <


Above would be correct if using the Embassy chip itself without any
of the additional implementations above.

> > >Isn't authenticating/identifying a HUMAN USER, not hardware,
what we really want to accomplish? < < <


In some applications it is, in which case Embassy allows one or more
of the above-noted personal identity security elements to be
integrated into the overall system to provide the desired level of
personal identity authentication (e.g. do not authenticate until user
provides the proper token AND enters a correct password AND has the
proper physical hand characteristics).

> > >If I've ordered content from somewhere, I want to be able to
receive it on any hardware that happens to be convenient and capable,
not just on one designated computer. And if I've ordered content for
a particular hardware, I want it to be sent only when it is I that is
using that hardware.< < <


This is the "multiple appliances for one account" problem, which is
addressed by the physical implementations which provide the
capability of moving the "system within a system" itself from place
to place with a smart card or by moving certain key encrypted and
stored data (account identity, balance, usage data, etc.) from place
to place with a smart card or smart token, and, optionally, also
requiring some other identity establishing element to be satisfied.

> > >An alternative technique is being pursued by Carver Mead ---
recognizing the finger on a touchpad. While that takes it to the
person it would require all/most devices to have such a touchpad.
There has also been interest in recognizing the retina, but like the
touchpad that requires a camera.< < <


As noted above, either of these elements can be combined into an
Embassy-based system.

Key additional elements of Embassy include its independently
encrypted storage of any required on-board authentication references
(e.g. the data elements of the authorized retinal characteristics are
themselves recorded and resident within the "system within a
system"), as well as metering capability. Because all such
authentication data exists only in encrypted form and exists only
within the "system within a system", a level of "trust" is
established at the client level, which does not exist in other
content control systems.

I apologize for the length of the above and hope that I have answered
your questions and have not created more confusion than I have
eliminated.

A better understanding of the above can be gained by reviewing the
technical sections of the Wave website and by looking over the
Wave/Pollex (fingerprint id) press releases and technical data.

Steve
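
Added example, not part of the original post and not Wave or Embassy code: a sketch of the "positive response to each and every element" rule described above, with the combined error rates it implies. The per-element rates are constructed sample values, the element and function names are hypothetical, and the arithmetic assumes the elements fail independently of one another.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Element:
    name: str    # which identity infrastructure element this is
    far: float   # constructed false-accept probability for this element alone
    frr: float   # constructed false-reject probability for this element alone

# Constructed sample values, one per row of the table in the post.
TOKEN = Element("physical possession (smart card)", 1e-3, 0.01)
FINGERPRINT = Element("operator identity (fingerprint)", 1e-4, 0.03)
PASSWORD = Element("classified data possession (password)", 1e-2, 0.02)
UNIT_ID = Element("equipment identity (ID chip)", 1e-5, 0.001)

def authenticate(required, responses):
    """Grant only if every required element returned a positive response.

    responses maps element name -> bool. A missing entry counts as a
    failure, so the check fails closed.
    """
    return all(responses.get(e.name, False) is True for e in required)

def combined_rates(required):
    """Return (false_accept, false_reject) for an all-must-pass policy.

    Assumes independent elements: an impostor must defeat every element,
    while a legitimate user is rejected if any one element rejects.
    """
    false_accept = prod(e.far for e in required)
    false_reject = 1.0 - prod(1.0 - e.frr for e in required)
    return false_accept, false_reject

if __name__ == "__main__":
    policy = [TOKEN, PASSWORD, FINGERPRINT]
    far, frr = combined_rates(policy)
    print(f"combined false accept: {far:.1e}, false reject: {frr:.4f}")
    answers = {e.name: True for e in policy}
    print("all positive   ->", authenticate(policy, answers))
    answers[PASSWORD.name] = False
    print("wrong password ->", authenticate(policy, answers))
```

The false-accept rate falls below that of any single element, as the post states, while the false-reject rate rises above that of any single element, which is the usability cost a designer weighs when stacking elements.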