> We sign the request from service providers like Kickstarter by authenticating trustworthy partners with unique certificates, to make sure that not the fraudulent website "Kikkstarter" requests John's data
> If the signature of Kickstarter's request is valid
So how exactly does the JAR learn Kickstarter's public key? Is this based on PKI or pinning/caching? Where's the trust anchor here?
Also it's not clear without a protocol specification whether this provides complete mutual authentication of ephemeral sessions (otherwise active MITM/spoofing is still going to be possible). Several round-trips to the server will typically be required to guarantee this.
> If you lose your JAR, you can call us or go online to deactivate it.
So the company behind JAR can deactivate my device. And if they go bankrupt? What if they get hacked? How do I authenticate myself on their website to deactivate my JAR? I can't use my JAR because, well, I've lost my JAR. So do I use a password?
What makes this better than Clef[0], which is a free app and based on a similar rudimentary RSA-signed challenge-response protocol?
> If you purchase a JAR, we store your personal information on our server
Why?
> The customer target price is €99.
You really think people are going to pay this much when many new devices are already shipping with fingerprint readers built-in? Where's your business model if every laptop and every phone is shipping with a fingerprint reader in 5 years' time? And are you aware the next series of Intel CPUs contain built-in OTP (one-time password) code generation specifically for two-factor authentication? These won't even need browser plugins or peripherals because the technology will be accessible to software directly.
[0] https://getclef.com/