CFP: PKI research workshop

lynn.wheeler at firstdata.com lynn.wheeler at firstdata.com
Wed Dec 26 17:13:21 EST 2001 

I doubt if fast/fstc participants would look at the following example as a
prime example .... but there are various "age" authentication services that
are available on the internet today ... basically associated with adult
entertainment ... but would also be applicable to online gambling, various
kinds of online purchases (alchohol), etc.  It doesn't have to identify who
you are ... it just has to be able to answer the question that you are at
least of legal age.

now, it turns out that most of these services use effectively a "loop-hole"
in the current online credit card system to implement their age
authentication operation. There is such a thing in the industry called a
"one dollar auth". Credit card operations typically have financial
transactions authentication and authorized in real time .... but the actual
request for funds transfer is typically submitted in batches ... at end of
day or possibly end of shift. A "one dollar auth" is an authorization
request for a one dollar credit card transaction, typically also with name
& AVS (address verification) data. If the name, account number, and AVS all
verify .... and there are no other outstanding problems .... then the
request comes back approved. The "age" authentication services typically
are registering individuals by requesting the information to perform a "one
dollar auth" .... where there is no subsequent batch submission for actual
funds tranfer.  If the "one dollar auth" is approved, the age
authentication services take the result as indication of legal age .... the
credit card owner needing to have been of legal age to have legally signed
the credit card contract and obtained the credit cad in the first place.
Since no funds transfer actually takes place, nothing shows up on the
consumer's credit card bill. The age verification service is charged a very
nominal transaction fee for the "one dollar auth" (along with the AVS
transaction).

The age verification service then just packages that one time charge into
the fees that they charge their customers. They effectively maintain a
local "cache" of the answer to the "one dollar auth" transaction.

I would contend that the evidence that such things are going on today ...
is that the current system is "open" in the sense that it has open
standards (like ISO 8583) and lots of entities are making use of it.

In theory, one opportunity for FAST-like offerings is for the financial
industry to get directly into the age authentication service business (in
theory being able to do it at least as well with the data as the 3rd party
players out there today). A x9.59-like transaction can be defined .... but
in place of "dollar amount", there are misc. other types of fields ....
like "legal age". The consumer then digitally signs the transaction and
forwards it to the merchant or server. The server takes the transactions
and ejects it into the appropriate authentication network (very much like
credit card transactions are done today) and gets back a "YES/NO" answerr
(again very much like credit card transactions happen today) .... the only
difference is instead of asking for consumer funds approval, the merchant
is asking question about legal age. Identity information isn't being
divulged ... not even date-of-birth ... which could raise a serious
identity fraud question .... just answerring YES/NO to the legal age
question. It could look like an X9.59 transaction, taste like an X9.59
transaction ... but instead of having funds involved, it has legal age
involved.

It effectively creates an "open" online, authentication infrastructure ...
requiring consumer to digital sign the transaction .... and a recognized
certification authority providing real time, non-privacy invasive, answers.
It otherwise has all the elements of an open public key infrastructure
(registration authorities, certification authorities, consumers, relying
parties, etc) w/o any certificates. In that sense it is an online PKI
paradigm .... rather than the certificate-based offline PKI paradigm (which
emulates the pre-70s offline credit card infrastructure).




<lynn.wheeler at firstdata.com> at 12/26/2001 2:36 pm wrote:

in addition to the x9.59 for all electronic payment transactions ... it is
possible to extend online authentication where the institution possibly
isn't also responsible for the authorization (and/or access privileges)....
things like FAST projects in FSTC:
http://www.fstc.org/projects/fastaggregation.cfm






---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list