non-repudiation, was Re: crypto flaw in secure mail standards

Lynn.Wheeler at firstdata.com Lynn.Wheeler at firstdata.com
Sat Jul 7 15:26:44 EDT 2001


one of the biggest problems that has led to most of the regulations is the
ease with which account-number harvesting can occur and then the account number
used in fraudulent, non-authenticated transactions. The SET-like protocols
didn't address this issue. However, there is a huge amount of stuff going
on about the need for implementing absolute perfect security at the
millions of merchant sites scattered all over the world ... where there is
an absolute guarantee that at each and every site, harvesting by either
external agents and/or internal agents would absolutely never occur.

by contrast the X9.59 standard (US ANSI financial standards bodies and
pushing forward to international ISO) does address this issue ... where it
allows that the probability of absolute security at each and every web-site
implemented in the world never fails, and that there still won't be
fraudulent transactions in association with any kind of (internal or
external) account number harvesting (aka the charter given the X9A10 working
group in the definition of X9.59 was to preserve the integrity of the
financial infrastructure for all retail, account-based, electronic
transactions). The claim also is that the X9.59 definition is identity
agnostic and can support EU regulations/guidelines that retail transactions
need to not have identity information (i.e. name information embossed on
the plastic and recorded on the magstripe).

misc. ref:

http://www.garlic.com/~lynn/

The X9.59 standard can be obtained from the ANSI publication web site.

http://webstore.ansi.org/ansidocstore/product.asp?sku=DSTU+X9%2E59%2D2000


gbroils at well.com on 7/5/2001 wrote:

Implementing non-repudiation as a countermeasure versus spurious "do not
recognize" chargebacks seems to depend on all of the following:

(a) development and widespread adoption of a secure platform for key
storage and Internet use, like the system "whose user interface and
underlying technology is such that the signature is unlikely to be forged .
." described by James Donald above

(b) merchants forcing customers to adopt that platform and SET-like
procedures in order to carry out transactions

(c) changing the Fair Credit Billing Act to make it more difficult or
impossible for consumers to dispute items on their bills.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com