[FYI] Did Encryption Empower These Terrorists?

lynn.wheeler at firstdata.com lynn.wheeler at firstdata.com
Thu Sep 27 09:07:03 EDT 2001



__________________

note that X9.59 standards work spent quite a bit of time attempting to
minimize the number of places that identity might have to occur. In general
an X9.59 account number can be related to a person (i.e. possibly bank regs
related to "know your customer"). It attempts to only do strong
authentication with digital signature ... but leaving as few identity
fingerprints as possible (at least as far as the financial transaction is
concerned). Also, strongly authenticated transactions significantly reduce
the possibility that fraudulent transactions have occurred.

Also, since X9.59 standard was to be applicable to all account-based
transactions ... it had to be agnostic with respect to identity information
to cover financial transactions that didn't have the rules and regulations
associated with credit ... say debit and/or even "stored value" (say a
digitally signed version of those "gift cards" that are frequently found at
check-out stands at places like blockbuster, sears, etc).


Ray Dillinger <bear at sonic.net>  at 9/26/2001 10:06 AM wrote:



A few problems:

1) in a typical credit card transaction, the seller neither knows,
   nor cares, what bank issued the credit card.  Thus, connecting
   to the correct gateway becomes a minor problem.

2) No provision for dispute resolution.  What happens in a month
   and a half when George gets his credit card bill back and says
   "I've never been there and never done any business with this
    person"?  The bank generates a chargeback and sends it to the
    merchant who, in the absence of knowledge about the buyer's
    identity, has no recourse.  George may or may not be the person
    who made the transaction; but the merchant has no way to even
    begin to try to find out.


In general, "anonymity" and "credit" are immiscible.  If you want
anonymous transactions, you absolutely cannot abide by the laws
that require chargebacks, merchant and/or bank liability in case
of fraud (instead of consumer liability), etc.  Compliance with
those laws requires the merchant and banks to have the very
information that anonymity prohibits them from having.

For anonymous transactions, you want something a whole lot more like
cash, with the same failure modes (i.e., no shift of liability in case
of fraud) as cash.  That requires infrastructure which will not be
allowed to be built.






---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



