Is cryptography where security took the wrong branch?
Anne & Lynn Wheeler
lynn at garlic.com
Sun Sep 7 19:06:47 EDT 2003
At 09:44 AM 9/7/2003 -0700, Eric Rescorla wrote:
>Incidentally, when designing SHTTP we envisioned that credit
>transactions would be done with signatures. I would say that
>the Netscape guys were right in believing that confidentiality
>for the CC number was good enough.
actually was supposedly no worse than the face-to-face world .... aka make
the transit part secure ... so that the rest became the same as the
physical world .... transactions go into big merchant file ... because
there are several merchant related business processes that subsequently
reference the transaction and number.
the problem was that there appear to be little or no fraud associated with
threats against CC numbers in flight (with or w/o SSL), however the threat
model was against the merchant credit card file and the numbers in the
clear; it wasn't that the process was any different than the physical
world, but the web merchants allowed the file to be accessible from the
network (which didn't exist in the physical world).
the requirement given the x9a10 working group was to preserve the integrity
of the financial infrastructure for all electronic retail payments (debit,
credit, stored-value, ach, internet, non-internet, point-of-sale,
etc). Turns out the internet threat profile wasn't so much data-in-flight
.... but having the operation connected to the internet at all. X9.59
addressed most of that ... which neither SSL or SET did .... and did it
with just a single digital signature. misc. x9.59
http://www.garlic.com/~lynn/index.html#x959
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
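The merchant-file point above, as an added illustration that is not from the thread and does not reproduce the X9.59 standard: a constructed Go sketch in which the issuer checks one Ed25519 signature over the whole transaction, so an account number copied out of a merchant file yields nothing without the holder's private key. The Transaction layout, the registry map and the account number are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// Transaction is a constructed, simplified payment record; it does not
// reproduce the real X9.59 message layout.
type Transaction struct {
	Account  string `json:"account"`
	Merchant string `json:"merchant"`
	Amount   int64  `json:"amount_cents"`
	Nonce    uint64 `json:"nonce"`
}

// canonical returns the exact bytes that are signed and later verified;
// json.Marshal emits struct fields in declaration order, so it is stable.
func canonical(tx Transaction) []byte {
	b, _ := json.Marshal(tx) // cannot fail for this plain struct
	return b
}

// NewAccount creates the holder's keypair for a constructed account number
// and registers the public half with the issuer's registry (assumed design).
func NewAccount(registry map[string]ed25519.PublicKey, account string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	registry[account] = pub
	return priv
}

// SignTransaction is the account holder's step: one signature over the
// whole transaction, which is the property the post attributes to X9.59.
func SignTransaction(priv ed25519.PrivateKey, tx Transaction) []byte {
	return ed25519.Sign(priv, canonical(tx))
}

// VerifyTransaction is the issuer's step. The account number only selects
// the registered key; the number alone, or any altered field, fails here.
func VerifyTransaction(registry map[string]ed25519.PublicKey, tx Transaction, sig []byte) bool {
	pub, ok := registry[tx.Account]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, canonical(tx), sig)
}
```

Because the number in the merchant file is no longer a secret that authorizes anything, a compromise of that file stops being a payment-fraud event, which is the shift in threat model the post describes.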