Why Blockbuster looks at your ID.

Anne & Lynn Wheeler lynn at garlic.com
Sun Jul 10 12:33:01 EDT 2005


Perry E. Metzger wrote:
> If you have a sufficiently good token, you may no longer need to have
> identification information presented to the merchant, even by the
> token, to reduce misuse. It is true that the issuer will still know
> what transactions took place. However, you have at least reduced the
> number of entities that require proof of your identity and the number
> that have logs of your activity.

this is the EU privacy directive threads that went on (mostly prior to
9/11) and why couldn't they apply in the US also ... aka that electronic
retail transactions could be as anonymous as cash. names would be
removed from the plastic embossing and magstripe ... and the merchant
would no longer have to wander across the line from authentication into
identification (attempting to match the name on the card with other
credentials).

when we started x9.59 in the mid-90s,
http://www.garlic.com/~lynn/index.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy

we frequently commented that it was privacy agnostic. it provided strong
authentication that didn't have skimming and harvesting threats and
vulnerabilities. there was a strong correlation with some account number
... and the degree that there was some trail from that account number to
an individual was dependent on a lot of things outside of the financial
transaction itself. however, the basic financial transaction didn't
require wandering across the line from authentication into identification.

this was also the period where it started to show up the shortcomings of
the x.509 identity certification paradigm that had somewhat tried to get
some toe hold in the early 90s .... including grossly overloading the
certificates with personal information. basically that every digitally
signed transaction in the world would carry a huge x.509 identity
certificate grossly overloaded with personal information. Not only would
all such transactions carry such humongous personal information
repositories, while in flight .... but all the transaction logs would be
heavily burdened with the same information. You might have tens of
thousands of transaction logs all over the world ... and every one
would include a humongous x.509 identity certificate grossly overloaded
with personal information.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


