the limits of crypto and authentication

Anne & Lynn Wheeler lynn at garlic.com
Fri Jul 15 01:15:13 EDT 2005


Rich Salz wrote:
> I was told that one of the reasons SSL took off was because Visa and/or MC
> told merchants they would "for the time being" treat SSL as card-present,
> in terms of fraud penalties, etc.  If this is true (anyone here verify?
> My source is on the list if s/he wants to name themselves), then SSL/SET
> is an interesting example of betting on both sides.

I only know of MOTO ... the original netscape e-store and merchants 
processed thru the original payment gateway.
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

SSL originally just provided for webserver authentication, while we 
mandated mutual authentication for SSL between webservers and the 
payment gateway (before there was even a specification for mutual 
authentication). Information about the respective other end-point was 
preloaded in the respective servers ... so the use of digital 
certificates was purely an artificial artifact of the existing code base.

However, normal merchant webserver operation for SSL was purely 
one-sided authentication ... there was no form of client authentication 
that would provide any kind of basis for either cardholder-present or 
card-present.

There is something for being there first, starting late 94 ...
http://scout.wisc.edu/Projects/PastProjects/NH/95-03/95-03-27/0016.html

remember what Verisign was called before it was renamed Verisign?

SET prototype shows up early fall 96 with dedicated demo systems 
appearing at conferences late '96 (dedicated demo systems taking 30 
seconds elapsed time to perform transaction).

Two of the major risks and vulnerabilities that have been discussed are 
eavesdropping on data-in-flight ... and data breaches at merchant 
databases ... old post on security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

Both SSL and SET addressed confidentiality of data-in-flight. Neither 
SSL nor SET addressed data breaches at merchant databases.

Going on in parallel with webservers doing MOTO transactions thru the 
payment gateway .... you also found some number of webservers doing 
emulated POS terminal dialup operations (also MOTO transactions). Some 
number of vendors were peddling software that was originally developed 
to run on PCs and autodial merchant processor (effectively emulated POS 
terminal dial) ... software originally targeted for hotels, casinos, etc.


... from long ago and far away:

Date: Sat, 24 Feb 1996 17:08:01 -0500 (EST)
From: H Morrow Long <long-morrow at cs.yale.edu>
To: sneakers at cs.yale.edu
Subject: Draft SET Standard/specs now online at MC and Visa

The new SET (Secure Electronic Transaction) draft standard/
specs are now online at VISA and Mastercard for downloading.

The draft docs were just released yesterday (Feb 23).

The docs are available in Word and Postscript file formats
for Windows, Unix and the Mac.

Check out:

	http://www.mastercard.com/set/set.htm
	http://www.visa.com:80/cgi-bin/vee/sf/standard.html?2+0

The Web pages also have information on how to subscribe to
the set-discuss mailing list.

- Morrow
