the limits of crypto and authentication
Anne & Lynn Wheeler
lynn at garlic.com
Fri Jul 15 01:15:13 EDT 2005
Rich Salz wrote:
> I was told that one of the reasons SSL took off was because Visa and/or MC
> told merchants they would "for the time being" treat SSL as card-present,
> in terms of fraud penalties, etc. If this is true (anyone here verify?
> My source is on the list if s/he wants to name themselves), then SSL/SET
> is an interesting example of betting on both sides.
I only know of MOTO ... the original netscape e-store and merchants
processed thru the original payment gateway.
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3
SSL originally just provided for webserver authentication. While we
mandated mutual authentication for SSL between webservers and the
payment gateway (before there was even a specification for mutual
authentication), information about the respective other end-point was
preloaded in the respective servers ... so the use of digital
certificates was purely an artificial artifact of the existing code base.
However, normal merchant webserver operation for SSL was purely
one-sided authentication ... there was no form of client authentication
that would provide any kind of basis for either cardholder-present or
card-present.
There is something for being there first, starting late 94 ...
http://scout.wisc.edu/Projects/PastProjects/NH/95-03/95-03-27/0016.html
Remember what Verisign was called before it was renamed Verisign?
SET prototype shows up early fall 96 with dedicated demo systems
appearing at conferences late '96 (dedicated demo systems taking 30
seconds elapsed time to perform transaction).
Two of the major risks and vulnerabilities that have been discussed are
eavesdropping on data-in-flight ... and data breaches at merchant
databases ... old post on security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61
Both SSL and SET addressed confidentiality of data-in-flight. Neither
SSL nor SET addressed data breaches at merchant databases.
Going on in parallel with webservers doing MOTO transactions thru the
payment gateway .... you also found some number of webservers doing
emulated POS terminal dialup operations (also MOTO transactions). Some
number of vendors were peddling software that was originally developed
to run on PCs and autodial merchant processor (effectively emulated POS
terminal dial) ... software originally targeted for hotels, casinos, etc.
... from long ago and far away:
Date: Sat, 24 Feb 1996 17:08:01 -0500 (EST)
From: H Morrow Long <long-morrow at cs.yale.edu>
To: sneakers at cs.yale.edu
Subject: Draft SET Standard/specs now online at MC and Visa
The new SET (Secure Electronic Transaction) draft standard/
specs are now online at VISA and Mastercard for downloading.
The draft docs were just released yesterday (Feb 23).
The docs are available in Word and Postscript file formats
for Windows, Unix and the Mac.
Check out:
http://www.mastercard.com/set/set.htm
http://www.visa.com:80/cgi-bin/vee/sf/standard.html?2+0
The Web pages also have information on how to subscribe to
the set-discuss mailing list.
- Morrow
---------------------------------------------------------------------
The Cryptography Mailing List