the limits of crypto and authentication

Anne & Lynn Wheeler lynn at garlic.com
Fri Jul 15 14:35:29 EDT 2005


Aram Perez wrote:
> One other point, SET did NOT require certs for the consumers. The 
> client-merchant protocol supported clients without certs.

there was a later "set-lite" w/o certs for clients ... but the original
specification had client certs as part of the core process.

note that the SET consumer certificate was *NOT* an x.509 identity
certificate ... because of stated reasons regarding privacy and
liability. It was a relying-party-only certificate that basically
contained the account number and the public key
http://www.garlic.com/~lynn/subpubkey.html#rpo

It was also not a true PKI ... since it didn't have any certificate
administration and management infrastructure. It was purely a
*certificate manufacturing* process (a term we had coined to
differentiate the early SSL certificate operations from what had been
defined for a PKI operation). Further, the statement was that they could
get by w/o a PKI operation ... since it was purely a "certificate
manufacturing" process using relying-party-only certificates (containing
just the public key and account number), the business process could be
managed by deactivating the account number in the *real*, real-time,
online operation.

quicky search engine for set-lite:
http://iugsun.cs.uni-dortmund.de/lehre/datenschutz/material/folien/dsss2004-5-ecommerce.pdf
http://www.it.murdoch.edu.au/~smr/honours/admin/info/DavidsProposal.html
http://www.indiainfoline.com/bisc/ieps.html
http://www.networkworld.com/archive/1999/61423_03-22-1999.html

from above:

When MasterCard and Visa unveiled technology for secure Internet
electronic commerce transactions two years ago, they thought it would
take over the world.

But while Secure Electronic Transaction (SET) has made inroads in Europe
and Asia, it has faltered badly in the U.S. Faced with technical and
business obstacles to SET, MasterCard and Visa are now coming up with
alternatives to SET - SET Lite and Merchant-originated SET (MOSET).

But SET Lite and MOSET critically alter the SET 1.0 architecture and
soften SET's rock-hard security - all for the sake of convenience. For
example, the technologies abandon the idea that each online consumer is
going to have a bank-issued SET digital certificate for credit-card
encryption. This certificate was to be the main means of verifying the
consumer's real identity on the Internet.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


