Fixing SSL (was Re: Dutch Transport Card Broken)

Anne & Lynn Wheeler lynn at garlic.com
Sun Feb 3 20:01:32 EST 2008 

StealthMonger wrote:
>
> They can't be as "anonymous as cash" if the party being dealt with can
> be identified.  And the party can be identified if the transaction is
> "online, real-time".  Even if other clues are erased, there's still
> traffic analysis in this case.
>
> What the offline paradigm has going for it is the possibility of true,
> untraceable anonymity through the use of anonymizing remailers and
> related technologies.
>
>    

most people who heard the statement, understood that.

i think that possibly 2nd level detail was that they didn't want
PII easily associated by casual merchant. Initial response was to remove
name from payment cards & magstripes. This also precluded
merchants from requesting other forms of identification to
see if the names matched the name on the payment card.
The implication being that the payment infrastructure would
have to come up with other mechanisms to improve
the infrastructure integrity.

The offline payment paradigms ... while touting "true"
anonymity were actually primarily justified based on
other factors.

We had been asked to design and cost the dataprocessing
supporting US deployments of some of the "offline" products
(that were being used in Europe). Along the way, we did
some business process and revenue analysis and realized
that the primary motivation behind these system deployments
was the float.

About the same time that there was the EU about the
privacy of electronic retail payments ... there was also
a statement by the EU (and some of the country central
banks) that the offline products would be allowed to
keep the float for a short grace period .... to help in
the funding of the infrastructure deployment ... but
after the grace period ... the operators would have to
start paying interest on the balance held in the "offline"
instruments (eliminating float from the equation).
After that, much of the interest in the offline
deployments drifted away.

In that time frame we had also done design, implementation
and deployment of a payment transaction infrastructure
supporting target marketing ... recent reference
http://www.garlic.com/~lynn/2008c.html#27 Diversity

support was for a small pilot of 60mil accounts and
1.5million transaction/day ... but capable of scaling
up to 20-30 times that amount. There was significant
attention paid to privacy issues and it was subject
to quarterly auditing by some dozen or so privacy
organizations. there had to be a large amount
of sensitive treatment of the information along
the lines of what HIPAA specifies for health information.

aka:

anonymized
  Previously identifiable data that have been deidentified and for
  which a code or other link no longer exists. An investigator would
  not be able to link anonymized information back to a specific
  individual. [HIPAA] (see also anonymous, coded, directly
  identifiable, indirectly identifiable)

as part of co-authoring x9.99 financial privacy standard, one
of the things we created was a privacy merged glossory and
taxonomy ... including GLBA, HIPAA, and EU-DPD references
some notes:
http://www.garlic.com/~lynn/index.html#glosnote

in our work on x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

we made the statement that it was privacy agnostic ... since
the transactions were tied to accounts ... but then whether or
not the accounts were tied to individuals was outside the x9.59
standard
http://www.garlic.com/~lynn/subpubkey.html#x959

As a total aside ... as part of the Digicash liquidation,
we were brought in to evaluate the patent portfolio.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list