slight aside, in beginning security basics end-to-end typically means that an authorization or service request ..... originates with the requester and has been secured with authentication and/or encryption of the requester and travels end-to-end from the requester to the service entity ... which first validates the authorization/service request (based on the end-to-end authentication and/or encryption from the requester) and then returns an authorization or some other indication that the service is performed.
most beginning security basics teach that if the authorization and/or service request does not have end-to-end security and/or integrity then the design is fundamentally flawed and opportunities for fraud are created. An example is that in SET, the card-holder/consumer's authentication information was stripped off at some random internet gateway and a flag inserted in an otherwise normal ISO 8583 financial transaction message claiming that digital signature authentication had been performed. A year or so after SET pilots were in operation, somebody from VISA gave a presentation at some ISO meeting in Europe detailing the percentage of ISO 8583 messages where the "authenticated" flag had been turned on by some entity (and for which the consumer's issuing bank was now supposed to base various business processes and decisions) and they could positively show that no internet payment and/or any other form of digital signature authentication was involved (aka no end-to-end integrity and/or security).

in the account-based financial transaction ... the requester is the card-holder/consumer and the authorization or service entity is the card-holder's financial institution.

JohnE37179@aol.com
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
11/05/2001 08:49 AM
Subject: Re: when a fraud is a sale, Re: Rubber hose attack

In a message dated 11/5/01 9:41:44 AM, [EMAIL PROTECTED] writes:

<< On one hand I'm tempted to read this as a plea for some absolute notion of security, but somehow I don't think that's really what you're saying. >>

Rick, my point is that VISA and, to a slightly lesser extent, MC, have built a model just as you describe: send the money, but we don't take any risk. I tend to agree with you that we should extend the meaning of end-to-end to mean user-to-user, instead of device or token-to-token.
John

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
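The failure mode described in the thread (a gateway strips the requester's authentication and sets an "authenticated" flag that the issuer then trusts) can be reproduced in a few lines. The following is an added example written for this archive page, not code from the list, from SET, or from any ISO 8583 implementation. It uses an HMAC over the request as a stand-in for SET's digital signatures, and every key, field name and transaction value in it is a constructed assumption. It contrasts an issuer that decides on the flag with one that recomputes the requester's tag end-to-end.

```python
import hmac
import hashlib
import json

# Constructed example key: shared only between the cardholder (requester) and
# the issuing bank (service entity). In SET this role was played by the
# cardholder's signing key; an HMAC is substituted here to stay stdlib-only.
CARDHOLDER_KEY = b"constructed-cardholder-secret-key"

# Fields the requester vouches for; anything outside this set (such as a
# gateway-inserted flag) carries no end-to-end integrity.
AUTHENTICATED_FIELDS = ("pan", "amount", "merchant_id", "txn_id")


def canonical(msg):
    """Serialize only the authenticated fields, in a fixed order."""
    return json.dumps({k: msg[k] for k in AUTHENTICATED_FIELDS},
                      sort_keys=True).encode()


def cardholder_sign(msg, key=CARDHOLDER_KEY):
    """Requester end: attach an end-to-end authentication tag to the request."""
    signed = dict(msg)
    signed["auth_tag"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return signed


def gateway_strip_and_flag(msg):
    """Models the flawed gateway: drops the requester's proof, asserts a flag instead."""
    out = {k: v for k, v in msg.items() if k != "auth_tag"}
    out["authenticated"] = True
    return out


def issuer_trusts_flag(msg):
    """Flawed issuer check: decides on a flag any intermediate hop could have set."""
    return bool(msg.get("authenticated"))


def issuer_verifies_end_to_end(msg, key=CARDHOLDER_KEY):
    """Correct issuer check: recompute the tag over the request itself."""
    tag = msg.get("auth_tag")
    if not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def run_scenarios():
    """Run one request through both issuer checks under four transit conditions."""
    # Constructed transaction values, not real account data.
    request = {"pan": "PAN-TEST-0000", "amount": "42.00",
               "merchant_id": "M-0001", "txn_id": "T-1001"}
    signed = cardholder_sign(request)             # genuine end-to-end proof
    relayed = gateway_strip_and_flag(signed)      # proof stripped, flag set
    forged = gateway_strip_and_flag(request)      # never signed, flag set anyway
    tampered = dict(signed, amount="4200.00")     # amount altered in transit
    return {
        "flag_accepts_relayed": issuer_trusts_flag(relayed),
        "flag_accepts_forged": issuer_trusts_flag(forged),
        "e2e_accepts_signed": issuer_verifies_end_to_end(signed),
        "e2e_accepts_relayed": issuer_verifies_end_to_end(relayed),
        "e2e_accepts_forged": issuer_verifies_end_to_end(forged),
        "e2e_accepts_tampered": issuer_verifies_end_to_end(tampered),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {accepted}")
```

The flag-based check accepts both the stripped-and-flagged relay and a request that was never authenticated at all, which is exactly the population the VISA presentation in the thread reported. The end-to-end check accepts only the untouched signed request and rejects the relayed, forged and tampered variants, because the issuer's decision rests on material only the requester could have produced rather than on an assertion made somewhere along the path.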