Re: 3D Secure Protocol Oddity

Tue, 02 Jul 2002 02:44:48 -0700 

Thanx Lynn,

But I don't understand if you are supporting my view or not :-) 

In case it was against, I think you should take a deep look on 3D to
verify that it is as far from end-to-end that is technically possible.

The widely used method I suggested, is definitely end-to-end
in my opinion (although not in X9.59 that requires local signatures
which is not a part of the 3D protocol).

Anders

----- Original Message ----- 
From: <[EMAIL PROTECTED]>
To: "Anders Rundgren" <[EMAIL PROTECTED]>
Cc: "internet-payments" <[EMAIL PROTECTED]>
Sent: Tuesday, July 02, 2002 11:32
Subject: Re: 3D Secure Protocol Oddity



I think one of the analysis done by the x9a10 comittee was about end-to-end
security with flow thru transaction protocols .... effectively the current
web, POS, non-web, etc message path sequence but with the transaction
carrying end-to-end consumer authentication of the message (aka the x9.59
standard).

I think that it is fairly standard fault, integrity  and security analysis
that an end-to-end flow-thru authenticated message is always significantly
better than any multi-legged message protocol.




                                                                                    
                      Anders Rundgren                                               
                    <anders.rundgren@     To:      internet-payments                
                           telia.com>        <[EMAIL PROTECTED]>        
                                          cc:                                       
                     07/02/2002 02:38     Subject:      3D Secure Protocol Oddity   
                                   AM                                               
                                                                                    
                                                                                    




List,

An oddity in the 3D Secure protocol is in my opinion that the
"final" and "critical" transaction is routed through the user's browser.

Working for years with systems like OBI, Punchout, OCI where
the final message is a purchase order, I note that these system are
characterized by sending the final transaction server-to-server.

This is based on the idea that your purchasing system (or in the case
of 3D your bank) is a "business system" helping, and monitoring your
business processes which means that it should now about problems
before the you do (If a 3D transaction fails, your bank will know nothing,
and since a failure can occurr anywhere, there are situations were no one
will know what's happened).

Interactivity is by no means hampered by this arrangement, it just
means one [optional] step more communication-wise but with greatly
improved tracibility.

Cheers,
Anders

If you want, you can try out https://buyer.x-obi.com/BuyerASP/buyer
and verify that ending a shopping-session in the business-system-end is
not at all bad, rather the contrary.  Takes some 10-15 minutes to perform.

Reply via email to