Amol, May I ask why you want an intermediate CA? A thing that should be high on the whish-list ought to be a hosted CA where the issuer just do the RA-stuff. Hundred of banks can in this way share facilities (but not necessarily CA-keys) without huge investments in an activity that is not core-business. This is how some Nordic banks have handled PKI for other purposes.
BTW, it is seems that many banks investing in EMV are skipping the PKI-version. Is that your experience as well? cheers, Anders ----- Original Message ----- From: "Amol Natu" <[EMAIL PROTECTED]> To: "Internet-Payments List" <[EMAIL PROTECTED]> Sent: Saturday, October 26, 2002 13:52 Subject: EMV - Dynamic Data Authentication Hi DDA is one of the authentication options available as part of the offline authentication process between an EMV card and its corresponding terminal. In this the Trusted CA (run by the card schemes) signs CA's for issuer banks who inturn sign the end user certificates stored on cards. Is there is possibility of an intermediate CA coming into picture between the Card Scheme CA (root CA) and the Issuer Bank CA ? So the way this would operate is, the card scheme cross signs regional CA's who in turn signs Issuer Bank CA's. During the authentication process, the terminal should chain up to the root CA and perform the necessary checks. Some thoughts .. Cheers Amol