Anders

Intermediate CAs work towards promoting trust chains ... more importantly,
they introduce a business opportunity.
Coming to hosted CA infrastructures:
This is purely an implementation model which reduces cost and operational
overheads. The root CAs for EMV are not core PKI providers and hence
probably may not offer such variations.

I am based in the UAE, where the roll-out of EMV is not at the same stage
as the European region. Some of the banks I have come across have not
enabled offline transactions in the current phase.

Cheers
Amol

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@;telia.com]
Sent: Saturday, 26 October, 2002 4:28 PM
To: [EMAIL PROTECTED]; Internet-Payments List
Subject: Re: EMV - Dynamic Data Authentication


Amol,

May I ask why you want an intermediate CA?  A thing that should
be high on the wish-list ought to be a hosted CA where the
issuer just does the RA-stuff.   Hundreds of banks can in this way
share facilities (but not necessarily CA-keys) without huge
investments in an activity that is not core-business.  This is
how some Nordic banks have handled PKI for other purposes.

BTW, it seems that many banks investing in EMV are skipping the
PKI-version.  Is that your experience as well?

cheers,
Anders


----- Original Message -----
From: "Amol Natu" <[EMAIL PROTECTED]>
To: "Internet-Payments List" <[EMAIL PROTECTED]>
Sent: Saturday, October 26, 2002 13:52
Subject: EMV - Dynamic Data Authentication


Hi

DDA is one of the authentication options available as part of the offline
authentication process between an EMV card and its corresponding terminal.
In this, the Trusted CA (run by the card schemes) signs CAs for issuer banks,
who in turn sign the end user certificates stored on cards.

Is there a possibility of an intermediate CA coming into the picture between
the Card Scheme CA (root CA) and the Issuer Bank CA?
So the way this would operate is, the card scheme cross-signs regional CAs,
who in turn sign Issuer Bank CAs.

During the authentication process, the terminal should chain up to the root
CA and perform the necessary checks.

Some thoughts ..

Cheers
Amol
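
Added example, not part of the original thread: a simplified model of the terminal-side check discussed above, showing a chain anchored on the scheme root with and without a regional CA in between. It goes slightly beyond the question by also checking a DDA-style challenge signature from the card. Assumptions: hash-then-sign textbook RSA stands in for the real EMV certificate format, the keys are toy keys built from Mersenne primes, and all names (make_key, issue, verify_chain, the role labels) are hypothetical.

```python
import hashlib

# Toy RSA keys from Mersenne primes: constructed for illustration, NOT secure.
def make_key(a, b, e=65537):
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def cert_body(role, n, e):
    return f"{role}|{n:x}|{e:x}".encode()

def issue(signer, role, subject):
    # The signer certifies the subject's public key under a role label.
    sig = pow(digest(cert_body(role, subject["n"], subject["e"]), signer["n"]),
              signer["d"], signer["n"])
    return {"role": role, "n": subject["n"], "e": subject["e"], "sig": sig}

def verify_chain(root_pub, chain, allowed_paths):
    # Walk from the certificate signed by the root down to the card key.
    roles = tuple(c["role"] for c in chain)
    if roles not in allowed_paths:
        raise ValueError(f"unexpected certification path {roles}")
    n, e = root_pub
    for cert in chain:
        if pow(cert["sig"], e, n) != digest(cert_body(cert["role"], cert["n"], cert["e"]), n):
            raise ValueError(f"bad signature on {cert['role']} certificate")
        n, e = cert["n"], cert["e"]  # this key verifies the next link
    return n, e

def card_sign(card, challenge):
    # DDA-style dynamic signature over a terminal-supplied challenge.
    return pow(digest(challenge, card["n"]), card["d"], card["n"])

def dda_ok(card_pub, challenge, sig):
    n, e = card_pub
    return pow(sig, e, n) == digest(challenge, n)

# Constructed sample hierarchy: scheme root, regional CA, issuer CA, card.
ROOT, REGIONAL = make_key(521, 607), make_key(521, 1279)
ISSUER, CARD = make_key(607, 1279), make_key(1279, 2203)
ROOT_PUB = (ROOT["n"], ROOT["e"])
TWO_TIER = [issue(ROOT, "issuer", ISSUER), issue(ISSUER, "card", CARD)]
THREE_TIER = [issue(ROOT, "regional", REGIONAL),
              issue(REGIONAL, "issuer", ISSUER), issue(ISSUER, "card", CARD)]
FIXED_PATHS = {("issuer", "card")}  # terminal that knows only root -> issuer -> card
EXTENDED_PATHS = FIXED_PATHS | {("regional", "issuer", "card")}
```

A terminal configured with FIXED_PATHS rejects THREE_TIER even though every signature in it is valid, so in this model an extra CA level only works if terminals are updated to accept the longer path.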
