Eric Rescorla wrote:
> Incidentally, when designing SHTTP we envisioned that credit
> transactions would be done with signatures. I would say that
> the Netscape guys were right in believing that confidentiality
> for the CC number was good enough.

I don't think so. One of the things I'm running into increasingly with
HTTPS is that you can't do an end-to-end check on a cert. That is, if I
have some guy logging into some site using a client cert, and that site
then makes a back-end connection to another site, there's no way it can
prove to the back-end site that it has the real guy online (without
playing nasty tricks with the guts of SSL, anyway), and there's
certainly no way to prove that some particular response came from him.
Signing stuff would deal with this trivially.




"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to