At 09:44 AM 9/7/2003 -0700, Eric Rescorla wrote:
Incidentally, when designing SHTTP we envisioned that credit
transactions would be done with signatures. I would say that
the Netscape guys were right in believing that confidentiality
for the CC number was good enough.

actually was supposedly no worse than the face-to-face world .... aka make the transit part secure ... so that the rest became the same as the physical world .... transactions go into big merchant file ... because there are several merchant related business processes that subsequently reference the transaction and number.


the problem was that there appears to be little or no fraud associated with threats against CC numbers in flight (with or w/o SSL), however the threat model was against the merchant credit card file and the numbers in the clear; it wasn't that the process was any different than the physical world, but the web merchants allowed the file to be accessible from the network (which didn't exist in the physical world).

the requirement given the x9a10 working group was to preserve the integrity of the financial infrastructure for all electronic retail payments (debit, credit, stored-value, ach, internet, non-internet, point-of-sale, etc). Turns out the internet threat profile wasn't so much data-in-flight .... but having the operation connected to the internet at all. X9.59 addressed most of that ... which neither ssl nor set did .... and did it with just a single digital signature. misc. x9.59
http://www.garlic.com/~lynn/index.html#x959


--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm



--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
