----- Original Message ----- 
From: "Ian Grigg" <[EMAIL PROTECTED]>
Sent: Sunday, September 07, 2003 12:01 AM
Subject: Re: Is cryptography where security took the wrong branch?

> That's easy to see, in that if SSL was oriented
> to credit cards, why did they do SET?  (And,
> SHTTP seems much closer to that mission, on a
> quick reading, at least.)

Actually they do target very different aspects. SET, 3D-Secure, and any
other similar have a different target than SSL. To understand this it is
important to realize that instead of the usual view of two-party
transactions, credit card transactions actually take 3 parties: Issuer,
Seller, and Buyer. SSL covers the Seller-Buyer communication, and can also
be applied to the Seller-Issuer communication, but on a transaction basis it
offers nothing for the Issuer-Buyer (the important one for minimizing costs
for the Issuer).

SET/3D-Secure/etc address this through various means but the end target is
to create a pseudo-Buyer-Issuer link, through the Seller. This allows the
Issuer to minimize costs (less chance of having to make a call) and because
it is behind the scenes technology has no reason to be accompanied by a
reduction in fees (and actually because of the reduced likelihood of buyer
fraud, it may be possible to charge the seller _more_).

In the end SSL and SET/3D-Secure/etc target entirely different portions of
the problem (the former targets seller fraud against the buyer, latter
seller against issuer). Both of these are important portions, of course the
real upside of SET/3D-Secure/etc is that the seller doesn't have a choice,
and the fees in accordance with the "fraud-reduction" may very well increase
the costs to the seller, the buyer costs of course stay the same. End
result: lower fraud, increased fees->higher profit margins.

However, if it meets expectations, it is entirely possible that all
legitimate parties (non-fraud entities) will see improved profits (seller
has reduced fraud and charge-backs, buyer less likelihood of the $50
penalty, issuer higher fees). Will it meet those expectations? I have no

Trust Laboratories
Changing Software Development

The Cryptography Mailing List