On Wed, Oct 22, 2003 at 05:08:32PM -0400, Tom Otvos wrote:
> >
> > So what purpose would client certificates address? Almost all of the use
> > of SSL domain name certs is to hide a credit card number when a consumer
> > is buying something. There is no requirement for the merchant to
> > identify and/or authenticate the client .... the payment infrastructure
> > authenticates the financial transaction and the server is concerned
> > primarily with getting paid (which comes from the financial institution)
> > not who the client is.
> >
> 
> The CC number is clearly not hidden if there is a MITM.

Can you please posit an *exact* situation in which a man-in-the-middle
could steal the client's credit card number even in the presence of a
valid server certificate?  Can you please explain *exactly* how using a
client-side certificate rather than some other form of client authentication
would prevent this?

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to