it wasn't a CCard transaction, my liability under SET was unlimited (at least until Congress caught up to the technology). Looking at the risk management aspect, SET was a big loser for the customer.
my earlier responses http://www.garlic.com/~lynn/aadsm17.htm#53 http://www.garlic.com/~lynn/aadsm17.htm#54
i also included some discussion on it at a talk i gave on naked keys at global grid forum conference last month, focusing on business issues of authentication; ... minor ref (with pointer to the GGF pages & presentation): http://www.garlic.com/~lynn/2004g.html#53
with some comparison to x9.59 http://www.garlic.com/~lynn/index.html#x959
.... one of the business issues of public key infrastructures is the dual-issue vulnerability of using digital signatures for both authentication and signatures.
many of the authentication infrastructures have the server sending the user some random data to be signed as part of authentication (issues like replay attacks, etc); which the user never looks at.
ignoring all the non-repudiation issues .... real signatures are supposed to imply things like agreement, approval, and/or authorization (of the contents of what is being signed).
the dual-use vulnerability is ever having signed random data ... w/o reading it .... and using the same technology to sign documents where reading is implied (as well as agreement, approval, authorization).
the scenario is somewhat out of MASH where Radar is periodically having the col. sign documents w/o having read them.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
The Cryptography Mailing List
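The dual-use problem described in the post, as an added example that is not the author's code: an Ed25519 sketch (the key type and the purpose prefixes are assumptions for illustration) in which a challenge signed blindly during authentication is accepted as a signature on a document when both flows sign raw bytes with the same key, and is rejected once each purpose is bound into the signed bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Purpose prefixes (constructed for this example) that bind a signature to one use.
var (
	authPrefix = []byte("auth-challenge-v1:")
	docPrefix  = []byte("document-v1:")
)

// tagged returns prefix||msg without aliasing the caller's slices.
func tagged(prefix, msg []byte) []byte {
	return append(append([]byte{}, prefix...), msg...)
}

// Naive scheme: the same key signs whatever bytes it is handed, in either flow.
func SignNaive(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }
func VerifyNaiveDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Separated scheme: the purpose is part of what gets signed and what gets verified.
func SignChallenge(priv ed25519.PrivateKey, c []byte) []byte {
	return ed25519.Sign(priv, tagged(authPrefix, c))
}
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, tagged(docPrefix, doc))
}
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, tagged(docPrefix, doc), sig)
}

// DualUseDemo returns (naiveAccepted, separatedAccepted) for the case where the
// "random" challenge the user signs without reading is really a document's bytes.
func DualUseDemo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored for brevity
	doc := []byte("I approve transfer of 10000 to account X") // constructed document
	challenge := doc                                          // a dishonest server chooses it
	naiveSig := SignNaive(priv, challenge)   // user thinks this is just a login step
	sepSig := SignChallenge(priv, challenge) // same user action, purpose-bound signature
	return VerifyNaiveDocument(pub, doc, naiveSig), VerifyDocument(pub, doc, sepSig)
}

func main() {
	n, s := DualUseDemo()
	fmt.Printf("naive scheme accepts as document signature: %v; separated scheme: %v\n", n, s)
}
```

The separation only helps if every verifier in the system checks the prefix for its own purpose; a document verifier that accepts raw-byte signatures reopens the hole.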