At 06:42 AM 7/15/2004, Rich Salz wrote:
> it wasn't a CCard transaction, my liability under SET was unlimited (at
> least until Congress caught up to the technology).  Looking at the risk
> management aspect, SET was a big loser for the customer.

my earlier responses

i also included some discussion on it at a talk i gave on
naked keys at the Global Grid Forum conference last month,
focusing on business issues of authentication;
... minor ref (with pointer to the GGF pages &

with some comparison to x9.59

.... one of the business issues of public key infrastructures
is the dual-issue vulnerability of using digital signatures
for both authentication and signatures.

many of the authentication infrastructures have the
server sending the user some random data to be signed
as part of authentication (issues like replay attacks, etc),
which the user never looks at.

ignoring all the non-repudiation issues .... real signatures
are supposed to imply things like agreement, approval,
and/or authorization  (of the contents of what is being

the dual-use vulnerability is ever having signed random
data ... w/o reading it .... and using the same technology
to sign documents where reading is implied (as well as
agreement, approval, authorization).

the scenario is somewhat out of MASH where Radar
is periodically having the col. sign documents w/o
having read them.

Anne & Lynn Wheeler
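As an added example (not code from the post or the list), here is the purpose-separation mitigation for the dual-use problem described above, in Go using the standard library's Ed25519: a purpose prefix is bound into everything signed, so a signature produced over an unread challenge cannot double as a signature over a document. The purpose strings, function names and sample document are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Purpose tags (assumed names, not from the original post) give each use of the
// key its own domain: bytes signed to answer an authentication challenge can
// never verify as a signature over a document, and vice versa.
const (
	purposeAuth = "auth-challenge-v1:"
	purposeDoc  = "document-v1:"
)
// tagged builds the bytes actually signed: purpose prefix + SHA-256(payload).
// Hashing first means no payload can smuggle in another purpose's prefix.
func tagged(purpose string, payload []byte) []byte {
	h := sha256.Sum256(payload)
	return append([]byte(purpose), h[:]...)
}

// SignChallenge answers the server's random challenge (data the user never reads).
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, tagged(purposeAuth, challenge))
}

// SignDocument signs content the user has read and agrees to.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, tagged(purposeDoc, doc))
}

// Each verifier accepts only signatures made under its own purpose.
func VerifyChallenge(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, tagged(purposeAuth, challenge), sig)
}
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, tagged(purposeDoc, doc), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("I approve payment of 1000 units") // constructed sample document
	// Dual-use pattern: raw bytes signed as a "challenge" are a valid document signature.
	fmt.Println("raw signing, response verifies as document:", ed25519.Verify(pub, doc, ed25519.Sign(priv, doc)))
	// Purpose-tagged signing: the same misuse is rejected by the document verifier.
	fmt.Println("tagged signing, response verifies as document:", VerifyDocument(pub, doc, SignChallenge(priv, doc)))
}
```

Using two separate key pairs for the two purposes is the other standard fix; the tagging above is the cheaper option when a single key must serve both.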

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
