Perry E. Metzger wrote:
> If you have a sufficiently good token, you may no longer need to have
> identification information presented to the merchant, even by the
> token, to reduce misuse. It is true that the issuer will still know
> what transactions took place. However, you have at least reduced the
> number of entities that require proof of your identity and the number
> that have logs of your activity.

this is the EU privacy directive threads that went on (mostly prior to 9/11) and why couldn't they apply in the US also ... aka that electronic retail transactions could be as anonymous as cash. names would be removed from the plastic embossing and magstripe ... and the merchant would no longer have to wander across the line from authentication into identification (attempting to match the name on the card with other credentials).

when we started x9.59 in the mid-90s,
http://www.garlic.com/~lynn/index.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy

we frequently commented that it was privacy agnostic. it provided strong authentication that didn't have skimming and harvesting threats and vulnerabilities. there was a strong correlation with some account number ... and the degree that there was some trail from that account number to an individual was dependent on a lot of things outside of the financial transaction itself. however, the basic financial transaction didn't require wandering across the line from authentication into identification.

this was also the period where it started to show up the shortcomings of the x.509 identity certification paradigm that had somewhat tried to get some toe hold in the early 90s .... including grossly overloading the certificates with personal information. basically that every digitally signed transaction in the world would carry a huge x.509 identity certificate grossly overloaded with personal information.

Not only would all such transactions carry such humongous personal information repositories, while in flight .... but all the transaction logs would be heavily burdened with the same information. You might have tens of thousands of transaction logs all over the world ... and every one would include a humongous x.509 identity certificate grossly overloaded with personal information.

---------------------------------------------------------------------
The Cryptography Mailing List