Rich Salz wrote:
I was told that one of the reasons SSL took off was because Visa and/or MC
told merchants they would "for the time being" treat SSL as card-present,
in terms of fraud penalties, etc.  If this is true (anyone here verify?
My source is on the list if s/he wants to name themselves), then SSL/SET
is an interesting example of betting on both sides.

I only know of MOTO ... the original netscape e-store and merchants processed thru the original payment gateway.
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

SSL originally just provided for webserver authentication, while we mandated mutual authentication for SSL between webservers and the payment gateway (before there was even a specification for mutual authentication). Information about the respective other end-point was preloaded in the respective servers ... so the use of digital certificates was purely an artificial artifact of the existing code base.

However, normal merchant webserver operation for SSL was purely one-sided authentication ... there was no form of client authentication that would provide any kind of basis for either cardholder-present or card-present.

There is something for being there first, starting late 94 ...
http://scout.wisc.edu/Projects/PastProjects/NH/95-03/95-03-27/0016.html

remember what Verisign was called before it was renamed Verisign?

SET prototype shows up early fall 96 with dedicated demo systems appearing at conferences late '96 (dedicated demo systems taking 30 seconds elapsed time to perform transaction).

Two of the major risks and vulnerabilities that have been discussed are eavesdropping on data-in-flight ... and data breaches at merchant databases ... old post on security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

both SSL and SET addressed confidentiality of data-in-flight. Neither SSL nor SET addressed data breaches at merchant databases.

Going on in parallel with webservers doing MOTO transactions thru the payment gateway .... you also found some number of webservers doing emulated POS terminal dialup operations (also MOTO transactions). Some number of vendors were peddling software that was originally developed to run on PCs and autodial merchant processor (effectively emulated POS terminal dial) ... software originally targeted for hotels, casinos, etc.


... from long ago and far away:

Date: Sat, 24 Feb 1996 17:08:01 -0500 (EST)
From: H Morrow Long <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Draft SET Standard/specs now online at MC and Visa

The new SET (Secure Electronic Transaction) draft standard/
specs are now online at VISA and Mastercard for downloading.

The draft docs were just released yesterday (Feb 23).

The docs are available in Word and Postscript file formats
for Windows, Unix and the Mac.

Check out:

        http://www.mastercard.com/set/set.htm
        http://www.visa.com:80/cgi-bin/vee/sf/standard.html?2+0

The Web pages also have information on how to subscribe to
the set-discuss mailing list.

- Morrow


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
