Aram Perez wrote:
> One other point, SET did NOT require certs for the consumers. The
> client-merchant protocol supported clients without certs.

there was a later "set-lite" w/o certs for clients ... but the original specification had client certs as part of the core process.

note that the SET consumer certificate was *NOT* an x.509 identity certificate ... because of stated reasons regarding privacy and liability. It was a relying-party-only certificate that basically contained the account number and the public key
http://www.garlic.com/~lynn/subpubkey.html#rpo

It was also not a true PKI ... since it didn't have any certificate administration and management infrastructure. It was purely a *certificate manufacturing* process (a term we had coined to differentiate the early SSL certificate operations from what had been defined for a PKI operation).

Further, the statement was that they could get by w/o a PKI operation ... since it was purely a "certificate manufacturing" process using relying-party-only certificates (containing just the public key and account number), the business process could be managed by deactivating the account number in the *real*, real-time, online operation.

quicky search engine for set-lite:
http://iugsun.cs.uni-dortmund.de/lehre/datenschutz/material/folien/dsss2004-5-ecommerce.pdf
http://www.it.murdoch.edu.au/~smr/honours/admin/info/DavidsProposal.html
http://www.indiainfoline.com/bisc/ieps.html
http://www.networkworld.com/archive/1999/61423_03-22-1999.html

from above:

When MasterCard and Visa unveiled technology for secure Internet electronic commerce transactions two years ago, they thought it would take over the world. But while Secure Electronic Transaction (SET) has made inroads in Europe and Asia, it has faltered badly in the U.S. Faced with technical and business obstacles to SET, MasterCard and Visa are now coming up with alternatives to SET - SET Lite and Merchant-originated SET (MOSET). But SET Lite and MOSET critically alter the SET 1.0 architecture and soften SET's rock-hard security - all for the sake of convenience.

For example, the technologies abandon the idea that each online consumer is going to have a bank-issued SET digital certificate for credit-card encryption. This certificate was to be the main means of verifying the consumer's real identity on the Internet.