Anne & Lynn Wheeler wrote:
http://news.com.com/IBM+donates+new+privacy+tool+to+open-source/2100-1029_3-6153625.html
from above:
The encrypted credentials would be for one-time use only. The next purchase or
other transaction will require a new credential. The process is similar to the
one-time-use credit card numbers that Citigroup card holders can already
generate on the bank's Web site.
... snip ...
past post:
http://www.garlic.com/~lynn/aadsm26.htm#24 News.com: IBM donates new privacy tool to open-source Higgins
... so if you had to go to the credential issuing website every time you needed
a one-time use credential (one-time use is a countermeasure to replay attacks
involving static data credentials) ... what mechanism are you using to
authenticate yourself to the credential issuing website?
if the mechanism for authentication to the credential issuing website is of
reasonably strong security ... then why don't you use that mechanism directly
in the regular transaction ... rather than having to have an intermediary
credential involved.
this is somewhat the argument used about digital certificates being redundant
and superfluous in an online environment ... whatever was used to acquire the
(x.509 identity) digital certificate ... especially a relying-party-only
digital certificate
http://www.garlic.com/~lynn/subpubkey.html#rpo
to avoid repeatedly spraying personal information all over the world ... just
use that interaction directly ... and avoid the superfluous and redundant
digital certificate.
this is the certificateless public key infrastructure operation
http://www.garlic.com/~lynn/subpubkey.html#certless
in the x9.59 financial standard transaction
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959
or in the similar FAST transaction (for matters other than financial
transaction authorization) done by FSTC in the 90s
http://www.fstc.org/
one might claim that this new mechanism is another approach to addressing the enormous privacy exposure represented by the x.509 identity digital certificates from the early 90s ... but my oft-repeated claim is that the whole credentialing and certificate paradigm is left-over from the offline era. in the online era ... if the relying party either 1) has their own online information and/or 2) has online, realtime access to the responsible authoritative agency or institution ... then credentials and certificates purely represent relics predating online infrastructures.
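As an added example (my own, not code from the Wheelers' post, from x9.59 or from the FSTC work), here is the certificateless operation argued for above, in Go: the relying party has the account holder's public key on file from when the account was set up, verifies each signed transaction directly against it, and a per-account sequence number gives each signature one-time use, so a replayed or altered transaction is refused without any certificate or intermediary credential. Account ids, amounts and the field encoding are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Transaction is what the account holder signs (field values constructed for this example).
type Transaction struct {
	Account string // account number the relying party already knows
	Seq     uint64 // strictly increasing per account: makes each signature usable once
	Amount  uint64
	Payee   string
}
// bytes is a canonical, unambiguous encoding (length-prefixed strings) that both sides sign/verify.
func (t Transaction) bytes() []byte {
	return []byte(fmt.Sprintf("%d:%s|%d|%d|%d:%s", len(t.Account), t.Account, t.Seq, t.Amount, len(t.Payee), t.Payee))
}
// Sign is the account holder's side: sign with the private half of the key registered at the relying party.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte { return ed25519.Sign(priv, t.bytes()) }

var ErrUnknownAccount = errors.New("no public key on file for account")
var ErrBadSignature = errors.New("signature does not verify under the registered key")
var ErrReplay = errors.New("sequence number already used: replay refused")
// RelyingParty is the account-holding institution: it keeps the public key registered when the account was opened (no certificate) and the highest sequence number accepted so far.
type RelyingParty struct {
	keys    map[string]ed25519.PublicKey
	lastSeq map[string]uint64
}
func NewRelyingParty() *RelyingParty {
	return &RelyingParty{keys: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint64{}}
}
// Register binds a public key to an account once, in the same interaction that sets the account up.
func (rp *RelyingParty) Register(account string, pub ed25519.PublicKey) { rp.keys[account] = pub }
// Authorize verifies the signature directly against the on-file key, then enforces one-time use.
func (rp *RelyingParty) Authorize(t Transaction, sig []byte) error {
	pub, ok := rp.keys[t.Account]
	if !ok {
		return ErrUnknownAccount
	}
	if !ed25519.Verify(pub, t.bytes(), sig) {
		return ErrBadSignature // altered fields, or a key other than the registered one
	}
	if t.Seq <= rp.lastSeq[t.Account] {
		return ErrReplay // the same signed transaction presented again
	}
	rp.lastSeq[t.Account] = t.Seq
	return nil
}
```

The sequence number stands in for the "new credential per transaction" property; a real deployment would also bound how far ahead of the last accepted value a sequence may jump.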
---------------------------------------------------------------------
The Cryptography Mailing List