Anne & Lynn Wheeler wrote:
http://news.com.com/IBM+donates+new+privacy+tool+to+open-source/2100-1029_3-6153625.html

from above:

The encrypted credentials would be for one-time use only. The next purchase or 
other transaction will require a new credential. The process is similar to the 
one-time-use credit card numbers that Citigroup card holders can already 
generate on the bank's Web site.

... snip ...

past post:
http://www.garlic.com/~lynn/aadsm26.htm#24 News.com: IBM donates new privacy 
tool to open-source Higgins

... so if you had to go to the credential issuing website every time you needed 
a one-time use credential (one-time use is a countermeasure to replay attacks 
involving static data credentials) ... what mechanism are you using to 
authenticate yourself to the credential issuing website?

if the mechanism for authentication to the credential issuing website is of 
reasonably strong security ... then why don't you use that mechanism directly 
in the regular transaction ... rather than having to have an intermediary 
credential involved?

this is somewhat the argument used about digital certificates being redundant 
and superfluous in an online environment ... whatever was used to acquire the 
(x.509 identity) digital certificate ... especially a relying-party-only 
digital certificate
http://www.garlic.com/~lynn/subpubkey.html#rpo

to avoid repeatedly spraying personal information all over the world ... just 
use that interaction directly ... and avoid the superfluous and redundant 
digital certificate.

this is the certificateless public key infrastructure operation
http://www.garlic.com/~lynn/subpubkey.html#certless

in the x9.59 financial standard transaction
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

or in the similar FAST transaction (for matters other than financial 
transaction authorization) done by FSTC in the 90s
http://www.fstc.org/

one might claim that this new mechanism is another approach to addressing the enormous privacy exposure represented by the x.509 identity digital certificates from the early 90s ... but my oft-repeated claim is that the whole credentialing and certificate paradigm is left over from the offline era. in the online era ... if the relying party either 1) has their own online information and/or 2) has online, realtime access to the responsible authoritative agency or institution ... then credentials and certificates purely represent relics predating online infrastructures.
---------------------------------------------------------------------
The Cryptography Mailing List
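The certificateless, relying-party-has-the-information case argued above, as an added Go example that is not from the original post nor from the x9.59 or FSTC specifications: the relying party verifies a signed transaction directly against the public key it registered when the account was opened, and a per-account sequence number gives the one-time-use property without any intermediary credential. The account id, key pair, amount and sequence numbering are constructed sample values.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Transaction: account, amount and a per-account sequence number Seq that makes each one single-use.
type Transaction struct {
	Account     string
	Amount, Seq uint64
	Sig         []byte // the account holder's signature over txBytes
}
// txBytes is the canonical string that is signed and verified (ids assumed not to contain '|').
func txBytes(t Transaction) []byte {
	return []byte(fmt.Sprintf("%s|%d|%d", t.Account, t.Amount, t.Seq))
}
// account is the relying party's own on-file record: the key registered at account opening and the last Seq seen.
type account struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}
// RelyingParty keeps its account records online itself, keyed by account id; no certificate is involved.
type RelyingParty map[string]*account
func (rp RelyingParty) Register(id string, pub ed25519.PublicKey) { rp[id] = &account{pub: pub} }
// Authorize accepts a transaction only if it verifies under the key on file and Seq is fresh,
// so a replayed copy of an earlier transaction is rejected.
func (rp RelyingParty) Authorize(t Transaction) error {
	a, ok := rp[t.Account]
	switch {
	case !ok:
		return errors.New("unknown account")
	case !ed25519.Verify(a.pub, txBytes(t), t.Sig):
		return errors.New("bad signature")
	case t.Seq <= a.lastSeq:
		return errors.New("replay: sequence number already used")
	}
	a.lastSeq = t.Seq
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample key pair
	rp := RelyingParty{}
	rp.Register("acct-42", pub) // constructed sample account id
	tx := Transaction{Account: "acct-42", Amount: 1999, Seq: 1}
	tx.Sig = ed25519.Sign(priv, txBytes(tx)) // the account holder signs
	fmt.Println(rp.Authorize(tx), "/ replay:", rp.Authorize(tx))
}
```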