we were brought in as consultants to a small client/server startup that wanted to do payment transactions on 
their server, they had this technology they called "SSL" they wanted to use, the result is now 
frequently called "electronic commerce". The two people at the startup responsible for the 
"commerce server" we had worked with in prior life on parallel Oracle cluster scaleup.

As part of mapping "SSL" technology to payment transactions we had to audit operations 
selling "SSL" digital certificates and also came up with recommendations on how browsers 
and servers would deploy and use the technology. Almost immediately several of the recommendations 
were violated, resulting in some number of the exploits that continue to this day.

We were then tangentially involved in the Cal. data breach notification legislation, 
having been brought in to help wordsmith the Cal. electronic signature legislation. Many 
of the parties were heavily involved in privacy issues and had done numerous, indepth, 
public surveys. The number one issue was "identity theft" of the form involving 
fraudulent financial transactions ... frequently as result of data breach. The issue was 
nothing was being done about the problems and so it was hoped that the publicity from the 
notifications might motivate corrective action. Part of the issue is normally 
institutions take security measures in self-interests ... however, the institutions 
having breaches weren't at risk, it was the account holders.

PCI DSS shows up some time after Cal. data breach notification and frequently the joke is 
that if you have a breach ... you loose your PCI DSS certification. It turns out that 
there was a number of Federal "data breach notification" bills introduced, 
preempting state legislation and effectively eliminating notification requirements ... 
citing PCI DSS industry effort as justification for no longer needing notification.

Another problem we've frequently pointed out is current paradigm with "dual 
use" paradigm and even if the planet was covered in miles of information hiding 
encryption, it wouldn't stop data leakage. Account information is used for authenticating 
new transactions and so has a requirement that it be kept totally confidential and never 
divulged to anybody ... but at the same time, account information is needed in dozens of 
business processes at millions of locations around the planet.

disclaimer: we were co-authors of the x9.59 financial transaction standard that 
slightly tweaked the current payment paradigm and eliminated the dual-use 
characteristic .... which then also eliminated the need to hide account 
information and as a result it also eliminated the need for SSL to hide account 
information in electronic commerce transactions .... eliminating the major 
requirement for SSL in the world today.

virtualization experience starting Jan1968, online at home since Mar1970
The cryptography mailing list

Reply via email to