At 11:52 PM 5/12/02, Brent Clark wrote:

> As you might agree, the business of authenticating internet payments
> needs to stay within a trusted domain such as financial institutions
> rather than a technology company such as Microsoft.
I agree, authentication must not be delegated to Microsoft, or any other company in the software industry. There has never been a software company that has been trusted; instead, due to the Darwinian nature of that industry, companies which do not exploit their grip over clients' information in various ways soon go out of business. The telecoms industry also follows this pattern, e.g. the problem of the Cisco monopoly, the history of the AT&T breakup, etc. Try this: go to any software or telecoms company, and say the phrase "moral hazard." They will look at you like you're nuts. Never heard of the concept.

I would like to respectfully disagree, however, with the notion that authentication needs to be within the financial industry. Authentication and trust have far, far wider applications than "Owner's instructions to Bank" to reassign a piece of money. There are many other communities working for technical authentication in trade relationships, services, devices, DRM, etc. The banking industry would be wise, for your own self-interest, to join with those other communities. You'll get a more robust and lower-cost solution if we all pull together.

My 2c worth is that the carnal act of authenticating oneself should be placed as firmly as possible with the individual themselves, and OUT of the control of any central authenticating component such as certificate servers. Consumers should buy generic signing devices with PIN pads, at Walmart for $20. If they want banking services they would have to come into the branch and strongly associate themselves with their new certificates and keys (the private key is strongly secured within the device, and never leaves the device). These devices would have various ports for receiving any arbitrary chunk of XML, presenting it on the screen, receiving a PIN and returning the strongly signed document to its sender.
The MeT Consortium has done an excellent job documenting this kind of choreography: http://www.mobiletransaction.org/ (but stay away from those scenarios controlled by the wireless operator; see "account based payment" etc.)

Todd Boyle CPA
ARAP everywhere
www.arapxml.net
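As an added illustration (not part of the original message or of any MeT Consortium specification) of the device choreography Todd describes, the Go program below models a consumer-owned signing device: an ECDSA private key is generated inside the device and is never exported, the device "displays" the document it is asked to sign, signs it only after a PIN check with a lockout after repeated failures, and the bank verifies signatures only against the public key the customer enrolled at the branch. The device, bank, customer name, PIN and XML payment document are all constructed for the example; real devices would hold the key in tamper-resistant hardware rather than process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINFailures = 3 // hypothetical lockout policy for the example

// SigningDevice models the $20 generic signer: the private key is created
// inside and never leaves; only the public key is handed to the bank.
type SigningDevice struct {
	priv     *ecdsa.PrivateKey // never exported by any method
	salt     [16]byte
	pinHash  [32]byte // salted SHA-256 of the PIN; the PIN itself is not stored
	failures int
	locked   bool
}

func hashPIN(salt [16]byte, pin string) [32]byte {
	return sha256.Sum256(append(salt[:], pin...))
}

// NewSigningDevice generates the key pair on-device and sets the holder's PIN.
func NewSigningDevice(pin string) (*SigningDevice, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	d := &SigningDevice{priv: priv}
	if _, err := rand.Read(d.salt[:]); err != nil {
		return nil, err
	}
	d.pinHash = hashPIN(d.salt, pin)
	return d, nil
}

// PublicKey is the only key material that leaves the device; the customer
// registers it with the bank in person at the branch.
func (d *SigningDevice) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Display returns what the device screen shows, so the holder reads exactly
// the bytes that will be signed (no hidden fields can be substituted).
func (d *SigningDevice) Display(doc []byte) string { return string(doc) }

// Locked reports whether repeated PIN failures have disabled the device.
func (d *SigningDevice) Locked() bool { return d.locked }

// Sign returns an ASN.1 ECDSA signature over SHA-256(doc) after a
// constant-time PIN check; too many wrong PINs lock the device permanently.
func (d *SigningDevice) Sign(doc []byte, pin string) ([]byte, error) {
	if d.locked {
		return nil, errors.New("device locked after repeated PIN failures")
	}
	got := hashPIN(d.salt, pin)
	if subtle.ConstantTimeCompare(got[:], d.pinHash[:]) != 1 {
		d.failures++
		if d.failures >= maxPINFailures {
			d.locked = true
		}
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Bank keeps only public keys, enrolled at the branch; it never sees a PIN
// or private key, so a breach of the bank cannot forge customer signatures.
type Bank struct{ enrolled map[string]*ecdsa.PublicKey }

func NewBank() *Bank { return &Bank{enrolled: map[string]*ecdsa.PublicKey{}} }

func (b *Bank) Enroll(customer string, pub *ecdsa.PublicKey) { b.enrolled[customer] = pub }

// Accept verifies sig over doc against the customer's enrolled key.
func (b *Bank) Accept(customer string, doc, sig []byte) bool {
	pub, ok := b.enrolled[customer]
	if !ok {
		return false
	}
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	dev, _ := NewSigningDevice("4821") // constructed PIN
	bank := NewBank()
	bank.Enroll("alice", dev.PublicKey()) // done in person at the branch
	// Constructed payment instruction; in the scenario this arrives over a port.
	doc := []byte(`<payment><from>alice</from><to>bob</to><amount>25.00</amount></payment>`)
	fmt.Println("device shows:", dev.Display(doc))
	sig, err := dev.Sign(doc, "4821")
	if err != nil {
		panic(err)
	}
	fmt.Println("bank accepts:", bank.Accept("alice", doc, sig))
	tampered := []byte(`<payment><from>alice</from><to>bob</to><amount>2500.00</amount></payment>`)
	fmt.Println("bank accepts tampered:", bank.Accept("alice", tampered, sig))
}
```

The design point is in the types: nothing in `SigningDevice` returns `priv`, and `Bank` stores public keys only, so the authenticating act stays with the individual and the "central component" holds nothing that lets it impersonate them.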