I'm not sure about "my way".
I worked with this small client/server startup in Menlo Park that wanted to do electronic payment transactions. Putting up this thing that was the original payment gateway ... I insisted that this thing they had invented called SSL do "mutual" authentication (this was back before there was SSL3) ... and I believe it was the original implementation that had both client and server doing certificate-based authentication. Both the ability to do payments on these servers and the use of client-based certificates seem to have a fairly wide worldwide deployment. Is that what you are referring to as "my way"?

The case for AADS came out of the observation that even though there were client certificates in the payment gateway case ... all the actual business processing was being done based on accounts ... the certificates were a momentary facade based on the fact that that was the way the SSL code worked ... not how the business process worked. In effect, once the SSL code had done its bit, its way ... there was a business process implementation that did its thing with accounts. misc. refs: http://www.garlic.com/~lynn/aadsm5.htm#asrn3

Or is it this thing called the internet .... misc. refs: http://www.garlic.com/~lynn/internet.htm

The internet is disruptive technology ... being "open" and getting to be ubiquitous (compared to the earlier closed networks). The transition from closed to open has increased the requirement for authentication technology. Passwords have been a weaker authentication technology as well as becoming more cumbersome as the electronic world expands and the requirement grows for (shared-secret) passwords to be unique in every domain.

The issue with certificates is that they really have a design point for the offline environment. The question then is whether the future is going to be an online paradigm or an offline paradigm. Certificates really are a stale, static, read-only, trusted copy of some information sitting around in some account record.
The purpose of the certificate is to provide a copy of that stale information when it isn't practical to access the real information.

Now as to P-cards. The question is what is the primary business driver for P-cards: 1) outsourcing the business or 2) lack of in-house connectivity. If the primary business driver for P-cards is lack of in-house connectivity ... then there is some reasonable expectation that as business connectivity increases, purchase operations return more in-house. If a primary business driver for P-cards has been outsourcing to more experienced and scalable operations ... then it is likely that P-cards become more prevalent.

A slightly related subject is that in the US, a majority of transit funding comes from the federal government. The federal government has been telling transit authorities that they need to be getting out of the money collection business and turn it over to organizations that specialize in such activity ... and concentrate just on what they are funded for ... moving people. Presumably the reasoning is 1) that organizations that specialize in moving money can do it more efficiently than various transit authorities and 2) it shouldn't be necessary for the federal gov. to be subsidizing development and enhancement of transit-specific money collection and management systems (when there are financial institutions that specialize in such activity).

In the P-card case (& in transit) there is a big difference between real-time auth and the offline stuff that might be done with credentials (aka ... 7-8 years ago ... it was pointed out that credentials were analogous to signing-limit checks ... but then it was observed that one of the reasons for migration to P-cards was that there was still fraud with signing-limit checks ... the offline model didn't support real-time and/or transaction aggregation).
While the internet is inexpensive, reduces the cost of doing business and is heading towards providing online ubiquitous connectivity ... one of the reasons that it is inexpensive is just exactly that ... it is inexpensive (aka there are things like SLAs lacking). There was an incident a couple of years ago where a processing center had divergent routing and redundancy ... with multiple central exchanges feeding into the facility from different physical directions and different physical wires. The central exchanges are supposed to automatically reroute if there is a problem from any one direction. This rerouting is supposed to take under a minute. In this particular case, the rerouting was delayed 17 minutes real time. This caused CEO-level discussion with the phone entity. Imagine a large number of facilities not able to execute transactions (transit or retail) during peak rush hour.

Note that the P-card question implies an expectation of online, ubiquitous connectivity ... and with regard to an online P-card question, it is a matter of one online implementation (slightly more expensive ... until you take into consideration availability and scalability) versus another online implementation. Applying a similar expectation of online, ubiquitous connectivity ... is what raises the issue regarding certificates & certificate-based PKI, which were invented specifically for addressing an electronic but offline paradigm ... aka there wasn't going to be any facility for directly connecting to the certification authority and/or the authoritative agency for the information being certified (aka in the SSL domain name certificates, while there is a "certification authority", it is typically certifying information that it has checked with the authoritative agency as to the validity of the information). If the authoritative agency with regard to the information being validated was online with ubiquitous connectivity ... then certificates become redundant and superfluous ...
as well as any certification authority (separate from the authoritative agency).

[EMAIL PROTECTED] on 6/4/2002 4:56 am wrote:

Lynn, I don't believe (note, "believe", not know for sure) that this is where I see the *market* go. I.e. I don't believe that TTP CAs issuing one-to-many credentials should ever be liable for anything but their *own* activities, including the identity of the certified entity. For the latter that liability is likely to be only in the range of $10000-$100000. If you need more you will have to pay a big premium. And if relying parties require more, they will get no customers. Identrus is though heading your way, but I have not [yet] seen any signs of the B2B industry buying into their *lawyer-centric* stuff. VeriSign is good enough and is *much* easier to buy. I don't really see that we have a problem with B2B-PKI except that business systems do not support PKI. I.e. their "account records" have neither support for certificates nor for public keys.

=========================================

But I know that you think differently and so do many PKI promoters. I still think we have not seen the winner yet. Status quo beats PKI and AADS by a mile. Unfortunately.

=========================================

Although interesting, we'd better terminate this thread and give room for other interesting payment-related stuff. Proposed subject: What do P-Cards have for "reason to live" in an on-line society? My answer: null. 3D Secure et al makes centrally maintained profiles a thing of the past.

Anders
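The contrast Lynn draws above, between a certificate as a stale, CA-signed copy of an account record and an online check against the record itself, as an added Go example that is not part of the original thread and is not code from any AADS or payment-gateway implementation. Both relying-party checks verify the same Ed25519 signature over a transaction: the account-based path reads the live account record for the key and the account status, the certificate-based path trusts a copy of the key taken at issue time and can only fall back on expiry. The account ID, keys, the minimal certificate encoding and the "account closed" event are constructed for illustration; a real certificate format, revocation machinery and replay protection are deliberately left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Account is the authoritative record the business process keeps anyway; in the
// account-based model the holder's public key is registered here, beside the status.
type Account struct {
	ID     string
	PubKey ed25519.PublicKey
	Active bool
}

// Transaction is the message the account holder signs.
type Transaction struct {
	AccountID string
	Amount    uint64 // in cents
}

// bytes gives signer and verifier one fixed serialization to agree on.
func (t Transaction) bytes() []byte {
	return binary.BigEndian.AppendUint64([]byte("txn:"+t.AccountID+":"), t.Amount)
}

// AuthorizeOnline reads the live record: key and status both come from the
// authoritative source at the moment of the transaction.
func AuthorizeOnline(accounts map[string]*Account, t Transaction, sig []byte) error {
	acct, ok := accounts[t.AccountID]
	switch {
	case !ok:
		return errors.New("unknown account")
	case !acct.Active:
		return errors.New("account closed")
	case !ed25519.Verify(acct.PubKey, t.bytes(), sig):
		return errors.New("bad transaction signature")
	}
	return nil
}

// Certificate is a CA-signed, read-only copy of part of the account record,
// taken at issue time so a relying party can verify without reaching the record.
type Certificate struct {
	AccountID string
	PubKey    ed25519.PublicKey
	NotAfter  time.Time
	CASig     []byte
}

// tbs is the to-be-signed encoding of the certified fields (constructed format).
func (c Certificate) tbs() []byte {
	out := append([]byte("cert:"+c.AccountID+":"), c.PubKey...)
	return binary.BigEndian.AppendUint64(out, uint64(c.NotAfter.Unix()))
}

// Issue copies the account's key into a certificate signed by the CA.
func Issue(caPriv ed25519.PrivateKey, a *Account, notAfter time.Time) Certificate {
	c := Certificate{AccountID: a.ID, PubKey: a.PubKey, NotAfter: notAfter}
	c.CASig = ed25519.Sign(caPriv, c.tbs())
	return c
}

// AuthorizeOffline never consults the account record: it trusts the CA's copy, so
// anything that changed after issuance is invisible to it until the copy expires.
func AuthorizeOffline(caPub ed25519.PublicKey, c Certificate, t Transaction, sig []byte, now time.Time) error {
	switch {
	case !ed25519.Verify(caPub, c.tbs(), c.CASig):
		return errors.New("bad CA signature")
	case now.After(c.NotAfter):
		return errors.New("certificate expired")
	case c.AccountID != t.AccountID:
		return errors.New("certificate names another account")
	case !ed25519.Verify(c.PubKey, t.bytes(), sig):
		return errors.New("bad transaction signature")
	}
	return nil
}

// RunScenario registers a constructed account, issues a certificate from it, then
// closes the account and returns each model's decision before and after closure.
func RunScenario() (onlineBefore, offlineBefore, onlineAfter, offlineAfter error) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not return errors in practice
	acctPub, acctPriv, _ := ed25519.GenerateKey(rand.Reader)
	accounts := map[string]*Account{"acct-42": {ID: "acct-42", PubKey: acctPub, Active: true}}
	now := time.Now()
	cert := Issue(caPriv, accounts["acct-42"], now.Add(24*time.Hour))
	txn := Transaction{AccountID: "acct-42", Amount: 12500}
	sig := ed25519.Sign(acctPriv, txn.bytes())

	onlineBefore = AuthorizeOnline(accounts, txn, sig)
	offlineBefore = AuthorizeOffline(caPub, cert, txn, sig, now)
	accounts["acct-42"].Active = false // holder reports the key lost; the record is updated at once
	onlineAfter = AuthorizeOnline(accounts, txn, sig)
	offlineAfter = AuthorizeOffline(caPub, cert, txn, sig, now)
	return
}

func main() { fmt.Println(RunScenario()) }
```

Before the account is closed both checks accept the signed transaction. After the record is updated only the online check notices; the offline check keeps accepting the same signature until NotAfter, because the certificate is exactly the read-only copy the post describes. Shortening the validity period or shipping a revocation check narrows that window, but a real-time revocation check means contacting an authority for every transaction anyway, which is the point at which the account record could simply have been consulted.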