There are possibly serious confusions over the four corner model. Basically, a client walks into a relying-party and says that they want something and that their consumer financial institution will certify that there will be an exchange of value .... aka the merchant will be paid.
The relying-party/merchant sends off an online request to certify the consumer's assertion. It winds it thru various places and gets back to the merchant as either certified or not certified. The certification part is exactly as in the stale, static certificate based model: the consumer or public key owner, the consumer's financial institution (or certification body), and the merchant (or relying party). The business aspects are identical to the stale, static certificate based model, except it uses an online, realtime certification.

So what is the purpose of the fourth entity? In the credit card processing model, the 4th entity is the merchant's financial institution that has signed up to be legally liable for their merchants. In effect, when the consumer executes a credit card transaction with a merchant, it is in some sense actually being executed with the merchant's financial institution .... with the merchant effectively acting as an agent of their financial institution. The credit card associations have their relationships with financially liable financial institutions (both on the consumer side and on the merchant side). In the consumer/merchant transactions, both are effectively acting as agents of their respective financial institutions which carry the ultimate financial liability.

The traditional industry scenario is the bankrupt airline. If the ticket had been bought and paid for ahead of time with cash or debit card, the consumer is pretty much out of luck. If the ticket had been bought and paid for by credit card, then if the airline goes bankrupt, the airline's (merchant) financial institution is legally liable for restitution to the consumer. Merchant financial institutions are quite ambivalent about airlines as merchants; on one hand they tend to get a percentage of bigger ticket transactions and on the other hand some of them had to make good on several tens of millions in outstanding airline tickets when there was a bankruptcy.
The transaction flows through the (4th corner) merchant's financial institution because the merchant's financial institution is legally liable for the transaction and it happens to implement things like its own fraud detection and handling process.

There are some infrastructures where credit type operations have been implemented using only a three corner model. In those situations, individual merchants have signed contracts directly with every issuing consumer financial institution. However it scales extremely poorly; imagine possibly hundreds of thousands or millions of merchants, each signing individual contracts with tens of thousands of consumer financial institutions (aka on the order of four million times thirty thousand equals 120 billion contracts).

The four corner model is a valid business model with all four parties filling a valid business role .... totally independent of whether the delivery vehicle involves offline, stale, static certificates.

As repeatedly stated, the requirement given the X9A10 working group for the X9.59 standard was to preserve the integrity of the financial infrastructure for all electronic retail payments. The X9.59 standard applies whether it is a

1) two-corner model; relying-party-only (as in most of the stored-value in the US),
2) three-corner model (as in debit transactions, which doesn't involve a financial institution having legal liability for their merchants)
3) four-corner model (where there is consumer and relying party ... and both have legally liable financial institutions)

As implied in the authentication and identification subject line, it is possible to totally confuse the issue of authentication and identification.
Just as easily, it appears to be equally possible to totally confuse the certification business process with the mechanism for delivering the certification (aka online, realtime, as opposed to offline, stale, static certificates).

And then it seems that it is equally possible to confuse the underlying business model with the implementation of the certification business process.

It is possible in the X9.59 implementation to have account-based operations with digital signature authentication for the operation involving absolutely no static, stale certificates, and the same exact protocol apply to the two-corner (stored value), three-corner (debit) and four-corner (credit) transaction process.

Also, as has previously been pointed out, the account-based model not only applies to the financial account infrastructure (where the value of doing an online, realtime authentication and authorization easily outweighs the costs) but is also essentially the identical implementation for the majority (possibly 99.9999999 percent) of the world-wide ISP internet access (authentication and authorization).

misc. references:
http://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"
http://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#67 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#68 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#69 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#70 Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#71 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)

--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm

[EMAIL PROTECTED] on 6/26/2003 3:187 pm wrote:

A somewhat related issue is how banks currently take the lead in Europe as CAs. [Offering stale certificates that though are on-line verifiable at least].

Unfortunately banks have converted PKI into a new form of payment system (a.k.a. Four-corner Model), in spite of PKI not requiring transferal of anything between banks, as the relation (and transaction) is between the client and the relying party.

Fortunately at least the Swedish authorities begin to see that this is maybe not such a good thing for them.

http://www.x-obi.com/OBI400/e-government-ID-A.Rundgren.pdf

I doubt that the cost for OCSP-services of a large CA even accounts for 10% of the total.
