begin quoting Nicholas Wheeler as of Fri, Dec 01, 2006 at 10:58:56AM -0500:
> On 11/30/06, Stewart Stremler <[EMAIL PROTECTED]> wrote:
> >
> > I'm really surprised the credit-card companies haven't gotten involved.
> > They have the infrastructure for managing large numbers of
> > transactions; they have the trust of the customers and the vendors; they
> > have ready-made tokens on hand; and if I'm using my American Express to
> > authenticate with an online vendor, chances are that as long as I have
> > that card out, I'll use it to make the purchase as well.
> >
>
> "Sign in now with your credit card! You can trust us!"
>
> I don't see how I'd ever trust a system that required my credit card for
> authentication.
You'd use a smart card, issued by the credit card companies. NOT the magstripe here-is-your-credit-card-information type. You're quite right that merely providing the credit card information wouldn't be any good for authentication.

And it should go both ways. The vendor would offer a certificate to you, issued by the credit-card company, so that you could verify that the credit-card company did, indeed, think the vendor was legit.

Using PKI and a common CA (the one run by the credit-card company), you can mutually authenticate with a vendor, without disclosing your credit card number. When you do buy, and reveal your credit card number, and the vendor plays silly buggers with that data, the fraud department of the credit card company can revoke their certificate *and* authorization.

-- 
_ |\_ \|

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
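The scheme in the reply above (a common CA run by the card company, a certificate plus private key on the cardholder's smart card, a vendor certificate the cardholder can check against the same CA, and revocation by the fraud department), worked through as an added example. This is not code from the original list post nor from any card network; it is a self-contained Go program using only the standard library. The CA name, the vendor hostname shop.example, the cardholder token card-7f3a9c, the serial numbers and the in-memory revocation map are all assumptions made up for the demo; a real deployment would keep the cardholder's key on the smart card and publish revocations as a CRL or via OCSP, and the two message flows below would run over a real transport rather than in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type party struct { // a vendor or a cardholder; on a real smart card the key never leaves the card
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

type network struct { // stands in for the card company: its CA plus the fraud department's revocation list
	ca      *party
	pool    *x509.CertPool
	revoked map[string]bool // revoked serial numbers (assumed in-memory here; a CRL or OCSP responder in practice)
}

func must[T any](v T, err error) T { // a failure in setup (randomness, certificate creation) is fatal for this demo
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key pair and a certificate signed by the CA: a vendor (server role, bound to its hostname),
// a cardholder (client role, named by an opaque token, never by the card number) or, first, the CA itself.
func (n *network) issue(name string, serial int64, role x509.ExtKeyUsage) *party {
	seed := make([]byte, ed25519.SeedSize)
	must(rand.Read(seed))
	key := ed25519.NewKeyFromSeed(seed)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{role}}
	parent, signer := tmpl, key // self-signed: only for the CA's own certificate, created before any other
	if n.ca != nil {
		parent, signer = n.ca.cert, n.ca.key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	if role == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{name}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer))
	return &party{cert: must(x509.ParseCertificate(der)), key: key}
}

func newNetwork() *network {
	n := &network{pool: x509.NewCertPool(), revoked: map[string]bool{}}
	n.ca = n.issue("Example Card Network CA", 1, x509.ExtKeyUsageAny)
	n.pool.AddCert(n.ca.cert)
	return n
}

// revoke is the fraud department pulling a certificate, e.g. a vendor's after it misuses card data.
func (n *network) revoke(p *party) { n.revoked[p.cert.SerialNumber.String()] = true }

// verifyPeer is what each side does with the CA root and revocation list it holds: the peer's chain must lead to
// the CA and fit the expected role (and hostname, for a vendor), the certificate must not be revoked, and the
// peer must have signed our fresh challenge with the key in that certificate.
func (n *network) verifyPeer(peer *x509.Certificate, role x509.ExtKeyUsage, host string, challenge, sig []byte) error {
	switch _, err := peer.Verify(x509.VerifyOptions{Roots: n.pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{role}}); {
	case err != nil:
		return fmt.Errorf("chain: %w", err)
	case n.revoked[peer.SerialNumber.String()]:
		return fmt.Errorf("certificate %v for %q is revoked", peer.SerialNumber, peer.Subject.CommonName)
	case peer.CheckSignature(x509.PureEd25519, challenge, sig) != nil:
		return fmt.Errorf("challenge signature does not verify against the certificate")
	}
	return nil
}

// mutualAuth runs the exchange: each side draws a fresh nonce, receives the other's certificate and a signature
// over that nonce, and verifies both. The vendor learns only the token in the card's certificate.
func (n *network) mutualAuth(card, vendor *party, host string) (tokenSeenByVendor string, err error) {
	nonces := make([]byte, 64)
	must(rand.Read(nonces))
	cardNonce, vendorNonce := nonces[:32], nonces[32:]
	// card -> vendor: cardNonce.   vendor -> card: vendor.cert, Sign(vendor.key, cardNonce), vendorNonce.
	if err := n.verifyPeer(vendor.cert, x509.ExtKeyUsageServerAuth, host, cardNonce, ed25519.Sign(vendor.key, cardNonce)); err != nil {
		return "", fmt.Errorf("cardholder refuses vendor: %w", err)
	}
	// card -> vendor: card.cert, Sign(card.key, vendorNonce).
	if err := n.verifyPeer(card.cert, x509.ExtKeyUsageClientAuth, "", vendorNonce, ed25519.Sign(card.key, vendorNonce)); err != nil {
		return "", fmt.Errorf("vendor refuses cardholder: %w", err)
	}
	return card.cert.Subject.CommonName, nil
}

func main() {
	n := newNetwork()
	vendor, card := n.issue("shop.example", 100, x509.ExtKeyUsageServerAuth), n.issue("card-7f3a9c", 200, x509.ExtKeyUsageClientAuth)
	fmt.Println(n.mutualAuth(card, vendor, "shop.example")) // card-7f3a9c <nil>
	n.revoke(vendor) // the vendor played silly buggers with card data
	fmt.Println(n.mutualAuth(card, vendor, "shop.example")) // "" cardholder refuses vendor: certificate 100 for "shop.example" is revoked
}
```

The signature over a nonce the other side just chose is what turns this into authentication rather than mere certificate presentation: without it, anyone who had once seen the vendor's certificate could replay it, and the same goes for the card. The role and hostname checks matter too: a cardholder certificate must not pass as a vendor's, and a certificate the card network issued to one shop must not satisfy a cardholder visiting another. Nothing in the exchange carries the card number; that is disclosed only when the cardholder chooses to pay, which is exactly the point the reply makes.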
