Lynn Wheeler wrote: >the problem with OSCP services is that it supposedly just says yes/no >as to whether the stale, static certificate information is still >applicable or not.
Probably because this is the only thing that is needed. If you need additional information concerning a certified identity, you will in most cases have to ask another party for that. >the payment infrastructure moved out of this archaic design in the 70s >with online authentication and authorization with timely online access >to the actual, real information ... like aggregated information of >sequences of operations ... resulting in things like support for fraud >detection patterns and current account balance. AFAIK credit-card processors are nothing but "OCSP responders" although they don't check card validity only but other stuff but that is only due to the fact that a payment operation has a context that allows other things to be checked. So., I cannot verify your claims at all. At least if I we the *bulk* of the payment market in consideration. 3D Secure (a.k.a. VbV) is an interesting twist to this as it really (under the user's "supervision") connects the merchant and the card- holder's bank for getting as fresh information there can probably be. Also relying on PKI. Scales incredible well as you only need one cert per bank and CC brand. Anders _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
