>> 3D Secure (a.k.a. VbV) is an interesting twist to this as it really
>> (under the user's "supervision") connects the merchant and the
>> cardholder's bank for getting as fresh information there can probably
>> be. Also relying on PKI. Scales incredibly well as you only need
>> one cert per bank and CC brand.
>Are you saying that the PKI scales or the infrastructure scales?

The infrastructure scales due to a scalable version of applying PKI.

>It would appear to be a descaling of PKI ... since there is only "one
>cert per bank".

Why complicate things if they can be made simple is the fundamental
rule behind 3D Secure.

>It also has some number of operations that could be considered
>antithetical to the PKI design point.

I have no problems with antithetical (or "unethical") PKI.
If it works from a commercial, deployment and security I'm happy.

>The consumer bank and the consumer have a predefined relationship.
> It is possible for the consumer bank to ship their public key for direct
>installation in the consumer's trusted public key repository.

In fact they sometimes do but here you have to hold your horses;
this certificate has nothing to do with CCs, it is a login/signature
solution for the customer to the bank. This PKI is typically
in-house while the 3D Secure is CC-branded as otherwise merchants
would not recognize CC-branded banks.

>The PKI design point has trusted third party CAs ... installing
>their public key in the consumer's trusted public key repository
>... the original model from the original electronic commerce
>http://www.garlic.com/~lynn/aadsm5.htm#asrn2
>http://www.garlic.com/~lynn/aadsm5.htm#asrn3

I don't believe in that model anymore. 3D offers so many more
possibilities for integration in purchasing systems which the
classic model cannot do. Neither can AADS. It is like "federation"
for payments.

Anders
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
