"Anders Rundgren" <[EMAIL PROTECTED]> writes:

> I don't believe in that model anymore. 3D offers so
> much more possibilities for integration in purchasing
> systems which the classic model cannot do. Neither
> can AADS. It is like "federation" for payments.

see later question about whether 3d is doubling the number of online transactions ... and also possibly attempting to force fit a trusted third party CA PKI business model (for providing trust between two entities that have had no prior interaction and/or communication) as redundant and superfluous business operation where there already exists contractual existing relationship.

http://www.garlic.com/~lynn/2005l.html#12
http://www.garlic.com/~lynn/2005l.html#13
http://www.garlic.com/~lynn/2005l.html#14

as mentioned ... it is unlikely that 3D (going directly from the merchant to the consumer financial institution) is actually replacing the existing payment message transport ... unless it is actually suggesting that the merchant financial institution is no longer involved representing the merchant ... and that the consumer financial institutions will be assuming all liability responsibility for the merchant.

furthermore if you study the existing infrastructure ... not only does the federation of payments already exist ... but there are long term contractual trust vehicles in place that support that federation of payments (between merchant, merchant financial institution, association, consumer financial institution, and consumer).

if it isn't replacing the existing real-time, online, single round-trip, straight-through processing ... that directly involves all the financially responsible parties ... then presumably it is just adding a second, online, real-time transaction to an existing online, real-time transaction? (doubling the transaction and processing overhead).

one of the things that kindergarten, security 101 usually teaches is that if you bifurcate transaction operation in such a way ... you may be opening up unnecessary security and fraud exposures ... in addition to possibly doubling the transaction and processing overhead.

now, the design point for the stale, static, PKI model was for establishing trust for a relying party that had no other recourse about first time communication with a party where no previous relationship existed. Supposedly 3d (assuming that it is just adding a second realtime, online transaction to an already existing, realtime online transaction) is doubling the number and overhead of online, realtime transactions .... in addition to managing to craft in some stale, static PKI processing.

the AADS model doesn't do anything about federation or non-federation of payments. AADS simply provides improved authentication technology integrated with the transaction.
http://www.garlic.com/~lynn/index.html#aads

There have been some significant protocols defined over the past several years ... where authentication was done as an independent operation ... totally separate from carrying authentication on the transaction itself. In all such cases that I know of, it has been possible to demonstrate man-in-the-middle (MITM) attacks
http://www.garlic.com/~lynn/subpubkey.html#mitm
where authentication is done separately from the actual transaction.

in the mid-90s the x9a10 financial standards working group was tasked with preserving the integrity of the financial infrastructure for all retail payments ... and came up with x9.59
http://www.garlic.com/~lynn/index.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy
which simply states that the transaction is directly authenticated.

some recent posts (in totally different thread) going into some number of infrastructure vulnerabilities and the x9.59 financial standard countermeasures:
http://www.garlic.com/~lynn/aadsm19.htm#17 What happened with the session fixation bug?
http://www.garlic.com/~lynn/aadsm19.htm#32 Using Corporate Logos to Beat ID Theft
http://www.garlic.com/~lynn/aadsm19.htm#38 massive data theft at MasterCard processor
http://www.garlic.com/~lynn/aadsm19.htm#39 massive data theft at MasterCard processor
http://www.garlic.com/~lynn/aadsm19.htm#40 massive data theft at MasterCard processor
http://www.garlic.com/~lynn/aadsm19.htm#44 massive data theft at MasterCard processor

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
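An added illustration of the distinction the post draws between authenticating the account holder in a separate step and X9.59-style direct authentication of the transaction itself; this is example code written for this page, not Lynn Wheeler's, X9.59's or AADS's reference code, and it substitutes HMAC-SHA256 with a constructed shared key for the public-key signature X9.59 specifies so that it runs on the Python standard library alone. Field names, the demo key and the sample transaction are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the consumer's signing key.
# HMAC with a shared secret replaces the public-key signature X9.59 uses,
# purely so the example needs no third-party library.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(txn: dict) -> bytes:
    """Deterministic encoding so signer and verifier authenticate identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def authenticate_transaction(txn: dict, key: bytes) -> str:
    """X9.59 style: the authentication value is computed over the transaction fields."""
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()


def verify_transaction(txn: dict, tag: str, key: bytes) -> bool:
    """The consumer's financial institution recomputes over the fields it will settle."""
    return hmac.compare_digest(authenticate_transaction(txn, key), tag)


def session_token(account: str, challenge: str, key: bytes) -> str:
    """Separate-authentication model: proves the account holder answered a challenge,
    but covers no transaction field (merchant, amount, currency)."""
    return hmac.new(key, f"{account}|{challenge}".encode(), hashlib.sha256).hexdigest()


def verify_session_token(token: str, account: str, challenge: str, key: bytes) -> bool:
    return hmac.compare_digest(session_token(account, challenge, key), token)


def demo() -> dict:
    # Constructed sample transaction as the consumer authorised it.
    txn = {"account": "demo-acct-001", "merchant": "demo-merchant",
           "amount": "42.00", "currency": "USD", "seq": 17}
    # The same transaction with the amount changed, as a relay between
    # the parties could present it to the verifier.
    altered = dict(txn, amount="4200.00")
    tag = authenticate_transaction(txn, DEMO_KEY)
    token = session_token(txn["account"], "challenge-abc", DEMO_KEY)
    return {
        # bound model: original accepted, altered copy rejected
        "bound_original_accepted": verify_transaction(txn, tag, DEMO_KEY),
        "bound_altered_accepted": verify_transaction(altered, tag, DEMO_KEY),
        # separate model: token verifies no matter which transaction rides with it
        "separate_altered_accepted": verify_session_token(
            token, altered["account"], "challenge-abc", DEMO_KEY),
    }
```

The verifier of a separate authentication token has nothing in the token that ties it to the amount or merchant, which is the exposure the post attributes to authentication done apart from the transaction.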
