"Anders Rundgren" <[EMAIL PROTECTED]> writes:
> In fact they sometimes do but here you have to hold your horses;
> this certificate has nothing to do with CCs, it is a login/signature
> solution for the customer to the bank. This PKI is typically
> in-house while the 3D secure is CC-branded as otherwise merchants
> would not recognize CC-branded banks.
so the consumer doesn't need a PKI public key when they are dealing with their own bank ... they could just record a certificateless public key
http://www.garlic.com/~lynn/subpubkey.html#certless
for their financial institution in their trusted public key store. this also would eliminate many of the bank site spoofing vulnerabilities ... recent discussion
http://www.garlic.com/~lynn/2005l.html#19

in the above ... it discusses various kinds of spoofing and MITM-attacks ... where the end user is provided with a URL ... rather than entering it themselves. Then you have an exploit of SSL ... which is only verifying the domain name in the entered URL against the domain name in the supplied certificate. If you aren't entering the URL ... but it is being provided by an attacker ... then they are likely to provide a URL that corresponds to a certificate that they have valid rights for. This has been a long recognized characteristic.
http://www.garlic.com/~lynn/subpubkey.html#sslcert

A consumer, having vetted a bank's public key for storing in their own trusted public key repository ... then can use that vetted public key for future communication with their financial institution ... and not be subject to vulnerabilities and exploits of an externally provided (certificate-based) public key that has had no vetting ... other than it is a valid public key and belongs to somebody.

The purpose for PKI has been for allowing relying parties to establish some level of trust when dealing with first-time encounters with entities that are otherwise complete strangers ... and the relying party has no other recourse for accessing information to establish trust. The design point was somewhat from the early 80s when there was a much lower level of online connectivity and relying parties frequently operated in an offline environment. With the ubiquitous proliferation of the internet, those offline pockets are being drastically reduced.
Somewhat as a result, some PKIs have attempted to move into the no-value market segment ... where a relying party is online ... but the value of the operation doesn't justify performing an online transaction. The issue is that as the internet becomes much more pervasive ... the cost of online internet operations is radically dropping ... which in turn is drastically reducing the no-value situations that can't justify an online operation.

Presumably in the 3d secure PKI scenario, it has a financial institution's CC-specific certificate that is targeted specifically at relying parties that have had no prior dealings with that financial institution(*?*). Presumably this implies the merchant as a relying party in dealing with the consumer's financial institution (the other alternative is possibly the consumer as a relying party in dealing with the merchant's financial institution ... but I have seen nothing that seems to support that scenario).

Now, going back to well before the rise of PKI to address the offline trust scenario ... the payment card industry had online transactions that went from the merchant through a federated infrastructure all the way to the consumer's financial institution and back as straight through processing. This included contractual trust establishment with various kinds of obligations and liabilities ... that included the consumer's financial institution assuming certain liabilities on behalf of the consumer and the merchant's financial institution assuming certain liabilities on behalf of the merchant. Possibly because of these obligations ... both financial institutions have an interest in the transaction passing through them.

As mentioned before ... it appears that 3d secure doesn't eliminate the existing online real-time transaction that conforms to some significant contractual and liability obligations. 3d secure appears to add an additional, 2nd online transaction ...
allowing the merchant to be directly in communication with the consumer's financial institution (bypassing the established contractual and liability obligations involving the merchant's financial institution). Furthermore, this 3d secure appears to include a PKI certificate ... targeted at establishing trust where the relying party has no other recourse for trust establishment. However, the merchant is already covered under the contractual trust operations that have been standard business practice for decades. So what possible motivation is there for a merchant to add additional overhead and processing(*?*).

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
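The two checks contrasted in the post above, side by side: the SSL check that only matches the domain name in a supplied URL against the certificate, and the alternative of comparing the presented key against one the consumer vetted and recorded for their own institution. This is an added example, not code from the post, from the mailing list, or from any 3D Secure implementation. It assumes a hypothetical institution label "mybank", constructed hostnames bank.example and bank-secure.example (the latter standing in for an attacker-controlled name), and throwaway self-signed certificates that stand in for certificates the operator of each name could legitimately obtain; the pin is the SHA-256 of the certificate's SubjectPublicKeyInfo, the usual form for key pinning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for host. This is
// constructed test data: it stands in for a certificate that whoever controls
// the name could obtain from any CA, which is exactly the attacker's position
// in the post's scenario.
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// i.e. a fingerprint of the public key itself rather than of the certificate.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// TrustStore models the consumer's own trusted public key store: an institution
// the consumer has vetted (hypothetical label "mybank") mapped to the pin of the
// public key recorded at vetting time. No certificate or CA is involved.
type TrustStore map[string]string

// hostnameOnlyCheck models what SSL does on its own: is the name in the URL the
// user was handed one that the presented certificate is valid for?
func hostnameOnlyCheck(urlHost string, cert *x509.Certificate) bool {
	return cert.VerifyHostname(urlHost) == nil
}

// pinnedKeyCheck models the post's alternative: whatever URL was supplied, the
// key presented must be the one the consumer vetted for that institution.
func pinnedKeyCheck(store TrustStore, institution string, cert *x509.Certificate) bool {
	want, ok := store[institution]
	return ok && want == spkiPin(cert)
}

func main() {
	bank, err := selfSigned("bank.example")
	if err != nil {
		panic(err)
	}
	// Attacker-controlled look-alike name with its own perfectly valid certificate.
	lookalike, err := selfSigned("bank-secure.example")
	if err != nil {
		panic(err)
	}
	// Recorded once, when the consumer vetted the bank's key out of band.
	store := TrustStore{"mybank": spkiPin(bank)}

	// The URL the attacker supplies points at the attacker's own name, so the
	// domain-name check passes; the pinned-key check does not.
	fmt.Println("hostname-only check on attacker URL:", hostnameOnlyCheck("bank-secure.example", lookalike))
	fmt.Println("pinned-key check on attacker cert:  ", pinnedKeyCheck(store, "mybank", lookalike))
	fmt.Println("pinned-key check on bank cert:      ", pinnedKeyCheck(store, "mybank", bank))
}
```

The point of the store being keyed by institution rather than by hostname is that the consumer decides which entry applies ("I am talking to my bank"), so a URL chosen by the attacker never selects the comparison key.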
