>>Bad way: Having the user / card / device recognize the
>>authenticity of ATM. Using PKI that would require the
>>root(s) of ATM PKIs be carried around. Will not happen. Ever.

>Why not? Let's say I want to do business with bank XYZ. So I get a
>certificate from their CA, and put it in my trust store in the card.
>Now if I approach a strange ATM, and it provides me a signed
>certificate by bank XYZ's CA, I can trust it as much as I trust the
>Bank's CA and the trust of its signing process. Eh?

There are at least 17000 banks only in the US and ATMs usually support multiple and often independent payment services. Also ATMs may even be signed by the ATM manufacturer so this scheme is hard to scale.

Or the ATM has an identity for each payment network. Then things are handled by the networks. Scales much better. I believe this is also how it is done today as the card holder authentication currently is extremely feeble.

The things you mentioned about skimming, PIN code theft or duplication do not apply to smart devices as they have no direct contact with the outside world. That's one of the reasons why smart devices are likely to have a bright future.

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.drizzle.com/mailman/listinfo/muscle
