Re: mother's maiden names...

2005-07-14 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], R.A. Hettinga writes: At 12:26 PM -0400 7/13/05, Perry E. Metzger wrote: Why do banks not collect simple biometric information like photographs of their customers yet? Some do. Cambridge Trust puts your picture on the back of your VISA card, for instance. They have

Re: mother's maiden names...

2005-07-14 Thread Charles M. Hannum
On Wednesday 13 July 2005 18:29, Mike Owen wrote: Back in 2000, I opened an account with BofA, and they took a photo of me, and added it to my debit/check card. Around that same time, American Express was doing the same with their Costco branded cards. I'm sure others are doing it, those are

Re: ID theft -- so what?

2005-07-14 Thread Ian Grigg
On Wednesday 13 July 2005 23:31, Dan Kaminsky wrote: This is yet more reason why I propose that you authorize transactions with public keys and not with the use of identity information. The identity information is widely available and passes through too many hands to be considered secret in

Re: the limits of crypto and authentication

2005-07-14 Thread Rich Salz
I think that by eliminating the need for a merchant to learn information about your identity I have aimed higher. Given that we're talking about credit instruments, Wasn't that a goal of SET? /r$ -- Rich Salz Chief Security Architect DataPower Technology

Re: mother's maiden names...

2005-07-14 Thread Peter Gutmann
Perry E. Metzger [EMAIL PROTECTED] writes: Why is it, then, that banks are not taking digital photographs of customers when they open their accounts so that the manager's computer can pop up a picture for him, which the bank has had in possession the entire time and which I could not have forged?

Re: UK EU presidency aims for Europe-wide biometric ID card

2005-07-14 Thread Stefan Kelm
when we were called in to help word-smith the cal. state and later the fed. electronic signature law ... a lot of effort went into making the wording technology agnostic as well as trying to avoid confusing authentication and identification. We've been discussing those very same topics within

Re: mother's maiden names...

2005-07-14 Thread Janusz A. Urbanowicz
On Wed, Jul 13, 2005 at 12:26:52PM -0400, Perry E. Metzger wrote: A quick question to anyone who might be in the banking industry. Why do banks not collect simple biometric information like photographs of their customers yet? Some, like Citibank, do. I have a photo on my VISA from them, but

Re: mother's maiden names...

2005-07-14 Thread Perry E. Metzger
[EMAIL PROTECTED] (Peter Gutmann) writes: Perry E. Metzger [EMAIL PROTECTED] writes: Why is it, then, that banks are not taking digital photographs of customers when they open their accounts so that the manager's computer can pop up a picture for him, which the bank has had in possession the

Re: ID theft -- so what?

2005-07-14 Thread Perry E. Metzger
Ian Grigg [EMAIL PROTECTED] writes: It's 2005, PKI doesn't work, the horse is dead. He's not proposing PKI, but nymous accounts. The account is the asset, the key is the owner; Actually, I wasn't proposing that. I was just proposing that a private key be the authenticator for payment card

Re: the limits of crypto and authentication

2005-07-14 Thread Perry E. Metzger
Rich Salz [EMAIL PROTECTED] writes: I think that by eliminating the need for a merchant to learn information about your identity I have aimed higher. Given that we're talking about credit instruments, Wasn't that a goal of SET? Some of it was, yah. I don't claim that any of this is

Re: ID theft -- so what?

2005-07-14 Thread Greg Troxel
Jörn Schmidt [EMAIL PROTECTED] writes: The answer to this dilemma? I'm afraid this time it really is legislation. Frankly, I'm not even sure if that would work but, at this time, it's our best shot. Congress won't do anything about this unless a few representatives have their identities

Re: mother's maiden names...

2005-07-14 Thread Ian Brown
Steven M. Bellovin wrote: Cambridge Trust puts your picture on the back of your VISA card, for instance. They have for more than a decade, maybe even two. One New York bank -- long since absorbed into some megabank -- did the same thing about 30 years ago. They gave up -- it was expensive

Re: EMV

2005-07-14 Thread Enzo Michelangeli
AFAIK, the cards are still the same (Sony FeliCa: http://www.sony.net/Products/felica/): I never changed mine since I got it several years ago. The same card was also adopted in 2002 by EZ-Link in Singapore (http://www.ezlink.com.sg). Enzo - Original Message - From: Anne Lynn Wheeler

Re: mother's maiden names...

2005-07-14 Thread Alexander Klimov
On Wed, 13 Jul 2005, Perry E. Metzger wrote: Why is it, then, that banks are not taking digital photographs of customers when they open their accounts so that the manager's computer can pop up a picture for him, which the bank has had in possession the entire time and which I could not have

Re: the limits of crypto and authentication

2005-07-14 Thread Anne Lynn Wheeler
Rich Salz wrote: Wasn't that a goal of SET? there was an observation that SET possibly wouldn't divulge your account number until the merchant had been determined to be some entity registered as a merchant (akin to the SSL domain name infrastructure certificates ... if a spoofed site didn't use

Re: ID theft -- so what?

2005-07-14 Thread Ian Grigg
(Dan, in answer to your question on certs, below.) On Thursday 14 July 2005 14:19, Perry E. Metzger wrote: Ian Grigg [EMAIL PROTECTED] writes: It's 2005, PKI doesn't work, the horse is dead. He's not proposing PKI, but nymous accounts. The account is the asset, the key is the owner;

Re: ID theft -- so what?

2005-07-14 Thread Aram Perez
RANT-PET_PEEVE Why do cryptography folks equate PKI with certificates and CAs? This fallacy is a major root cause of the problem IHO. Why was the term PKI invented in the late 70s/early 80s (Kohnfelder's thesis?)? Before the invention of asymmetric cryptography, didn't those people who

Re: the limits of crypto and authentication

2005-07-14 Thread Aram Perez
On Jul 14, 2005, at 6:23 AM, Perry E. Metzger wrote: Rich Salz [EMAIL PROTECTED] writes: I think that by eliminating the need for a merchant to learn information about your identity I have aimed higher. Given that we're talking about credit instruments, Wasn't that a goal of SET? Some

Re: the limits of crypto and authentication

2005-07-14 Thread Amir Herzberg
Pat Farrell wrote: On Wed, 2005-07-13 at 23:43 -0400, Rich Salz wrote: I think that by eliminating the need for a merchant to learn information about your identity ... Wasn't that a goal of SET? As I recall, the goal of SET was to have a standard that was not invented by CyberCash. (I may

Re: ID theft -- so what?

2005-07-14 Thread John Kelsey
From: Aram Perez [EMAIL PROTECTED] Sent: Jul 14, 2005 10:45 AM To: Cryptography cryptography@metzdowd.com Subject: Re: ID theft -- so what? RANT-PET_PEEVE Why do cryptography folks equate PKI with certificates and CAs? One nontrivial reason is that many organizations have spent a lot of time and

Re: the limits of crypto and authentication

2005-07-14 Thread Pat Farrell
On Thu, 2005-07-14 at 18:43 +0200, Amir Herzberg wrote: Pat Farrell wrote: As I recall, the goal of SET was to have a standard that was not invented by CyberCash. (I may be biased, I worked at CyberCash at the time). This is incorrect. The main politics around SET was the artificial

Re: the limits of crypto and authentication

2005-07-14 Thread Perry E. Metzger
Aram Perez [EMAIL PROTECTED] writes: While the SET protocol was complicated, its failure had nothing to do with that fact or the lack of USB on PCs. You could buy libraries that implemented the protocol and the protocol did not require USB. IMO, the failure had to do with time-to-market

Re: ID theft -- so what?

2005-07-14 Thread Perry E. Metzger
Ian Grigg [EMAIL PROTECTED] writes: This is not a new realization -- this goes back a long way. OK, so maybe this part is the new realisation: No, it isn't a new realization either, Ian. We all knew from nearly the start that the model we were using in browsers was wrong. I don't know anyone

Re: the limits of crypto and authentication

2005-07-14 Thread Anne Lynn Wheeler
Aram Perez wrote: While the SET protocol was complicated, its failure had nothing to do with that fact or the lack of USB on PCs. You could buy libraries that implemented the protocol and the protocol did not require USB. IMO, the failure had to do with time-to-market factors. In the late

Re: the limits of crypto and authentication

2005-07-14 Thread Anne Lynn Wheeler
Pat Farrell wrote: As others have said, and in the spirit of the subject of this thread, SET failed for many reasons, many of them economic. There was little effort made to bribe the merchants, I think there was talk of a 26 basis point change in the discount rate, which the banks thought

Blind Signature Patent Expiration Party this Saturday

2005-07-14 Thread Perry E. Metzger
Forwarded at Lucky's request: Date: Thu, 14 Jul 2005 18:28:40 +0200 From: Lucky Green [EMAIL PROTECTED] Subject: Blind Signature Patent Expiration Party this Saturday Friends, colleagues, and co-conspirators, It has been 17 long years and now the time is finally here to celebrate at the:

Re: mother's maiden names...

2005-07-14 Thread J
--- Dan Kaminsky [EMAIL PROTECTED] wrote: Bank Of America put my photo on my ATM card back in '97. They're shipping me a new one right now, so I assume they kept it in the DB. My local bank asked me to apply for a Visa photo credit card back in 1998. There were two problems though: 1.) Their