>> Regarding #4: The digital signature makes the transaction tamperproof.
>But, the transaction is sent twice: once for display in the password
>dialog and again for authorization. A digital signature guarantees
>integrity through one data transit. But it doesn't guarantee
>equivalence of two separate transmissions sent to two separate servers.

The transaction sent twice? I do not have the latest draft so I may be misinformed, but I thought the transaction request (Shopping Cart) was sent to the customer's bank through the browser. The return is not a shopping cart but a payment authorization.

>For example, the merchant sends transaction information to issuer for
>display in password dialog. Digital signature guarantees issuer
>receives untampered transaction data. After authentication, merchant
>sends transaction to acquirer. Digital signature guarantees acquirer
>receives untampered transaction data. But, the digital signatures don't
>ensure the issuer and acquirer got the same data. Right?

Acquirer can only use data that the issuer issued (under the control of its client), so I don't understand what the merchant could do in this case.

<snip>

>> Now I don't have the latest spec. but if 3D Secure does not utilize the
>> bank customer's
>> existing security solution it is broken and flawed.

>What do you mean by "bank customer's existing security solution"? Like
>what?

I.e. 3D Secure should not introduce a new client security solution, as banks have such already. Like certs, SecurIDs, one-time PIN-codes etc.

Anders
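The point debated above, that a signature protects each transmission on its own but says nothing about whether two separately signed transmissions carry the same data, can be shown in a few lines. The following is an added illustration, not code from the thread, from 3D Secure, or from any card-scheme specification: the `Transaction` record, its field layout, the hash used as a binding value and the name `AcquirerAccepts` are all assumptions made for the example. It signs a "shown" transaction and a "charged" transaction with the same merchant key, verifies both (each is untampered in transit), and then shows the one extra check that catches the mismatch: the acquirer comparing the transaction it is asked to settle against a fingerprint of what the issuer actually authorized.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Transaction is a constructed stand-in for the cart data a merchant sends.
// It is NOT the real 3D Secure message format; only the structure matters here.
type Transaction struct {
	Merchant string
	Amount   string
	Currency string
	Order    string
}

// Bytes gives the canonical byte string that is signed and hashed.
func (t Transaction) Bytes() []byte {
	return []byte(t.Merchant + "|" + t.Amount + "|" + t.Currency + "|" + t.Order)
}

// Sign is the merchant signing one transmission.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.Bytes())
}

// Verify is what each receiver (issuer or acquirer) does on its own copy.
// It proves integrity of THAT transit only.
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.Bytes(), sig)
}

// Fingerprint is an assumed binding value: a hash of the transaction the
// issuer showed the cardholder, carried inside the issuer's authorization.
func Fingerprint(t Transaction) string {
	sum := sha256.Sum256(t.Bytes())
	return hex.EncodeToString(sum[:])
}

// AcquirerAccepts models the acquirer checking both its own transit (signature)
// and equivalence with what the issuer authorized (fingerprint match).
func AcquirerAccepts(pub ed25519.PublicKey, presented Transaction, sig []byte, authorizedFingerprint string) bool {
	return Verify(pub, presented, sig) && Fingerprint(presented) == authorizedFingerprint
}

// Demo runs the scenario and returns:
//   sigsValid      - both independently signed copies verify (true)
//   unboundAccepts - acquirer checking only its own signature accepts (true)
//   boundAccepts   - acquirer also checking the issuer's fingerprint accepts (false)
func Demo() (sigsValid, unboundAccepts, boundAccepts bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data: what the cardholder saw vs. what reaches the acquirer.
	shown := Transaction{"Shop AB", "100.00", "SEK", "order-42"}
	charged := Transaction{"Shop AB", "1000.00", "SEK", "order-42"}

	sigToIssuer := Sign(priv, shown)
	sigToAcquirer := Sign(priv, charged)

	// Each transit is intact on its own: signatures prove nothing about equivalence.
	sigsValid = Verify(pub, shown, sigToIssuer) && Verify(pub, charged, sigToAcquirer)

	// Acquirer that only checks its own transit has no way to see the difference.
	unboundAccepts = Verify(pub, charged, sigToAcquirer)

	// Acquirer that also requires the issuer's fingerprint to match rejects it.
	boundAccepts = AcquirerAccepts(pub, charged, sigToAcquirer, Fingerprint(shown))
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("both signatures valid: %v\n", a)
	fmt.Printf("acquirer accepts without binding: %v\n", b)
	fmt.Printf("acquirer accepts with issuer binding: %v\n", c)
}
```

The binding value is the part the thread is really arguing about: if the acquirer can only settle what the issuer issued, something equivalent to `Fingerprint(shown)` already travels with the authorization and the mismatch is caught; if the two transmissions are independent, each signature is valid and nothing catches it.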
