Hello!
> > 4. At the practical and everyday level, we can be pretty sure that the
> > certs delivered with Netscape and IE are OK. If we go to some fairly
> > well-traversed public site using one of these certs, some red flags will
> > go up when the you get signature mis-matches... That will tip you off
> > that your cert list has been compromised. Besides you could say: "What am
> > I risking? I take a no less a risk when I give my credit card to the
> > cashier, or when I order that L.L. Bean hunting jacket over the phone.
> > Don't bother me with your paranoia."
>
> There in lies part of the problem and also part of the answer on how CA's
> should be structured. The market niche for CA's needs to be defined more
> clearly. Internet credit card commerce did not start to take off until
> last Christmas season when banks generally agreed that a web or internet
> credit card transaction classified as a "card not present" transaction,
> the same as a mail order telephone transaction. The card card holder is
> not liable for misuse or loss. The risk of loss is totally with the
> bank and the merchant.
What you are saying is that I am free to buy stuff on the internet,
sending the seller my creditcard number, and then tell the Bank it was
not me. Given the following attack scenario I cant believe that is the
case:
1) I use my own creditcard to by software on the internet using some
free of charge provider of space and email. Then I go to the nearest
internet-cafe with my zip disk and download the software. I never use
the free space or email again. In this way I can get ANY information for
free virtually without any risk of being caught.
2) Imagine what this means when/if selling of information (eg software)
on the net grows (which is not unrealistic given high performance
connections). Anybody can use my creditcard number to get software for
free. Note that this is NOT the case with the traditional postal order
companies (see above) (or pizza delivery :-) since in that case somebody
needs to physically be present when recieving the merchandise (since the
merchandise is of physical nature). It is hard for the Bank to argue
that I recieved something sent to a total stranger, and it involves some
work for the stranger to cover his tracks if the fraud is large.
The possible gain of the adversary is much larger in the electronic
world than in the real world (the >> scenario described above by
somebody else).
3) Note that everytime you shop in any store or go to a restaurant
somebody sees your card number. Thus it DOES NOT help to use a special
"internet" creditcard/paycard on the internet that wont allow large
payments.
4) If one is paranoid the only way today is to use either a cash-card,
plain old cash, or to be billed ofcourse.
5) We could fix all this with "physically secure" smartcards, and
infrastructure for using them ofcourse.
> An interesting question is "What less of loss is the bank willing to
> absorb before it becomes economically viable for the bank consortiums that
> run Mastercard and Visa to begin issuing and mandating the use of the
> bank issued cert for transactions?" Implementing or mandating the use I
> believe just as big a marketing problem as a technical problem.
I agree, this is not a tech problem.
--
------------------------------------------------------
Douglas Wikström <[EMAIL PROTECTED]>
------------------------------------------------------
Yes, God created Man before Woman,
but one always makes a draft before the masterpiece.
------------------------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
