[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Finding PKIX Servers!

To: kudzu@xxxxxxxx
Subject: Re: Finding PKIX Servers!
From: "Perry E. Metzger" <perry@xxxxxxxxxxxx>
Date: 08 Feb 1999 11:28:07 -0500
Cc: Andrew Probert <AndrewP@xxxxxxxxxxxx>, ietf-pkix@xxxxxxx
In-reply-to: Michael Sierchio's message of "Sun, 07 Feb 1999 23:25:40 -0800"
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <> <> <>
Reply-to: perry@xxxxxxxxxxxx
Sender: owner-ietf-pkix@xxxxxxx

Michael Sierchio <kudzu@dnai.com> writes:
> "Perry E. Metzger" wrote:
> 
> > To put it another way: when you walk in to the book store to buy a
> > book, the store doesn't care a bit about who you are. They care about
> > whether they will be PAID, and knowing you have a valid cert tells
> > them nothing about that. What they need is a signed statement from their
> > accepting bank saying they will be paid -- and that doesn't require a
> > Global PKI to set up. It might use a PKI set up by the bank or credit
> > network for its own use, but it doesn't need a *GLOBAL* PKI.
> 
> There are two separate issues here -- if we're talking about
> presenting a cert as part of authorizing a transaction,  the
> merchant may very well be interested in identity -- certainly
> in non-repudiation.

Again, no, this is not the case.

What the merchant wants is to get word back from the accepting bank
that they will be paid. The issuing bank wants to know that you are
who you say you are -- not the merchant.

> One of the current hazards of ecommerce
> is that it is considered a "mail order" transaction,  and the
> merchant may be liable in the case of fraud -- both by statute
> and bank agreement.

That only happens right now because the issuing bank has no strong
authentication of the request to pay. Again, ultimately, the merchant
does not care who you are except for things like the ability to do
marketing or customer service -- and just knowing who you are tells
them *nothing* about whether they will be paid or not. Their real need 
is for a digitally signed message from the accepting bank saying "you
will be paid $100", not for some vague knowledge that somewhere out
there some bank has issued you a cert.

> The other issue is one of maintaining directories of such
> certs -- it has to be asked what purpose this serves.  It
> is a form of publishing trusted public key values, perhaps?
> A way for parties without prior agreement to exchange secure
> mail?  Does this have anything to do with PKI in se?   It 
> has no effect in the example described.

Cert directories are totally unneeded in the model I'm describing
because the issuing bank can just store the cert (or even a naked
public key) with the account information.

Perry

Follow-Ups:
- Re: Finding PKIX Servers!
  - From: Michael Sierchio

References:
- RE: Finding PKIX Servers!
  - From: Andrew Probert
- Re: Finding PKIX Servers!
  - From: Perry E. Metzger
- Re: Finding PKIX Servers!
  - From: Michael Sierchio

Prev by Date: Re: Finding PKIX Servers!
Next by Date: Usage of CRL Issuing Distribution Point
Previous by thread: Re: Finding PKIX Servers!
Next by thread: Re: Finding PKIX Servers!
Index(es):
- Date
- Thread