RE: Online PIN & Server Wallet



Lyal,

>- Why not have the Server wallet sign on behalf of the cardholder? - they've
>already authenticated themselves by PIN, thus no need for a personalised
>certificate.

Well, you are right about the server-signature but if you put this statement in the
IETF-PKIX-list you will get return messages like "not secure", "breaks the intention of PKI",
"the user-environment and equipment is more trustworthy than a server" etc.

Naturally these guys will simply be ignored, as today you get computer-generated invoices on
company-papers from energy companies and Telcos. When (if) they convert this into PKI,
I doubt that they will add a human clerk to push "OK" or key PIN-codes for each outgoing
digitally signed invoice.

I do believe though that it would be advantageous (but not absolutely necessary) that users also
perform a signature operation, preferably with the same device and mechanism as they do for
their Internet-banking account.  Here assuming that the server wallet is located at the user's bank
which though may not always be the case.  Some Internet-banks do not require signing yet, and
in those cases your original idea is exactly as good (or bad) as their on-line banking services.

Anders