RE: Online PIN & Server Wallet
Who cares about "not in the spirit of PKI"?
The end result of what I described is the same, and it is no less secure
than the password at keyboard models most think we can use 'safely'.
I want to see affordable implementations and affordable operational models
for PKI, otherwise, don't waste our time with it.
Regards,
Lyal
> -----Original Message-----
> From: set-discuss-owner@lists.commerce.net
> [mailto:set-discuss-owner@lists.commerce.net]On Behalf Of Anders
> Rundgren
> Sent: Monday, 13 December 1999 20:08
> To: set-discuss@lists.commerce.net; 'Lyal Collins'
> Cc: 'ietf-pkix@imc.org'; 'Matei (DSV)'
> Subject: RE: Online PIN & Server Wallet
>
>
> Lyal,
>
> >- Why not have the Server wallet sign on behalf of the
> cardholder? - they've
> >already authenticated themselves by PIN, thus no need for a personalised
> >certificate.
>
> Well, you are right about the server-signature but if you put
> this statement in the
> IETF-PKIX-list you will get return messages like "not secure",
> "breaks the intention of PKI",
> "the user-environment and equipment is more trustworthy than a
> server" etc.
>
> Naturally these guys will simply be ignored, as today you get
> computer-generated invoices on
> company-papers from energy companies and Telcos. When (if) they
> convert this into PKI,
> I doubt that they will add a human clerk to push "OK" or key
> PIN-codes for each outgoing
> digitally signed invoice.
>
> I do believe though that it would be advantageous (but not
> absolutely necessary) that users also
> perform a signature operation, preferably with the same device
> and mechanism as they do for
> their Internet-banking account. Here assuming that the server
> wallet is located at the user's bank
> which though may not always be the case. Some Internet-banks do
> not require signing yet, and
> in those cases your original idea is exactly as good (or bad) as
> their on-line banking services.
>
> Anders