[532] in WWW Security List Archive


SSL and Security issues in General

daemon@ATHENA.MIT.EDU (John Hemming (Chief Executive Mark)
Fri Mar 24 09:53:08 1995

From: "John Hemming (Chief Executive MarketNet )" <JohnHemming@mkn.co.uk>
Date: Fri, 24 Mar 95 10:49:03 -800
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

I am responding to this because of our activities in the
financial area.

> 1) The protocol specifies security enhanced communications between
> a client and a merchant. From my understanding of the protocol
> (version: RFC of Feb 9th 1995), the identity of the merchant is always
> authenticated and that of the client is optionally authenticated.
> Will this optional authentication of the client form a security
> hole in that there are opportunities to masquerade a client? In the
> attack analysis provided in Appendix D of the RFC, I cannot see you
> have any analysis of this threat. Why not?
> 
> 2) I assume that the protocol is proposed mainly for enhancing a web
> browser into an electronic commerce tool (that's why I use "merchant"
> instead of "server" as you phrased). Thus, payment transactions are
> inevitable. Has the protocol specified any mechanism to facilitate an
> electronic payment transaction? Where? When I speak of electronic
> payment transaction, I refer to the situation where the payer's
> signature is not physical, but digital. We need the payer to sign a
> payment order in order to prevent repudiation. How is this done in
> SSL?
Our objective with BankNet is to enable people to sign payment
instructions with a digital signature.  Initially a paper signed
contract is needed to authorise this process.  However, 
subsequently instructions to transfer funds or other transactions
will be digitally signed.  We will not use the client authentication
components of SSL as the digital signature will be proof of
identity.

We may use the client authentication components of SSL to confirm
the client for the provision of secure data, however.
(e.g. Bank Statements, Investment Portfolios, etc.)

John
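The design John describes (a digitally signed payment instruction as the proof of identity and intent, with SSL only protecting the channel) can be shown in a few dozen lines. The following is an added example, not code from BankNet, MarketNet or the original post; the message format, the field names, and the use of Ed25519 (a modern signature scheme, not one available in 1995) are all assumptions made here. The point it demonstrates is the one in the reply: the bank verifies against the key enrolled under the paper contract, looked up by the payer named in the instruction, so a valid signature binds that payer to exactly that order and a replayed or altered order is rejected regardless of what the transport authenticated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentInstruction is a constructed, hypothetical format for the
// "instruction to transfer funds" in the post. Everything that matters to
// the bank sits inside the signed bytes.
type PaymentInstruction struct {
	Payer       string `json:"payer"`        // account holder named in the paper contract
	Payee       string `json:"payee"`
	AmountPence int64  `json:"amount_pence"`
	Currency    string `json:"currency"`
	Sequence    uint64 `json:"sequence"` // strictly increasing per payer; blocks replay
}

// SignedInstruction is what travels over the (possibly SSL-protected) channel.
type SignedInstruction struct {
	Instruction PaymentInstruction `json:"instruction"`
	SigHex      string             `json:"sig"` // hex of the Ed25519 signature over canonical bytes
}

// canonical yields the exact bytes that are signed and later verified.
// encoding/json writes struct fields in declaration order, so both sides agree.
func canonical(pi PaymentInstruction) ([]byte, error) {
	return json.Marshal(pi)
}

// NewKeyPair generates the payer's signing key (assumed to be created at enrolment).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the client-side step: the payer signs the order itself, so identity
// and intent are bound to the order rather than to the transport session.
func Sign(priv ed25519.PrivateKey, pi PaymentInstruction) (SignedInstruction, error) {
	msg, err := canonical(pi)
	if err != nil {
		return SignedInstruction{}, err
	}
	sig := ed25519.Sign(priv, msg)
	return SignedInstruction{Instruction: pi, SigHex: hex.EncodeToString(sig)}, nil
}

// Bank holds the keys registered under the paper-signed contract and the
// last sequence number it accepted from each payer.
type Bank struct {
	keys    map[string]ed25519.PublicKey
	lastSeq map[string]uint64
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint64{}}
}

// Register records the public key a customer enrolled with; this stands in for
// the paper-signed contract the post says starts the process.
func (b *Bank) Register(payer string, pub ed25519.PublicKey) {
	b.keys[payer] = pub
}

// Accept is the bank-side check. The key is looked up by the payer named in
// the instruction and never taken from the message, so altering the
// instruction cannot be paired with a substitute key that validates it.
func (b *Bank) Accept(si SignedInstruction) error {
	pub, ok := b.keys[si.Instruction.Payer]
	if !ok {
		return errors.New("payer has no registered signing key")
	}
	sig, err := hex.DecodeString(si.SigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	msg, err := canonical(si.Instruction)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not match instruction")
	}
	if si.Instruction.Sequence <= b.lastSeq[si.Instruction.Payer] {
		return errors.New("sequence number already used (replay)")
	}
	b.lastSeq[si.Instruction.Payer] = si.Instruction.Sequence
	return nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Register("alice", pub) // constructed sample customer
	order := PaymentInstruction{Payer: "alice", Payee: "bob", AmountPence: 2500, Currency: "GBP", Sequence: 1}
	signed, _ := Sign(priv, order)
	fmt.Println("genuine:", bank.Accept(signed))
	fmt.Println("replayed:", bank.Accept(signed))
	signed.Instruction.AmountPence = 250000 // altered in transit, signature no longer matches
	signed.Instruction.Sequence = 2
	fmt.Println("tampered:", bank.Accept(signed))
}
```

The sequence number is what makes the signature useful as a non-repudiation record rather than a reusable token: without it, a valid signed order could be presented to the bank twice, and the payer could plausibly deny the second transfer.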

