[9520] in cryptography@c2.net mail archive
Re: [FYI] Did Encryption Empower These Terrorists?
daemon@ATHENA.MIT.EDU (lynn.wheeler@firstdata.com)
Thu Sep 27 10:13:11 2001
To: Ray Dillinger <bear@sonic.net>
Cc: Ben Laurie <ben@algroup.co.uk>, cryptography@wasabisystems.com,
Enzo Michelangeli <em@who.net>, Hadmut Danisch <hadmut@danisch.de>
Message-ID: <OF0A9452E4.BB4D60DD-ON87256AD4.00480B99@LocalDomain>
From: lynn.wheeler@firstdata.com
Date: Thu, 27 Sep 2001 07:07:03 -0600
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
__________________
note that X9.59 standards work spent quite a bit of time attempting to
minimize the number of places that identity might have to occur. In general
an X9.59 account number can be related to a person (i.e. possibly bank regs
related to "know your customer"). It attempts to only do strong
authentication with digital signature ... but leaving as few identity
fingerprints as possible (at least as far as the financial transaction is
concerned). Also, strongly authenticated transactions significantly reduces
the possibility that fraudulent transactions have occured.
Also, since X9.59 standard was to be applicable to all account-based
transactions ... it had to be agnostic with respect to identity information
to cover financial transactions that didn't have the rules and regulations
associated with credit ... say debit and/or even "stored value" (say a
digitally signed version of those "gift cards" that are frequently found at
check-out stands at places like blockbuster, sears, etc).
Ray Dillinger <bear@sonic.net> at 9/26/2001 10:06 AM wrote:
A few problems:
1) in a typical credit card transaction, the seller neither knows,
nor cares, what bank issued the credit card. Thus, connecting
to the correct gateway becomes a minor problem.
2) No provision for dispute resolution. What happens in a month
and a half when george gets his credit card bill back and says
"I've never been there and never done any business with this
person"? The bank generates a chargeback and sends it to the
merchant who, in the absence of knowledge about the buyer's
identity, has no recourse. George may or may not be the person
who made the transaction; but the merchant has no way to even
begin to try to find out.
In general, "anonymity" and "credit" are immiscible. If you want
anonymous transactions, you absolutely cannot abide by the laws
that require chargebacks, merchant and/or bank liability in case
of fraud (instead of consumer liability), etc. Compliance with
those laws requires the merchant and banks to have the very
information that anonymity prohibits them from having.
For anonymous transactions, you want something a whole lot more like
cash, with the same failure modes (ie, no shift of liability in case
of fraud) as cash. That requires infrastructure which will not be
allowed to be built.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
