[2546] in WWW Security List Archive


Re: Security/Privacy of Certificates in Netscape 3.0

daemon@ATHENA.MIT.EDU (Wayne Wilson)
Mon Jul 29 21:26:30 1996

Date: Mon, 29 Jul 1996 17:35:20 -0400 ()
From: Wayne Wilson <wwilson@umich.edu>
To: www-security@ns2.rutgers.edu
In-Reply-To: <2.2.32.19960729185017.006dec50@dustin.verisign.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Mon, 29 Jul 1996, Paul Meijer wrote:

>
> SSN and birthdate, among other things, are used to authenticate identity.
> This is also why we request a credit card number. We don't charge credit
> cards for services unless we state so EXPLICITLY. We indicate that our Class
> 2 Service is in beta and we state that we do not charge the applicant's
> credit card. We do check the Equifax credit database, and we use the credit
> card check to help authenticate identity.
>
  But do you keep these data items (SSN, Driver's license, VISA)
permanently in some file or database system?  I imagine you could just
keep them until the Equifax on-line query clears and then drop them, or at
least the VISA number part of it.  I am not so concerned with sending any
of this information over SSL (or equivalent encryption) but I am concerned
with what happens to it at your site, and that you never say.  How secure
are your databases?  What kinds of precautions are you taking to prevent
unauthorized access to these databases?  Are they available via an
unencrypted network stream for things like internal system maintenance
and development? (For example, if you use Oracle as a DBMS, then do you
have SQLNET up and running over TCP/IP and do you force all SQLNET
connections to use encryption?)  Do you use reusable passwords on your
internal systems or do you use one-time systems?

