X9.59 mailing list




Four Corner model. Was: Confusing Authentication and Identification? (addenda)
Confusing business process, payment, authentication and identification
Confusing business process, payment, authentication and identification
Confusing business process, payment, authentication and identification
Confusing business process, payment, authentication and identification
Law aims to reduce identity theft
Know Your Enemy Automated Credit Card Fraud (automated, forwarded)
Bugwatch: Know your security onions
Know your security onions (or security proportional to risk)
New privacy rules could mean headaches for financial services IT
Feds Want Banks to Warn of ID Theft
Net Worm Heightens Security Concerns
Identity theft rockets 80 per cent
Hackers compromise Navy purchase card
Technology and Crime, Criminal Intelligence Service Canada - 2003
Yodlee offers standard interface to smooth the electronic bill payment process
Bahrain Takes Swipe Into the Future With New Smart ID Cards
Solving the payment problem for open source and P2P file sharing
DNS inventor says cure to net identity problems is right under our nose
Tech firms band together on ID theft
Federal agencies’ banking system moves online
FTC Says ID Theft Greater Problem Than Originally Thought
some X9.59 (and little FSTC) ... from crypto mailing list ... fyi
Police smash UK's biggest credit card fraud ring
More on the ID theft saga
Cyber Security In The Financial Services Sector
Bank One Calls Attention to ID Theft
A Uniform Resource Name (URN) Namespace for SWIFT Financial Messaging
Carnegie Mellon to host first US-based int'l conference on electronic commerce
Cashing In With E-Payments
ID Theft Often Goes Unrecognized
End of the line for Ireland's dotcom star
Internet Fraud & Attacks on the rise
Microsoft, Sterling Aid SWIFT Users
Retail wireless security: a few considerations
Citibank customers hit with e-mail scam
DNS, yet again


Four Corner model. Was: Confusing Authentication and Identification? (addenda)

From: Lynn Wheeler
Date: 06/26/2003 07:55 PM
To: Anders Rundgren <anders.rundgren@xxxxxxxx>
cc: internet-payments@xxxxxxxx, epay@xxxxxxxx
Subject: Re: Four Corner model. Was: Confusing Authentication and Identification? (addenda)
There is possibly serious confusion over the four corner model.

basically a client walks into a relying-party and says that they want something and that their consumer financial institution will certify that there will be an exchange of value .... aka the merchant will be paid.

the relying-party/merchant sends off an online request to certify the consumer's assertion. It winds it thru various places and gets back to the merchant as either certified or not certified.

The certification part is exactly as in the stale, static certificate based model, the consumer or public key owner, the consumer's financial institution (or certification body), and the merchant (or relying party). The business aspects are identical to the stale, static certificate based model, except it uses a online, realtime certification.

So what is the purpose of the fourth entity? In the credit card processing model, the 4th entity is the merchant's financial institution that has signed up to be legally liable for their merchants. In effect, when the consumer executes a credit card transaction with a merchant, it is in some sense actually being executed with the merchant's financial institution .... with the merchant effectively acting as an agent of their financial institution. The credit card associations have their relationships with financially liable financial institutions (both on the consumer side and on the merchant side). In the consumer/merchant transactions, both are effectively acting as agents of their respective financial institutions which carry the ultimate financial liability.

The traditional industry scenario is the bankrupt airline. If the ticket had been bought and paid for ahead of time with cash or debit card, the consumer is pretty much out of luck. If the ticket had been bought and paid for by credit card, then if the airline goes bankrupt, the airline's (merchant) financial institution is legally liable for restitution to the consumer. Merchant financial institutions are quite ambivalent about airlines as merchants; on one hand they tend to get a percentage of bigger ticket transactions and on the other hand some of them had to make good on several tens of millions in outstanding airline tickets when there was a bankruptcy. The transaction flows through the (4th corner) merchant's financial institution because the merchant's financial institution is legally liable for the transaction and it happens to implement things like its own fraud detection and handling process. There are some infrastructures where credit type operations have been implemented using only a three corner model. In those situations, individual merchants have signed contracts directly with every issuing consumer financial institution. However it scales extremely poorly, imagine possibly hundreds of thousands or millions of merchants, each signing individual contracts with tens of thousands of consumer financial institutions (aka on the order of four million times thirty thousand equals 120 billion contracts).

The four corner model is a valid business model with all four parties filling a valid business role .... totally independent of whether the delivery vehicle involves offline, stale, static certificates.

As repeatedly stated, the requirement given the X9A10 working group for the X9.59 standard was to preserve the integrity of the financial infrastructure for all electronic retail payments.

The X9.59 standard applies to whether it is a

1) two-corner model; relying-party-only (as in most of the stored-value in the US),
2) three-corner model (as in debit transactions, which doesn't involve a financial institution having legal liability for their merchants)
3) four-corner model (where there is consumer and relying party ... and both have legally liable financial institutions)

As implied in the authentication and identification subject line it is possible to totally confuse the issue of authentication and identification.

Just as easily, it appears to be equally possible to totally confuse the certification business process with the mechanism for delivering the certification (aka online, realtime, as opposed to offline, stale, static certificates)

And then it seems that it is equally possible to confuse the underlying business model with the implementation of the certification business process.

It is possible in the X9.59 implementation to have account-based operations with digital signature authentication for the operation involving absolutely no stale, static certificates, and the same exact protocol apply to the two-corner (stored value), three-corner (debit) and four-corner (credit) transaction process.

Also, as has previously been pointed out, the account-based model not only applies to the financial account infrastructure (where the value of doing a online, realtime authentication and authorization easily outweighs the costs) but is also essentially the identical implementation for the majority (possibly 99.9999999 percent) of the world-wide ISP internet access (authentication and authorization).

misc. references:
http://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"
http://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#67 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#68 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#69 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#70 Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#71 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)

anders.rundgren@xxxxxxxx on 6/26/2003 3:187 pm wrote:
A somewhat related issue is how banks currently take the lead in Europe as CAs. [Offering stale certificates that though are on-line verifiable at least]. Unfortunately banks have converted PKI into a new form of payment system (a.k.a. Four-corner Model), in spite of PKI not requiring transferal of anything between banks, as the relation (and transaction) is between the client and the relying party.

Fortunately at least the Swedish authorities begin to see that this is maybe not such a good thing for them.

http://www.x-obi.com/OBI400/e-government-ID-A.Rundgren.pdf

I doubt that the cost for OCSP-services of a large CA even accounts for 10% of the total.


Confusing business process, payment, authentication and identification

From: Lynn Wheeler
Date: 06/28/2003 02:27 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Confusing business process, payment, authentication and identification
You may be absolutely correct that the Four Corner model is the single biggest inhibitor to the wide-scale deployment of PKI.

The Four Corner model actually requires a legally binding chain of trust (somewhat analogous to chain of evidence in legal proceedings) as the fundamental basis for a real live, sound business-based, trust network.

The majority of the PKIs are technical descriptions that wave their hands about trust networks but absolutely fail to provide any legally binding and/or sound business basis for trust operations and contractual recourse.

Having a valid, real-live sound business trust network as a counter-example to some artifact that just waves its hands about being a trust network (w/o any sound business basis) is probably a real downer.

Before continuing the description, I wonder if we can come to an agreement that we aren't talking about authentication and payment as purely academic, theoretic concepts totally unrelated to any useful purpose? Furthermore, can we agree that the majority of the people in the world aren't going out every day, entering retail establishments and performing random acts of payment and/or random acts of authentication unrelated to any useful business activity (aka they aren't at the retail establishment to obtain goods or services, they are purely there to perform random acts of payment and authentication). That the payment and authentication constructs being discussed are occurring within the context of some business operation or purpose (nominally some exchange of value is occurring .... aka somebody buys something as opposed to giving away money for no reason whatsoever).

Furthermore, the traditional four corner model is slightly more than the guy trying to sell the brooklyn bridge and saying trust me, there are financially responsible parties for both the consumer and merchant with contracts and legal recourse (w/o the N times M scaleup problem requiring 120 billion independent contracts). The four corner model isn't a trivial payment system for the enjoyment of people wanting to perform random acts of payment.

As outlined in the original post, the merchant financial institution is the legally liable party for the merchant and the consumer/issuer financial institution is the legally liable party for the consumer. There are specific contractual and business relationships based on exchange of value that are the basis for these relationships. Asserting that the fourth party does nothing but add cost is like saying that the insurance business process does nothing but add cost. The four corner model is providing contractual legal recourse trust operating in both directions .... a contractual trust chain for the merchant to the consumer, and a contractual trust chain for the consumer to the merchant.

The reference post and the URL pointers to ones with similar content go to some great length to describe valid, recognized legally liable, contractual relationships. And as further explained, it is typically only governments that can pass laws that create legal liabilities when there is no business foundation for such to exist.

A trust network is an artificial construct that has actual business relationship between all parties (or some fictional business relationship created by government mandate). In the normal, offline, stale, static certificate based infrastructure, there is no valid business relationship that exists between the certifying body and the relying-party. In all of the existing online scenarios (like the credit network), the online transaction directly between the certifying body and the relying party creates a contractual relationship (where none exists in the stale, static certificate paradigm).

As has been repeatedly pointed out in similar past discussions of this subject, the GSA created the facade of the business infrastructure relationship by contractual relationships between all the TTP CAs as a legal agent of the GSA and all the relying parties having contracts with the GSA with regard to the acceptance of certificates. That provided the basis for contractual relationship and recourse between the relying-parties and the TTP CAs .... by having a third party (the GSA) have a valid contract with each of the relying-parties (and the TTP CAs having contracts with the GSA such that they effectively operated as a GSA legal agent).

The GSA infrastructure created a legally binding relationship with four corners (the certificate owner, the certifying TTP CA, the GSA, and all the relying parties) that doesn't exist at all in the traditional 3-corner trust network stale, static certificate paradigms. The example of some places in the world trying to deal with establishing valid business and contractual relationship (where none actually exists in the traditional trust network description) results in N times M set of bilateral contracts which scales poorly (i.e. four million merchants and thirty thousand financial institutions results in 120 billion contracts).

A real trust network is sort of like chain of evidence in legal proceedings. In the real live business world, there has to be some real live basis for legal liability and recourse, normally this is a valid contract. In some cases, governments can create artificial legal liability and recourse when there is no direct business basis for it.

Ok, in the financial four corner model there are actually two totally independent trust operations occurring simultaneously.

1) the consumer has a contract with their financial institution that they can trust, the consumer financial institution (effectively) has a contract with the merchant financial institution (that they can trust), and the merchant financial institution has a contract with the merchant. That means that there is a direct contractual relationship, the consumer trusts their bank, their bank trusts the merchant bank, and the merchant bank trusts the merchant. If the chain of trust is broken with regard to the consumer trusting the merchant, the merchant bank stands in.

2) the merchant has a contract with their financial institution that they can trust, the merchant financial institution (effectively) has a contract with the consumer's financial institution (that they can trust), and the consumer's financial institution has a contract with the consumer. That means that there is a direct contractual relationship, the merchant trusts their bank, their bank trusts the consumer's bank, and the consumer bank trusts the consumer. If the chain of trust is broken with regard to the merchant trusting the consumer, the consumer bank stands in.

In the majority of the existing TTP CAs implementation, there is a contractual basis for trust based on exchange of value between the consumer (public key owner) and the TTP CA (certifying body) based on exchange of value, the consumer pays for buying the certificate. There is absolutely no legally, valid chain of trust that establishes a trust network between the TTP CA and the merchant (relying party).

There is no basis for it from a business perspective. THERE IS ABSOLUTELY NO BUSINESS RELATIONSHIP BETWEEN THE MERCHANT AND THE TTP CA THAT ESTABLISHES THE BASIS OF TRUST so there is no chain of trust and there is no trust network. A government can pass legislation claiming there is, but there is no business basis for one. GSA fabricated one with contracts with the TTP CAs, making them agents of the GSA and direct contracts between the GSA and all the relying parties (somewhat mitigating the N times M scaleup problem requiring every possible relying party to have a separate contract directly with every possible TTP CA).

In the financial four corner model there is actually a step-by-step process that establishes the individual trust chain links which form a chain of trust resulting in a trust network. Furthermore, there are actually simultaneously two trust operations going on, one in each direction .... the merchant trusting the consumer and the consumer trusting the merchant.

So, who is legally liable if the merchant goes bankrupt and/or skips town if the acquirer doesn't exist? Unless the merchant has a legally binding contract with the consumer's financial institution, the consumer's financial institution has no contractual relationship for acting on the behalf of the consumer. Furthermore, the merchant doesn't have any basis for acting against the consumer's financial institution, if the consumer doesn't pay.

So, in the previous posts & examples, X9.59 was shown as equally applying to the two-corner model, the three-corner model, and the four-corner model. As you pointed out payments and authentication are different issues. Authentication and payments are applicable to a range of business environments.

The four corner model represents independent agents financially representing their respective clients. The four corner model is somewhat analogous to civil litigation where both parties have their respective lawyers to represent their individual interests. One of the parties is not participating in civil litigation and is assuming that their opponent's lawyer can be relied upon to represent their interests (as opposed to their opponent's interests).

some past discussion of GSA contractual infrastructure necessary to establish PKI trust network:
http://www.garlic.com/~lynn/aadsm12.htm#22 draft-ietf-pkix-warranty-ext-01
http://www.garlic.com/~lynn/aadsm12.htm#41 I-D ACTION:draft-ietf-pkix-sim-00.txt
http://www.garlic.com/~lynn/aadsm12.htm#42 draft-ietf-pkix-warranty-extn-01.txt
http://www.garlic.com/~lynn/aadsm14.htm#37 Keyservers and Spam
http://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"

random refs:
http://www.garlic.com/~lynn/aadsm14.htm#41 certificates & the alternative view
http://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"
http://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#67 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#68 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#69 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#70 Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#71 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay12.htm#0 Four Corner model. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay7.htm#3dsecure 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/2002m.html#19 A new e-commerce security proposal
http://www.garlic.com/~lynn/2002n.html#25 Help! Good protocol for national ID card?

anders.rundgren@xxxxxxxx on 6/28/2003 7:59 am wrote:
"The four corner model is a valid business model with all four parties filling a valid business role .... totally independent of whether the delivery vehicle involves offline, stale, static certificates."

On the contrary. If the TTP (credential issuer) is a part of a trust network, the fourth corner (acquirer) is redundant as there is nothing a fourth party can add but costs[1]. That is, if we talk about authentication, and not about the transferal of money.

[1] Including:
- Subscription fees,
- Transaction fees,
- Proprietary trust network software,
- Relying party credential issuance and configuration
- Trust network arbitration software

I claim that the Four Corner model is the single most hampering thing to wide-scale PKI-deployment because it makes receivers possibly pay for messages that they maybe did not even want!

In paper-based messaging (excluding all kinds of payment systems), the "sender" typically puts a stamp on a letter to get it distributed. This makes sense, four-corner does not.

By confusing payments with authentication, the financial industry has shot themselves in the foot. Has anybody heard about a receiver-financed authentication trust network that actually makes money?

Or have you recently SWIFT TrustActed? I don't think so.

May I end this letter citing an interview with Bill Gates?

Q: In 1995, you wrote in your book, "The Road Ahead," that IT will realize friction-free capitalism by excluding middlemen and directly connecting buyers and sellers. Do you still believe in the idea?

A: Oh absolutely. I believe there should be no markup in any area of the B2B marketplace. If you want to buy and sell from anyone in the world, you should just get very inexpensive software. They'll let you see every seller and let you do complex transactions without anybody marking up the cost of what you're buying. XML Web services are needed for that, and that's what we're doing. It's a key building block of friction-free capitalism.

Anders
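The two posts above disagree about whether a contractual chain of trust exists between the relying party and the other side's certifying body. The following Go program is an added example written for this archive (not code from either poster, from the GSA, or from the X9.59 standard): it models each party as a node, each contract as a bilateral link, and searches for a chain of contracts between consumer and merchant in three topologies described in the thread: the financial four corner model, the stale static certificate model where each party only contracts with its own TTP CA, and the GSA arrangement where a third party contracts with the CAs and with the relying parties. The party labels, the exact GSA link set, and the 4 million by 30 thousand contract count are taken or constructed from the posts' own descriptions and are assumptions of this example.

```go
package main

import "fmt"

// Party labels for the constructed trust graphs below (illustrative, not real entities).
const (
	Consumer     = "consumer"      // public key owner / PARTY A
	Merchant     = "merchant"      // relying party / PARTY B
	ConsumerBank = "consumer-bank" // issuer, or the consumer's TTP CA
	MerchantBank = "merchant-bank" // acquirer, or the merchant's TTP CA
	GSA          = "gsa"           // third party contracting with CAs and relying parties
)

// TrustGraph stores bilateral contracts: Contract(a, b) gives a recourse against b
// and b recourse against a, which is what a signed contract between them provides.
type TrustGraph map[string]map[string]bool

func NewTrustGraph() TrustGraph { return TrustGraph{} }

func (g TrustGraph) Contract(a, b string) {
	for _, p := range [][2]string{{a, b}, {b, a}} {
		if g[p[0]] == nil {
			g[p[0]] = map[string]bool{}
		}
		g[p[0]][p[1]] = true
	}
}

// ChainOfTrust returns the shortest sequence of contractual links from `from`
// to `to` (breadth-first search), or ok=false when no chain of contracts joins them.
func (g TrustGraph) ChainOfTrust(from, to string) (chain []string, ok bool) {
	prev := map[string]string{from: ""}
	queue := []string{from}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == to {
			for p := to; p != ""; p = prev[p] {
				chain = append([]string{p}, chain...)
			}
			return chain, true
		}
		for next := range g[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil, false
}

// FourCornerCredit: each side contracts with its own bank, and the two banks are
// (effectively, through the association) contracted with each other.
func FourCornerCredit() TrustGraph {
	g := NewTrustGraph()
	g.Contract(Consumer, ConsumerBank)
	g.Contract(ConsumerBank, MerchantBank)
	g.Contract(MerchantBank, Merchant)
	return g
}

// StaleCertificatePKI: each party pays its own TTP CA for a certificate and
// nothing links either CA to the other party, so no chain crosses the middle.
func StaleCertificatePKI() TrustGraph {
	g := NewTrustGraph()
	g.Contract(Consumer, ConsumerBank)
	g.Contract(Merchant, MerchantBank)
	return g
}

// GSAContracts: the GSA contracts with every TTP CA (as its agent) and with the
// relying parties, supplying the missing link without N x M bilateral contracts.
func GSAContracts() TrustGraph {
	g := StaleCertificatePKI()
	g.Contract(ConsumerBank, GSA)
	g.Contract(MerchantBank, GSA)
	g.Contract(Merchant, GSA)
	return g
}

// BilateralContracts counts the direct merchant-to-issuer contracts a three corner
// credit scheme would need instead (the thread's 4 million x 30 thousand).
func BilateralContracts(merchants, issuers int64) int64 { return merchants * issuers }

func main() {
	models := []struct {
		name string
		g    TrustGraph
	}{{"four corner credit", FourCornerCredit()}, {"stale certificate PKI", StaleCertificatePKI()}, {"GSA contracts", GSAContracts()}}
	for _, m := range models {
		for _, dir := range [][2]string{{Consumer, Merchant}, {Merchant, Consumer}} {
			chain, ok := m.g.ChainOfTrust(dir[0], dir[1])
			fmt.Printf("%-22s %s -> %s: ok=%v chain=%v\n", m.name, dir[0], dir[1], ok, chain)
		}
	}
	fmt.Println("bilateral contracts for 4M merchants x 30K issuers:", BilateralContracts(4_000_000, 30_000))
}
```

Running it shows a four-link chain in both directions for the four corner model, no chain at all for the stale certificate model, and a chain through the GSA node in the GSA model; the last line prints the 120 billion contracts that the three corner alternative would require.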


Confusing business process, payment, authentication and identification

From: Lynn Wheeler
Date: 06/28/2003 08:33 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Re: Confusing business process, payment, authentication and identification
Ok, non-payment situation .... right out of the previous email. In a court of law ... involving civil litigation ... both parties have their own lawyers.

ok, from SSL/TLS with TTP CA .... and mutual authentication; both parties have a TTP CA and both parties have certificates from their respective TTP CAs. Just as in the financial four corner model ... there are situations where the merchant bank and the consumer bank may be the same financial institution; in which case they refer to the transaction as "on us". The four corner model doesn't absolutely preclude a financial institution being the same for both parties .... but it operates in such a way that it allows that the merchant can be certified by one entity and the consumer can be certified by another entity ... and it isn't required as part of mutual authentication ... that the certifying agency be the same for both the merchant and the customer.

The whole point of the detailed discussion of the merchant and the consumer in the four corner model was to show the chain of trust going in both direction.

The chain of trust goes in both directions .... one for the merchant and one for the consumer .... in the financial four corner model

The chain of trust tries to go in both directions .... one for the server and one for the client ... in the SSL/TLS mutual authentication four corner model.

The problem in the TTP CA SSL/TLS (almost) PKI for mutual authentication .... is the server doesn't actually have any business relationship with the client's certifying body and the client doesn't actually have any business relationship with the server's certifying body, without valid business relationship and recourse ... there is only the facade of a trust network but one doesn't actually exist (in either direction).

The TTP CA business model with stale, static certificates is actually even worse (note that a TTP CA model with online certification doesn't suffer from this horribly inverted business model). The client is paying the TTP CA for the client's certificate .... which exists for the benefit of the server (and in some cases the existence of a client certificate can actually be to the detriment of the client). The server is paying the TTP CA for the server's certificate .... which exists for the benefit of the client. Not only does the stale, static certificate paradigm have the exchange of value occur between the wrong parties .... but the exchange of value between the wrong parties lends itself to precluding a real network of trust being implemented.

When the client pays for their own certificate to the client's TTP CA, for the server's benefit, it precludes there being a valid business relationship and chain of trust between the server and the client's TTP CA. When the server pays for their own certificate to the server's TTP CA, for the client's benefit, it precludes there being a valid business relationship and chain of trust between the client and the server's TTP CA.

In the online (financial) four corner model, the server pays the client's TTP CA for certification of the client; that creates the basis for legal obligation between the client's TTP CA and the server for a valid chain of trust.

The real, major difference between a 3-corner TTP CA and a four corner TTP CA .... isn't whether it is financial or not, it is whether there is mutual authentication/certification or only single authentication/certification.

The real, major problem with TTP CAs implemented with stale, static certificates ... is it fails to create a legal relationship between the certification authorities and the relying parties. The server's TTP CA has no obligation to the client, and the client's TTP CA has no obligation to the server. Therefore there is no chain of trust, therefore it is just a pure fabrication about any real trust network.

As previously noted. GSA attempted to overcome this total lack of the TTP CA model to any resemblance of valid business proposition by all of their contracts.

It has been pretty well shown that any entity can sue any other entity.

A merchant can sue a customer for fraud and a customer can sue a merchant for fraud. The issue is can a merchant sue a certifying body for anything at all with regard to what a customer does. Typically a merchant suing a certifying body with regard to some customer's action is only to the extent that the certifying body has some obligation to a merchant. In a simple TTP CA stale, static certificate model, without a business relationship between the merchant and the consumer's TTP CA, no business relationship has been created between the consumer's TTP CA and the merchant. Therefore there is no grounds to sue.

Similarly, a client suing a certifying body with regard to some merchant's action is only to the extent that the certifying body has some obligation to the client. In a simple TTP CA stale, static certificate model, without a business relationship between the consumer and the merchant's TTP CA, no business relationship has been created between the merchant's TTP CA and the consumer. Therefore there is no grounds to sue.

All four corners exist in all situations when there is any kind of mutual certifying process between two parties; aka
1) PARTY A,
2) PARTY A's certification institution,
3) PARTY B,
4) PARTY B's certification institution.

The horrendous problem in the traditional TTP CA stale, static certificate business model is that
1) no obligation is created between PARTY A's certification institution and PARTY B
2) no obligation is created between PARTY B's certification institution and PARTY A

so no trust network ever actually exists. As has been repeatedly pointed out in the past several posts, that is possibly one of the motivating factors in all of the GSA contracts with TTP CAs and relying-parties ... creating a valid basis for a trust network.

Possibly there are some other assumptions that aren't being clearly understood. In general, certifying bodies exist when there is little or no reason for two totally complete strangers (that might have some business opportunity) to trust each other. Two entities that have some past business relationship may not feel they need an independent certification authority. However, whether a certifying process is used or not doesn't preclude either party from performing some fraudulent act. This goes back to the whole original concept of these certification bodies in the first place, which is to establish trust when there is usually no other basis for trust. Trust doesn't eliminate fraud but it possibly lowers its probability.

In the four corner, credit model there is quite a bit that is guaranteed. As previously pointed out, the merchant's financial institution is actually on the hook for the merchant delivering contracted goods or services or refunding money (as per the bankrupt airlines example).

I don't understand the issue about the four corner model and identity fraud. A business model and obligations don't preclude fraud. They may somewhat lower its probability but it doesn't lower it. As has been repeatedly mentioned in the past several posts, quite a bit of identity fraud is a shared-secret issue. X9.59 is specifically targeted at

1) strongly authenticated transactions
2) elimination of the account number as a shared-secret (and therefore as a subject of identity fraud)

3) elimination of additional identity information or shared-secret information as a means of authenticating the transaction

X9.59 is agnostic with respect to identification .... only performing authentication.

However, X9.59 can contribute significantly to reduction in identity fraud by eliminating any requirement for shared-secret and/or identity information as part of the financial transaction.

Furthermore, the X9.59 characteristic applies to 2-corner model, 3-corner model, and 4-corner model

The issue of somebody's use of a 4-corner model as opposed to choosing a 2-corner model or a 3-corner model seems to have nothing at all to do with identity fraud issues. The business issues of 2-corner, 3-corner, and 4-corner business process implementations is almost totally orthogonal to the business issues related to identity fraud.

The design of the transactions and the selection of what kind of information is required for the transactions can have a significant effect on identity fraud.

My assertion is that the prevalence of identity fraud is at least partially a characteristic of the significant reliance on shared-secrets and identity related information in much of the deployed infrastructures today (totally independent of how many corners they may have). The further assertion (as in the X9.59 case), if it is possible to steal every piece of information in the transaction and still not perform a fraudulent transaction based on that information, several types of existing fraudulent activity would be eliminated.

x9.59 references:
http://www.garlic.com/~lynn/x959.html#x959

repeated references to gsa contract:
http://www.garlic.com/~lynn/aadsm12.htm#22 draft-ietf-pkix-warranty-ext-01
http://www.garlic.com/~lynn/aadsm12.htm#41 I-D ACTION:draft-ietf-pkix-sim-00.txt
http://www.garlic.com/~lynn/aadsm12.htm#42 draft-ietf-pkix-warranty-extn-01.txt
http://www.garlic.com/~lynn/aadsm14.htm#37 Keyservers and Spam
http://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"
http://www.garlic.com/~lynn/aepay12.htm#1 Confusing business process, payment, authentication and identification

anders.rundgren@xxxxxxxx on 6/28/2003 3:32 pm wrote:
I believe we are in agreement with what the fourth corner does in a trust network, it is like the relying party's insurance, link to the law, etc.

A problem as I see it is what the fourth corner (or TTP CA) is prepared to vouch for in a non-payment situation. It can surely not make any warranties (in contrast to payments) about the value and credibility of the client, only that it has performed an RA and certification process according to some written practice statements.

Does the RP need a business relation with the trust network in order to be able to sue a misbehaving client who is repudiating its actions? Some people claim that, I don't. If the signature can be technically derived to the client's key, the client is toast. Is the fourth corner supposed to protect the RP from client key misuse/theft? I would say that this would be a very bad idea as the key may have been used to open information banks of incredible value that no insurance will cover and is not possible to rollback either. Authentication <> Payments!

But if the faulty operation is due to certification errors, probably due to identity fraud? Then we enter the real CA liability scene. RP contracts have the same function as US SW licenses: To make you aware that nothing is really guaranteed, it is sold "as is". Is this acceptable? This is hard to say, it is rather depending on how frequent errors are and the consequences of those.

A problem is that a fourth corner can do nothing about identity fraud which in my opinion makes it less viable regardless of its possible legal value.

So of course it is good to have business relations between parties in a trust network, but don't expect to get compensation when things go REALLY wrong. It is also rather hard to run court trials regarding information theft as it is hard to put a value on copied information. Due to these problems I believe the fourth corner is something that bank-operated trust networks should not take for granted. Particularly if it causes business parties to pay for received messages rather than (or in addition to) for sending messages.
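The assertion in the post above (that every piece of a transaction can be captured and still not be turned into a fraudulent transaction) depends on authenticating the transaction with something that never travels in it. The Go program below is an added example, not code from the X9.59 standard or from anyone on this list. It assumes an Ed25519 signature over a fixed encoding of the transaction fields and a per-account sequence number held by the issuer; the field layout, the account number, the payee names and the amounts are constructed for the illustration. The account number is carried in the clear and treated as public, and the issuer's check shows why an intercepted copy, a replay of it, a modified copy, or a freshly built transaction signed with some other key are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// PaymentTx is a hypothetical X9.59-style payment transaction. Every field is
// assumed to be visible to anyone who intercepts the message; none of them is
// a shared secret.
type PaymentTx struct {
	Account  string // account number: public, only identifies the key to verify with
	Payee    string
	Amount   uint64 // minor units (cents)
	Sequence uint64 // per-account monotonic counter; makes each signed copy single-use
}

// encode produces the canonical bytes that are signed: length-prefixed strings
// and big-endian integers, so the same transaction always encodes the same way.
func (t PaymentTx) encode() []byte {
	var buf []byte
	var tmp [8]byte
	putStr := func(s string) {
		binary.BigEndian.PutUint32(tmp[:4], uint32(len(s)))
		buf = append(buf, tmp[:4]...)
		buf = append(buf, s...)
	}
	putU64 := func(v uint64) {
		binary.BigEndian.PutUint64(tmp[:], v)
		buf = append(buf, tmp[:]...)
	}
	putStr(t.Account)
	putStr(t.Payee)
	putU64(t.Amount)
	putU64(t.Sequence)
	return buf
}

// accountRecord is what the issuer keeps per account: the registered public
// key and the highest sequence number already honoured.
type accountRecord struct {
	pubKey  ed25519.PublicKey
	lastSeq uint64
}

// Issuer stands in for the consumer's financial institution.
type Issuer struct{ accounts map[string]*accountRecord }

func NewIssuer() *Issuer { return &Issuer{accounts: map[string]*accountRecord{}} }

// Register binds a public key to an account number (done once, out of band).
func (iss *Issuer) Register(account string, pub ed25519.PublicKey) {
	iss.accounts[account] = &accountRecord{pubKey: pub}
}

// Authorize accepts a transaction only if it is signed by the key registered
// for the account and carries a sequence number not seen before.
func (iss *Issuer) Authorize(tx PaymentTx, sig []byte) bool {
	rec, ok := iss.accounts[tx.Account]
	if !ok {
		return false
	}
	if !ed25519.Verify(rec.pubKey, tx.encode(), sig) {
		return false // wrong key or any field altered after signing
	}
	if tx.Sequence <= rec.lastSeq {
		return false // replay of a transaction already honoured
	}
	rec.lastSeq = tx.Sequence
	return true
}

// DemoResult records the issuer's decision for each scenario.
type DemoResult struct{ Legit, Replay, Tampered, Forged bool }

// RunDemo plays out a legitimate payment followed by three attempts that each
// use the full captured transaction (account number included) but not the key.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	iss := NewIssuer()
	iss.Register("4000-0001", pub) // constructed account number

	tx := PaymentTx{Account: "4000-0001", Payee: "merchant-A", Amount: 1999, Sequence: 1}
	sig := ed25519.Sign(priv, tx.encode())
	r.Legit = iss.Authorize(tx, sig) // true: correct key, fresh sequence

	r.Replay = iss.Authorize(tx, sig) // false: same sequence number again

	tampered := tx
	tampered.Payee, tampered.Sequence = "attacker-shop", 2
	r.Tampered = iss.Authorize(tampered, sig) // false: signature no longer matches

	// Knowing the account number and the sequence scheme is not enough
	// without the registered private key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := PaymentTx{Account: "4000-0001", Payee: "attacker-shop", Amount: 50000, Sequence: 2}
	r.Forged = iss.Authorize(forged, ed25519.Sign(otherPriv, forged.encode())) // false
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit=%v replay=%v tampered=%v forged=%v\n", r.Legit, r.Replay, r.Tampered, r.Forged)
}
```

The point the example makes is the one the post makes: because the issuer verifies against a key it already holds, nothing in the wire format needs to be secret, and the account number can be as widely known as it is today without becoming a fraud vector. The sequence number is the added detail a practitioner would want; without it, the intercepted signed copy could be presented a second time.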


Confusing business process, payment, authentication and identification

From: Lynn Wheeler
Date: 06/29/2003 10:27 AM
To: "Anders Rundgren" <anders.rundgren@xxxxxxxx>
cc: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Re: Confusing business process, payment, authentication and identification
as in previous posts ... there would seem to be two ways that legal obligations are created,

1) contracts
2) gov. regulations

for the most part, value exchange can occur to help fund a business operation (aka can a TTP CA operate on no funds and no revenue?, salaries, electricity, communication, etc):

1) by value exchange (ala some reason for an entity to purchase a certificate, either because they see some benefit or because it is mandated by the government)
2) government subsidies
3) industry subsidies

we had a little bit of experience related to TTP CAs in support of SSL trusting webservers and the whole thing is the client really talking to the merchant that they think they are talking to. Originally it was thought to be in use generally for e-commerce .... but possibly somewhat because of the expense of the operation it was reduced more & more to just secrecy hiding of credit card numbers. slight reference
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

it has now been nine years since we started the work on the above ... as well as some detailed investigation (diligence) of the prominent TTP CAs at the time (operationally and business).

The stale, static certificates were being done to certify the domain name of the webserver that the client was talking to. There was no real PKI .... which is the reason we coined the term certificate manufacturing (as an aid in distinguishing it from real PKI).

or is the idea that every ten years .... we hold a party to decide that PKIs haven't found a purpose in life yet ... and we decide to again take a new look 3-5 years from now to again see what really happened.

so, we actually have a past comparison of drivers license. For a long time the drivers license was used in an offline world. You get stopped, the officer looks at the drivers license, and then either writes a ticket or doesn't write a ticket. Traditional TTP CA stale, static certificate offline paradigm. Currently, it would appear that there has been a major transition to the online world for anything of value. The number off the driver's license is used to perform an online transaction which can bring up real-time and aggregated information, including image and physical description.

The assertion was never that stale, static certificates were totally useless. The assertion was that stale, static certificates were better than nothing in an offline environment. In the transition to a ubiquitous, online connectivity, the issue becomes a value trade-off of having direct, realtime, online access to the real information .... or relying on a stale, static copy of the real information that was manufactured at some point in the past.

The issues aren't payment; the issues are offline vis-a-vis online and the importance or value of having or not having the information.

The assertion is in an offline world, that a stale, static certificate is possibly viewed as better than having no information.

The assertion is that something of value is involved, or it wouldn't even be a consideration that something better than nothing is required. If nothing of value was involved, then it would be possible to get by w/o having either online access or a stale, static certificate copy of the online information.

The assertion is that it becomes a value trade-off, the better quality information of online, real-time, and/or aggregated information against the poorer quality of stale, static information manufactured at some time in the past vis-a-vis the incremental cost of online.

The assertion is that the payment industry made the trade-off decision in the early '70s that the higher quality online, real-time, aggregated information more than justified the online access.

The assertion is that the ubiquitous and pervasive deployment of online world is drastically narrowing the market segment for stale, static offline world.

It IS NOT a question of payment vis-a-vis other infrastructures. it is purely a question does the value of the operation justify the incremental cost of online. As the pervasiveness of online spreads and the costs continue to decline, the market niche for offline gets smaller and smaller.

It IS NOT a question of payment vis-a-vis other infrastructures. Right now today, transit payment is almost totally offline, the assertion is that because the value of the individual transactions, the timing constraints at transit turnstiles, and the relative cost of online create a market segment for low-valued payment to still be an offline operation. There is assertion that declining costs of online will erode this market segment as an offline infrastructure.

It isn't payment vis-a-vis other stuff; it is purely value of the operation, increased benefit of online, realtime, aggregated vis-a-vis offline, stale, static, and costs of online vis-a-vis offline.

past threads on drivers license and/or aggregated information
http://www.garlic.com/~lynn/aadsm11.htm#39 ALARMED ... Only Mostly Dead ... RIP PKI .. addenda
http://www.garlic.com/~lynn/aadsm11.htm#40 ALARMED ... Only Mostly Dead ... RIP PKI ... part II
http://www.garlic.com/~lynn/aadsm12.htm#26 I-D ACTION:draft-ietf-pkix-usergroup-01.txt
http://www.garlic.com/~lynn/aadsm12.htm#27 Employee Certificates - Security Issues
http://www.garlic.com/~lynn/aadsm12.htm#32 Employee Certificates - Security Issues
http://www.garlic.com/~lynn/aadsm12.htm#52 First Data Unit Says It's Untangling Authentication
http://www.garlic.com/~lynn/aadsm13.htm#2 OCSP value proposition
http://www.garlic.com/~lynn/aadsm13.htm#3 OCSP and LDAP
http://www.garlic.com/~lynn/aadsm13.htm#4 OCSP and LDAP
http://www.garlic.com/~lynn/aadsm13.htm#5 OCSP and LDAP
http://www.garlic.com/~lynn/aadsm13.htm#20 surrogate/agent addenda (long)
http://www.garlic.com/~lynn/aadsm14.htm#17 Payments as an answer to spam (addenda)
http://www.garlic.com/~lynn/aadsm14.htm#20 Payments as an answer to spam (addenda)
http://www.garlic.com/~lynn/aepay10.htm#73 Invisible Ink, E-signatures slow to broadly catch on
http://www.garlic.com/~lynn/aepay10.htm#74 Invisible Ink, E-signatures slow to broadly catch on (addenda)
http://www.garlic.com/~lynn/aepay10.htm#75 Invisible Ink, E-signatures slow to broadly catch on (addenda)
http://www.garlic.com/~lynn/aepay11.htm#68 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/96.html#17 middle layer
http://www.garlic.com/~lynn/98.html#41 AADS, X9.59, & privacy
http://www.garlic.com/~lynn/99.html#238 Attacks on a PKI
http://www.garlic.com/~lynn/2000.html#86 Ux's good points.
http://www.garlic.com/~lynn/2000e.html#39 I'll Be! Al Gore DID Invent the Internet After All ! NOT
http://www.garlic.com/~lynn/2001.html#67 future trends in asymmetric cryptography
http://www.garlic.com/~lynn/2001e.html#76 Stoopidest Hardware Repair Call?
http://www.garlic.com/~lynn/2001f.html#77 FREE X.509 Certificates
http://www.garlic.com/~lynn/2001m.html#4 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001n.html#56 Certificate Authentication Issues in IE and Verisign
http://www.garlic.com/~lynn/2002h.html#27 Why are Mainframe Computers really still in use at all?
http://www.garlic.com/~lynn/2002m.html#20 A new e-commerce security proposal

anders.rundgren@xxxxxxxx on 6/29/2003 1:45 am wrote:
Lynn!
Before wasting too much list bandwidth, let's conclude that the TTP CA business and legal models are still to be determined by establishing practices. Not a single case has to my knowledge reached a court yet so [all] this is just "theory", "habits", and "speculation", albeit rather interesting such :-)

The following lines show that TTP CAs may have a long way to go:

"In a simple TTP CA stale, static certificate model, without a business relationship between the merchant and the consumer's TTP CA , no business relationship has been created between the consumer's TTP CA and the merchant. Therefor there is no grounds to sue."

An odd thing is that a major reason Identrus use a four-corner model is to have the relying party sign a contract freeing Identrus from liability! I.e. this is like accepting a typical US SW contract which says "AS IS", "NOT FIT FOR MISSION-CRITICAL USE", etc.

Without having RP-contracts TTP CAs are (they claim so at least), potentially liable for whatever bad things the consumer does. I'm not the one to tell if this is wrong or not. Frankly, I don't think _anybody_ with certainty can claim that something is right or wrong based on no practical experience at all, as this kind of TTP activity (unlike payments), is totally different from anything else we know. Drivers' licenses or passports are not comparable in any way as there is no physical appearance supporting the identification process.

Let's take a new look in 3-5 years from now and see "what really happened".

It will be a truly Darwinian process....

Anders


Confusing business process, payment, authentication and identification

From: Lynn Wheeler
Date: 06/29/2003 04:28 PM
To: epay@xxxxxxxx
cc: internet-payments@xxxxxxxx
Subject: Re: Confusing business process, payment, authentication and identification
i was not so much seeing this part of the thread as what to build .... but what were some of the constituent components and driving factors of the operational infrastructures (aka was it possible for government to mandate stale, static certificates even if it made no economic sense in a rapidly evolving online world).

we've had somewhat related activity in the standards privacy working group. the surface analysis was to take the existing privacy regulation and legislation and codify it.

the behind the scenes analysis from 1999 was that driving factors in privacy related regulatory and legislative activity was

1) identity theft and
2) (institutional) denial of service.

There would continue to be a lot of regulatory and legislative activity as long as there was identity theft and/or denial of service happening (basically some fundamental economic driving issues). Some amount of this activity suspended in the wake of 9/11 but didn't disappear. In the recent march timeframe, the prediction was a lot of the regulatory and legislative privacy related activity would start to see a lot more action by the summer .... which appears to be coming to pass.

Which then somewhat gets things back to the subject line of confusing all kinds of things with identification.

The x9.59 scenario with respect to being agnostic with respect to privacy is that the integrity of a payment transaction can be significantly raised at the same time removing any ancillary need for shared-secrets and/or privacy information in conjunction with the payment.

There was a reference to GSA (a government entity) resorting to bilateral contracts with all of the individual entities (TTP CAs and relying parties) in an attempt to provide stale, static certificates some legal foundation. Rather than forcing all relying parties to have individual contracts with each and every TTP CA ... they effectively made all of the TTP CAs agents of the GSA (via contract) and then every relying party had a contract with GSA. This addressed the requirement for N times M individual contracts (as in the discussion of some parts of the world ... which scales poorly in situations where N times M equals 120 billion).

t.c.jones@xxxxxxxx on 6/29/2003 12:51 pm wrote:
I would not try to build a single system that could handle value transfers for regular business use and for government payments.

The major reason is the legal liability. Business contracts typically involve civil penalties. Government mandates, and our responses to them, typically involve criminal penalties. In the business case identity is seldom necessary for transactions that do not involve real-estate. In fact the increasing concern for privacy somewhat mandates that users can limit the data transferred about themselves. This is where account-based transactions should be targeted. In the government case identity is nearly always required by law or regulation, and privacy is typically not available.

I believe that payments from purchasers to merchants is the problem that we have some chance of solving here. Government payments will be mandated and will probably not be designed for any of the purposes that business desires.

Let's focus on what we can effect.


Law aims to reduce identity theft

From: Lynn Wheeler
Date: 06/30/2003 11:56 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Law aims to reduce identity theft
http://news.com.com/2100-1019_3-1022341.html
Law aims to reduce identity theft

By Robert Lemos
Staff Writer, CNET News.com
June 30, 2003, 2:41 PM PT

A California law that requires e-commerce companies to warn consumers when their personal information may have been stolen could provide a boost for security firms.

The Security Breach Information Act (S.B. 1386), which goes into effect Tuesday, requires companies that do business in California or that have customers in the state to notify consumers whenever their personal information may have been compromised.

Companies that fail to properly lock down information or to notify consumers of intrusions could be sued in civil court.

... snip ...

also ... text of bill

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Know Your Enemy Automated Credit Card Fraud (automated, forwarded)

From: Lynn Wheeler
Date: 07/10/2003 01:07 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Know Your Enemy Automated Credit Card Fraud (automated, forwarded)
Patrick McCarty <mccartyp@xxxxxxxx> wrote:
Subject Know Your Enemy - Automated Credit Card Fraud

The Honeynet Project is excited to announce the release of a new paper in the Know Your Enemy series, "Automated Credit Card Fraud." The paper describes how a certain criminal community, who call themselves carders, have established sophisticated tools and methods that perform such functions as

* Providing a stolen credit card and personal information upon request
* Verifying that a credit card is currently valid
* Determining the security code (CVV2) associated with a credit card
* Determining the available credit remaining on a credit card

These tools also identify retailers vulnerable to credit card fraud, exploits that can compromise inadequately defended e-commerce sites, and means of concealing on-line identity during criminal activity.

The related criminal activity is global in scope, significant in volume, and conducted largely in open IRC channels. Despite policing by operators of some IRC networks, and shutdown of some high-activity channels, several IRC networks and many IRC channels continue to provide automated support of credit card fraud. One of the most disturbing aspects of this activity is just how simple and pervasive this has become.

Know Your Enemy Automated Credit Card Fraud
http://www.honeynet.org/papers/profiles/cc-fraud.pdf


Bugwatch: Know your security onions

From: Lynn Wheeler
Date: 08/07/2003 07:05 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Bugwatch: Know your security onions
http://www.vnunet.com/News/1142875
Bugwatch: Know your security onions

The biggest ever cyber-crime involved the theft of more than a million credit card numbers from online banks and retailers across 20 countries.

... snip ...

Know your security onions (or security proportional to risk)

From: Lynn Wheeler
Date: 08/07/2003 07:37 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: re: Know your security onions (or security proportional to risk)
On 8/7/2003, 7:27 pm, lynn.wheeler@xxxxxxxx wrote:
http://www.vnunet.com/News/1142875

Bugwatch: Know your security onions

The biggest ever cyber-crime involved the theft of more than a million credit card numbers from online banks and retailers across 20 countries.


note that this is somewhat related to the tale about trust documents from the most recent risks-forum ... archived at:
http://catless.ncl.ac.uk/Risks/22.83.html
current weeks copy at:
http://www.csl.sri.com/users/risko/risks.txt

and an old discussion about security proportional to risk:
http://www.garlic.com/~lynn/2001h.html#61

One of the issues in x9.59 was to remove the account number as a vulnerability .... since it is in such widespread use .... that it would be practically impossible to cover the earth in sufficient layers of security and encryption to eliminate the vulnerabilities. some discussions about the difficulty of protection for paradigms involving widely distributed shared-secrets that happen to be extensively used in lots of business processes:
http://www.garlic.com/~lynn/aadsm14.htm#33 An attack on paypal

New privacy rules could mean headaches for financial services IT

From: Lynn Wheeler
Date: 08/12/2003 09:01 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: New privacy rules could mean headaches for financial services IT
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,83877,00.html
New privacy rules could mean headaches for financial services IT

A ballot initiative and a judge's ruling may reach beyond California

By JAIKUMAR VIJAYAN
AUGUST 11, 2003

A consumer-privacy-related ballot initiative by a political group in California could complicate matters for financial services companies that are already scrambling to comply with other regional and federal privacy mandates.

And just like the recently instituted California state privacy law SB 1386 (see story), the proposed ballot measure will have a nationwide reach, privacy experts said.

.. snip ...

Feds Want Banks to Warn of ID Theft

From: Lynn Wheeler
Date: 08/13/2003 01:31 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Feds Want Banks to Warn of ID Theft
http://www.internetnews.com/fina-news/article.php/2248241
August 13, 2003
Feds Want Banks to Warn of ID Theft
By Roy Mark

Federal bank and thrift regulatory agencies issued proposed guidelines Tuesday to require financial institutions to develop programs to respond to incidents of unauthorized access to customer information, including procedures for notifying customers under certain circumstances.

.. snip ...

Net Worm Heightens Security Concerns

From: Lynn Wheeler
Date: 08/16/2003 06:26 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Net Worm Heightens Security Concerns

http://www.washingtonpost.com/wp-dyn/articles/A60273-2003Aug14.html

a number of quotes in the above about financial related crimes ... one such

McNevin said stolen financial data, such as credit card numbers, often ends up for sale or auction on Web sites.

One such site promises that stolen credit card data includes birth dates and Social Security numbers. Prices are based on the credit limits of the cards.

"These are not thugs," McNevin said of the worm developers. "These are astrophysicists and computer scientists who have been brought in to take down or compromise systems."

Experts said the financial industry often keeps such attacks quiet, for fear of upsetting customers and giving publicity to the hackers.


.. snip ...

slightly related from a couple months ago:
http://www.w3w3.com/CSSB.htm

Identity theft rockets 80 per cent

From: Lynn Wheeler
Date: 08/16/2003 08:36 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Identity theft rockets 80 per cent
http://www.vnunet.com/News/1142517
Identity theft rockets 80 per cent
By Robert Jaques [23-07-2003]
And the danger isn't only on the internet, warns analyst

Identity theft in the US has leapt by 79 per cent over the last year, with only a one in 700 chance of thieves being caught, industry watchers have warned.

According to analyst firm Gartner, seven million American adults - 3.4 per cent of all US consumers - were victims of identity theft during the 12 months ending June 2003.

.. snip ...

"Many banks, credit card issuers, cell phone service providers and other enterprises that extend financial credit to consumers don't recognise most identity theft fraud for what it is," Litan said.

"Instead they mistakenly write it off as credit losses, causing a serious disconnect between the magnitude of identity theft that innocent consumers experience and the industry's proper recognition of the crime."

"This causes a disincentive to fix the problem with the urgency it requires."

.. snip ...

Hackers compromise Navy purchase card

From: Lynn Wheeler
Date: 08/21/2003 03:32 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Hackers compromise Navy purchase card

http://www.gcn.com/vol1_no1/daily-updates/23217-1.html
08/21/03
Hackers compromise Navy purchase cards
By Dawn S. Onley

Hackers recently broke into a Navy system and gained access to 13,000 Navy purchase cards, according to Defense Department officials who are investigating the incident.

The DOD Purchase Card Program Management Office has issued a release stating that the Navy has cancelled all of its purchase card accounts (about 22,000) to minimize the number of unauthorized purchases, and is working closely with the issuing company, Citibank.


.. snip ...

Technology and Crime, Criminal Intelligence Service Canada - 2003

From: Lynn Wheeler
Date: 08/25/2003 11:51 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Technology and Crime, Criminal Intelligence Service Canada - 2003

http://www.cisc.gc.ca/AnnualReport2003/Cisc2003/technology2003.html

... snip ...

As technologies for conducting on-line commercial transactions evolve, so do opportunities for fraud. Identity theft and payment card fraud are among the most frequently occurring types of fraud in Canada according to Phonebusters, a fraud reporting agency administered by the Ontario Provincial Police in cooperation with the RCMP. Identity theft provides opportunities for criminals and/or members of organized crime groups to assume a false identity and obtain funds illegally. The use of sophisticated peripherals such as laser printers, digital cameras, scanners, and desktop publishing software can also offer the opportunity to facilitate the production of false identities and counterfeit documents.

Asian-based and Eastern European-based organized crime groups are reported to be extensively involved in large-scale elaborate payment card fraud schemes as well as other fraud-related criminal activity throughout the country.

There are instances in which the modification and/or enhancement of existing technology may also allow criminals to facilitate fraud-related crimes. In March 2003, Ontario-based individuals with suspected ties to organized crime persuaded unsuspecting merchants into using modified point-of-sale machines. These machines, fitted with a "skimming" device, would sit for a period of time capturing payment card information until the device was retrieved by the criminals. In December 2002, several individuals were charged with debit card fraud and fraud over $5,000 after participating in an elaborate automated teller machine fraud scheme orchestrated by members of an Eastern European-based organized crime group. This scheme, which stretched across the country, had an attributed loss of over $1.2 million. Electronic mail is also used to facilitate schemes such as stock market manipulation, frequently referred to as pump and dump or slump and dump schemes, telemarketing schemes, as well as proliferating malicious code programs such as the SLAMMER worm in January 2003.

... snip ...

Yodlee offers standard interface to smooth the electronic bill payment process

From: Lynn Wheeler
Date: 08/26/2003 02:10 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Yodlee offers standard interface to smooth the electronic bill payment process

http://www.informationweek.com/story/showArticle.jhtml?articleID=13100935
An offering from financial-services software vendor Yodlee Inc. will provide a standardized interface for connecting to "biller-direct" Web sites of nearly 2,500 lenders, credit-card, and mortgage companies, as well as nonfinancial billers such as mobile-phone, cable-TV, and long-distance companies. The service, dubbed BillDirect, is being tested at one of the vendor's large clients. It's based on an upcoming upgrade of Yodlee's account-aggregation software that's focused on helping users manage their billing.

.. snip ...

Bahrain Takes Swipe Into the Future With New Smart ID Cards

From: Lynn Wheeler
Date: 8/26/2003 02:19 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Bahrain Takes Swipe Into the Future With New Smart ID Cards

http://www.informationweek.com/story/showArticle.jhtml?articleID=13900098

.. snip ...

Users will be able to pay bills, withdraw cash, transfer money, check their bank balances and conduct Internet transactions with a swipe of the card, and use the same card to vote in municipal and parliamentary elections

.. snip ...

Solving the payment problem for open source and P2P file sharing

From: Lynn Wheeler
Date: 08/26/2003 02:23 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Solving the payment problem for open source and P2P file sharing

http://newsforge.com/newsforge/03/08/26/143247.shtml?tid=3

.. snip ...

Another option is to allow users to bill downloads to their cellular phones. Again, the idea is to make payment seamless, so that the consumer is focused on enjoying the art, and not the act of payment. If he's online, the user simply types in his phone number (with some additional added security to prevent unauthorized charging of downloads to a third-party account), and gets the music (with the cell phone company managing payment to the record or movie label on the back end). If he's offline but using his cell phone, I can envision Johnny sending Jane a download of Audioslave's newest "love song," routing it to her IP address for immediate download the next time she logs on to her computer.

.. snip ...

DNS inventor says cure to net identity problems is right under our nose

From: Lynn Wheeler
Date: 08/27/2003 07:41 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: DNS inventor says cure to net identity problems is right under our nose
slightly related from past thread
http://www.garlic.com/~lynn/aepay11.htm#43 Mockapetris agrees w/Lynn on DNS security - (April Fool's day??)
http://www.garlic.com/~lynn/aepay11.htm#45 Mockapetris agrees w/Lynn on DNS security - (April Fool's day??)


http://www.business-standard.com/ice/story.asp?Menu=119&story=20692
DNS inventor says cure to net identity problems is right under our nose
Published : August 13, 2003

Meet Paul Mockapetris. He may not be an industry celebrity like Bill Gates, Michael Dell, Richard Stallman, Eric Raymond, or Linus Torvalds, but he should be.

Mockapetris was a key figure in the development of the Domain Name System, the Internet protocol that maps domain names like zdnet.com to IP addresses like 206.16.6.208.

.. snip ...

Tech firms band together on ID theft

From: Lynn Wheeler
Date: 09/02/2003 09:12 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Tech firms band together on ID theft
http://news.com.com/2100-1019_3-5070601.html?tag=fd_top
Tech firms band together on ID theft

By Alorie Gilbert
Staff Writer, CNET News.com
September 2, 2003, 7:10 PM PT

Some of the biggest names in e-commerce, including Amazon.com, eBay and Microsoft, have formed a coalition to curb online identity theft.

The Coalition on Online Identity Theft, announced Tuesday, said it plans to launch a public education campaign and encourage its members to work more closely with law enforcement officials in an effort to fight a crime that has emerged as a major concern among politicians and consumers in recent years. The group is being organized by the Information Technology Association of America, a trade group representing the high-tech industry.

"We all agree we want to do something about this and nip this in the bud," said Greg Garcia, vice president of information security at ITAA, claiming a small percentage of identity theft cases actually begin online. Statistics show that identity theft has moved well past the bud stage to reach the level of full-blown weed infestation in recent years. The number of U.S. consumers that complained about some sort of identity theft nearly doubled to 162,000 last year, according to the Federal Trade Commission. And government figures only scratch the surface, technology analyst firm Gartner said. Gartner estimates that 3.4 percent of U.S. consumers--about 7 million adults--have been victims of identity theft of some form in the past year.

.. snip ...

Federal agencies’ banking system moves online

From: Lynn Wheeler
Date: 09/02/2003 09:15 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Federal agencies’ banking system moves online

http://www.gcn.com/vol1_no1/daily-updates/23387-1.html
09/02/03
Federal agencies’ banking system moves online

By Mary Mosquera
GCN Staff

The Treasury Department’s new Internet-based cash management system, CashLink II, went into operation today for deposit reporting and bank management information.

The financial data system from Treasury’s Financial Management Service collects and manages government funds and provides deposit information to federal agencies.

This latest version of CashLink connects agencies, financial institutions, Federal Reserve banks and Treasury fund managers through an electronic network.

... snip ...

FTC Says ID Theft Greater Problem Than Originally Thought

From: Lynn Wheeler
Date: 09/03/2003 04:10 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: FTC Says ID Theft Greater Problem Than Originally Thought
as well as a couple new URLs today (followup on posting yesterday):
TheftBusters: Coalition to Combat Online ID Fraud
http://www.internetnews.com/ec-news/article.php/3071701

Tech Giants Join Forces Against ID Theft
http://itmanagement.earthweb.com/secu/article.php/3071761

and the FTC ref:
http://dc.internet.com/news/article.php/3072091
September 3, 2003
FTC Says ID Theft Greater Problem Than Originally Thought
By Roy Mark

WASHINGTON -- Identity theft is an even greater problem than initially thought by federal officials, but Internet sites that collect personal information are not a significant contributing factor, according to a new report released Wednesday by the Federal Trade Commission (FTC).


.. snip ...

some X9.59 (and little FSTC) ... from crypto mailing list ... fyi

From: Lynn Wheeler
Date: 09/09/2003 01:19 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: some X9.59 (and little FSTC) ... from crypto mailing list ... fyi
Basically leading up to this discussion was the use of SSL on the internet .... and its predominant use was for securing credit card transactions. Some of the early history (as referenced background threads leading up to this one) was SSL for the complete shopping experience (and somewhat got cut back to just credit card because there was about a factor of five difference between the number of SSL sessions and the number of non-SSL sessions that could be supported by the same webserver hardware).

Subject of X9.59 in crypto mailing list:
http://www.garlic.com/~lynn/aadsm15.htm#6 X9.59

background posts leading up
http://www.garlic.com/~lynn/aadsm15.htm#0 invoicing with PKI
http://www.garlic.com/~lynn/aadsm15.htm#2 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm15.htm#3 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm15.htm#4 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm15.htm#5 Is cryptography where security took the wrong branch?

Police smash UK's biggest credit card fraud ring

From: Lynn Wheeler
Date: 09/09/2003 02:42 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Police smash UK's biggest credit card fraud ring
the initial "847" seems a little inconsistent 2m to 20m in fraud ... maybe it was 8 thousand or 80 thousand ... not 847

http://www.theregister.co.uk/content/55/32704.html
Police smash UK's biggest credit card fraud ring
By Drew Cullen
Posted: 08/09/2003 at 13:14 GMT

Three men are facing long jail sentences after pleading guilty, Friday (Sept. 5) to running the UK's biggest ever credit card fraud at Middlesex Guildhall Crown Court.

The trio stole details of 847 cards of Heathrow Express rail passengers who had paid for their journey by credit cards. They passed on the information to a gang of forgers who cloned 8,790 credit cards for use in the UK and on the Continent. The cloners were able to use only 10 per cent of the numbers, pocketing £2m for the gang. Police estimate that the gang could have gained £20m if all the credit card numbers had been used.

... snip ...

More on the ID theft saga

From: Lynn Wheeler
Date: 09/09/2003 03:17 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: More on the ID theft saga
At least part of this breaks out account fraud numbers (primarily credit card fraud) separate from other kinds of ID theft fraud

ID theft hits 10m Americans a year
http://www.theregister.co.uk/content/55/32688.html

Database gaps make ID fraud easier, GAO says
http://www.gcn.com/vol1_no1/daily-updates/23446-1.html

FTC Releases Survey of Identity Theft in US
http://www.ftc.gov/opa/2003/09/idtheft.htm

Cyber Security In The Financial Services Sector

From: Lynn Wheeler
Date: 09/10/2003 03:55 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Cyber Security In The Financial Services Sector

http://www.imn.org/2003/a555/
... from above:
Attend the Largest Gathering of FiServ InfoSec executives on Wall Street!! IMN's SECOND ANNUAL CYBER SECURITY IN THE FINANCIAL SERVICES SECTOR EXECUTIVE SUMMIT. October 9-10, 2003, Puck Building, N.Y.C. Over 25 cutting edge solution provider demos... ISS, VeriSign, Symantec and many more... Participating companies include Bank of NY; Bear Stearns; BNP Paribas; Chicago Board of Trade; Citibank; Credit Lyonnais; Credit Suisse; Deutsche Bank; Fleet Boston; ING; JP Morgan Chase; Morgan Stanley; Prudential; Raymond James; US Treasury; The World Bank and many more.

What you will learn:
Latest regulations and policies
Learn the latest in Cyber threats
Viruses, Worms, and System Intrusions
System Vulnerabilities & Weaknesses
Security Valuation & Budgets
Outsourcing
Wall Street - Governmental Partnership
and much more
home page:
http://www.imn.org/

-------------------------------------------------------------------
... also recent report on Financial Critical Infrastructure

Despite Notable Security Advances, Financial Sector Still Vulnerable
http://www.dartmouth.edu/%7Enews/releases/2003/09/10a.html

Survey and Analysis of Security Issues in the U.S. Banking and Finance Sector
http://www.ists.dartmouth.edu/ISTS/ists_docs/secfin0903.htm

full report:
http://www.ists.dartmouth.edu/ISTS/ists_docs/secfin0903.pdf

Bank One Calls Attention to ID Theft

From: Lynn Wheeler
Date: 09/16/2003 07:44 PM
To: epay@xxxxxxxx
Subject: Bank One Calls Attention to ID Theft
http://www.internetnews.com/ec-news/article.php/3078191
September 16, 2003
Bank One Calls Attention to ID Theft
By Mark Berniker

Bank One is partnering with the US Postal Inspection Service and other government entities for a new national crime prevention campaign to raise awareness among business and consumers facing the specter of identity theft. "Today's initiative is a coming together of a number of initiatives concerning the growing problem of identity theft," said Chris Conrad, senior vice president of fraud management for Bank One.

Conrad told internetnews.com more than three million brochures will be mailed to individuals in areas of the country where identity theft has been most prevalent.

... snip ...

A Uniform Resource Name (URN) Namespace for SWIFT Financial Messaging

From: Lynn Wheeler
Date: 09/18/2003 02:34 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: A Uniform Resource Name (URN) Namespace for SWIFT Financial Messaging
RFC 3615

Title: A Uniform Resource Name (URN) Namespace for SWIFT Financial Messaging
Author(s): J. Gustin, A. Goyens
Status: Informational
Date: September 2003
Mailbox: jean-marc.gustin@xxxxxxxx, andre.goyens@xxxxxxxx
Pages: 5
Characters: 7352
Updates/Obsoletes/SeeAlso: None

I-D Tag: draft-gustin-goyens-urn-id-02.txt

URL: ftp://ftp.rfc-editor.org/in-notes/rfc3615.txt

This document describes a Uniform Resource Name (URN) namespace that
is managed by SWIFT for usage within messages standardized by SWIFT.


Carnegie Mellon to host first US-based int'l conference on electronic commerce

From: Lynn Wheeler
Date: 09/18/2003 06:37 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Carnegie Mellon to host first US-based int'l conference on electronic commerce
http://www.eurekalert.org/pub_releases/2003-09/cmu-cmt091803.php
Carnegie Mellon to host first U.S.-based int'l conference on electronic commerce

PITTSBURGH--Carnegie Mellon University will host the Fifth International Conference on Electronic Commerce (ICEC) Sept. 30 - Oct. 3 at the Hilton Hotel in downtown Pittsburgh. It is the first time this leading eBusiness research conference is being held in the United States.

"ICEC provides an interdisciplinary forum where researchers and practitioners can come together, present their latest findings, and engage in discussions aimed at charting the future of this fascinating and ever expanding area," said conference general chairman Norman M. Sadeh, associate professor of computer science at Carnegie Mellon.

"Despite the doom and gloom of the post-bubble years," he said, "e-Business innovation has not stopped. Adoption of electronic business practices are continuing to rise and, with annual worldwide transaction volumes poised to pass the trillion-dollar mark, it is clear that e-Business is here to stay."

Sadeh cited the emergence of Web services, the mobile Internet, agent technologies, wireless computing, automated trading and negotiation techniques and P2P as just a few examples of technologies spawned by this new way of doing business. Unlike more specialized conferences, ICEC2003 will include tracks in technology, management, and law and policy.

Keynote speakers include:

Glen Meakem, founder and chairman of Pittsburgh-based Freemarkets, Inc., speaking on the Global Supply Management Revolution;
Jeffrey B. Ritter, partner, Kirkpatrick and Lockhart, LLP, speaking on Defining Systems Law;
James A. Hendler, professor of computer science, University of Maryland, speaking on Dynamic Service Choreography on the Web;
David J. Farber, Carnegie Mellon distinguished career professor of computer science and public policy, speaking on Digital Rights Management: Nightmare or Blessing.

The conference will also feature paper presentations and panels, including a plenary panel discussion on Next Generation Search Infrastructure for e-Commerce, chaired by Carnegie Mellon Computer Science Professor Jaime Carbonell, a panel on the ML Rule Initiative, chaired by Said Tabet, and a third on The New Supply Chain Trading Agent Competition, chaired by North Carolina State University Assistant Professor Peter Wurman.

For more details on ICEC2003, see: http://www.icec03.org


Cashing In With E-Payments

From: Lynn Wheeler
Date: 09/18/2003 06:38 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Cashing In With E-Payments

http://www.techweb.com/tech/ebiz/20030918_ebiz
Cashing In With E-Payments

By Don St. John

Like everything else in the Internet era, the hype preceded the reality. But as with so many other sectors plodding along regardless of bubble or burst, e-payments both at the business-to-business and consumer levels are slowly but steadily taking hold as everyone becomes used to the idea.

... snip ...

ID Theft Often Goes Unrecognized

From: Lynn Wheeler
Date: 09/24/2003 07:43 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: ID Theft Often Goes Unrecognized
http://www.internetnews.com/ec-news/article.php/3081881
September 24, 2003
Study: ID Theft Often Goes Unrecognized
By Mark Berniker

The theft of personal information has become an immense problem particularly for individuals and companies. A new study claims that many financial institutions are frequently mistaking credit losses, not aware that identity theft is rampantly taking place.

ID Analytics Inc. performed the identity theft study, which involved a number of major companies, including Citibank, Dell Computer and Bank of America.

In the study of 200 million new credit card, checking account and cell phone accounts that were opened in 2001, seven out of eight identity thefts were incorrectly categorized as simple credit losses by lenders.


..snip..

End of the line for Ireland's dotcom star

From: Lynn Wheeler
Date: 09/24/2003 10:07 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: End of the line for Ireland's dotcom star
part of thread on subject in cryptography mailing list:
http://www.garlic.com/~lynn/aadsm15.htm#16 End of the line for Ireland's dotcom star

also:
http://theregister.co.uk/content/55/32954.html Baltimore sells 'crown jewels'

..

http://www.guardian.co.uk/print/0,3858,4759214-103676,00.html
End of the line for Ireland's dotcom star
Software firm saw boom and bust; now the core business is sold

Geoff Gibbs
Tuesday September 23, 2003
The Guardian

Baltimore Technologies, the Irish software concern whose spectacular rise and fall epitomised the boom and bust of the dotcom era, reduced itself to little more than a cash shell yesterday by selling off the core business on which its fortunes were founded.

The internet security company, which failed to find a buyer after putting itself up for sale this year, said it was selling its loss-making public key infrastructure, or PKI, operation to the American-controlled business beTRUSTed for 5m.

... snip ...

Internet Fraud & Attacks on the rise

From: Lynn Wheeler
Date: 10/14/2003 12:33 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Internet Fraud & Attacks on the rise.
Study: Internet fraud and attacks rise in tandem
The number of security incidents almost doubled between May and August of this year
http://www.computerworld.com/securitytopics/security/story/0,10801,86025,00.html?SKC=security-86025

... snip ...

Verisign sees Internet fraud and attacks rise in tandem
Almost one in 16 transactions are attempts at fraud, company estimates
http://www.infoworld.com/article/03/10/14/HNfraud_1.html

... snip ...

Microsoft, Sterling Aid SWIFT Users

From: Lynn Wheeler
Date: 10/20/2003 08:30 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Microsoft, Sterling Aid SWIFT Users
http://www.eweek.com/article2/0,4149,1358167,00.asp
Microsoft, Sterling Aid SWIFT Users
By Renee Boucher Ferguson
October 20, 2003

Microsoft Corp. and Sterling Commerce Inc. both are offering banks and financial services companies new connectivity and messaging options when using the Society for Worldwide Interbank Financial Telecommunications' SWIFTNet network.

Microsoft, at the Sibos 2003 conference in Singapore on Monday, announced its BizTalk Accelerator for SWIFT, which provides integration with legacy systems through a fairly comprehensive set of connectivity interfaces. The new Accelerator supports both FIN, SWIFT's X.25-based store-and-forward financial messaging service, and XML-based SWIFT messaging.


... snip ...

Retail wireless security: a few considerations

From: Lynn Wheeler
Date: 10/21/2003 08:56 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Retail wireless security: a few considerations

http://www.computeruser.com/articles/daily/8,10,1,1020,03.html
October 20, 2003
Retail wireless security: a few considerations
Wireless computing can make your retail operation run more smoothly and quickly.
By Ben Bradley

Retailers worldwide are making the move to wireless computing, both for the flexibility it brings to in-store operations and the speed it adds to business processes. Mobile platforms and wireless networks allow retailers to complete transactions and authorizations while collecting data from any location, at any time, with a variety of devices. The information gathered from these wireless devices allows retail managers at all levels to know sooner, decide smarter, and respond faster when it comes to market opportunities and changing customer preference. Today's independent retailers are facing increased competition not only from their brick-and-mortar competitors, but also from online services.


... snip ...

Citibank customers hit with e-mail scam

From: Lynn Wheeler
Date: 10/25/2003 08:43 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Citibank customers hit with e-mail scam
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,86453,00.html
Citibank customers hit with e-mail scam
The spoofed bank site is actually hosted by a company in Moscow
Story by Linda Rosencrance

OCTOBER 24, 2003 ( COMPUTERWORLD ) - Citibank customers are being targeted by scam artists trying to get their confidential bank card numbers. The scam is perpetrated via an e-mail that includes a link that apparently directs users to a Citibank Web site, where they are greeted with a pop-up box asking them for their full debit card numbers, their personal identification numbers (PIN) and their expiration dates.

... snip ...

DNS, yet again

From: Lynn Wheeler
Date: 10/25/2003 08:54 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: DNS, yet again
slightly related past reference:
http://www.garlic.com/~lynn/aepay11.htm#43 Mockapetris agrees w/Lynn on DNS security - (April Fool's day??)
http://www.garlic.com/~lynn/aepay11.htm#45 Mockapetris agrees w/Lynn on DNS security - (April Fool's day??)

and some more recent threads:
http://www.garlic.com/~lynn/aadsm15.htm#4 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm15.htm#7 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm15.htm#8 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm15.htm#9 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm15.htm#10 Is cryptography where security took the wrong branch?
http://www.garlic.com/~lynn/aadsm15.htm#11 Resolving an identifier into a meaning
http://www.garlic.com/~lynn/aadsm15.htm#14 Resolving an identifier into a meaning
http://www.garlic.com/~lynn/aadsm15.htm#25 WYTM?
http://www.garlic.com/~lynn/aadsm15.htm#26 SSL, client certs, and MITM (was WYTM?)
http://www.garlic.com/~lynn/aadsm15.htm#27 SSL, client certs, and MITM (was WYTM?)
http://www.garlic.com/~lynn/aadsm15.htm#28 SSL, client certs, and MITM (was WYTM?)
http://www.garlic.com/~lynn/aadsm15.htm#29 SSL, client certs, and MITM (was WYTM?)

http://www.computerworld.com/securitytopics/security/story/0,10801,86457,00.html?SKC=security-86457
Q&A: DNS inventor Paul Mockapetris on Internet security
The critical DNS system is more robust at the top, he said
Story by Jaikumar Vijayan

OCTOBER 24, 2003 ( COMPUTERWORLD ) - Paul Mockapetris invented the Internet's core Domain Name System (DNS), which is a highly distributed hierarchical database that translates Web names into Internet Protocol addresses, and vice versa. Without it, the Internet as it's structured today wouldn't work. In an interview this week with Computerworld, he talked about the state of the DNS a year after the first distributed denial-of-service attack on the system.

Why is DNS security such a concern? There was a cybersecurity report that came out of the U.S. government that said the two biggest security issues were DNS and BGP [Border Gateway Protocol]. Part of it is that this is just the place where an attacker has the most leverage. ... If you can get to control either the traffic lights or change the street signs, you can create chaos on the road system.


... snip ...
