Ben, > Ian Grigg wrote: >> It should be obvious. But it's not. A few billions >> of investment in smart cards says that it is anything >> but obvious. > > That assumes that the goal of smartcards is to increase security instead > of to decrease liability.
On whether the goal of smart cards is to reduce liability: a) Not with any systems I was familiar: the major Dutch systems were defensive, oriented to filling the space that was potentially threatened by other parties. The trials were goaled to increase security, which they did not by using smart cards, but by eliminating cash, which had created an unacceptable risk of serious theft in unattended petrol stations. The same happened with UK phone cards... I'm unfamiliar with Mondex or the Belgium/ Proton based motives, but their structures indicate that liability was not a question uppermost on their minds. b) Liability reduction cannot be a goal. If it was, then one could achieve the goal completely - eliminate liability - by not doing the project. Instead, liability and/or reduction of same is a _limitation_ on the goal of the system. c) Whether liability reduction entered into any smart card system as a limitation on their goals is a little uncertain. I would say no, as all the systems were early stage in the institutional model; in which case there was little or no liability. Instead, the only drivers in that vague area would have been future running costs reduction, which would have included well considered security models, and partially considered user support models, to reduce over all costs. Including all forms of risks, of course. d) Liability reduction generally comes into play when a system is mature and/or regulatory issues come into play. That is, liability reduction is something often seen when the desire is to avoid surprises, and to avoid any costs cropping up that weren't well built into the costs model. I.e., the risk models used by credit card operators are one example, and the customer agreement models (or whatever they are called) used by CAs are another example of liability reduction. e) Perversely, banks practice liability increase as well as reduction. In fact, a pure banking model is about the risk of a loan, and they specialise in measuring and managing the risk of that loan. But, as we are talking about payment systems, and loans are banking, and banking is not payment systems, that would be a change in business, so out of scope of the original topic. f) And, of course, all institutions will practice liability increase if they can turn it into a barrier to entry, that is, cartelise the industry so as to block new entrants. See the eMoney directive for the European barrier to entry, which was effectively coordinated by the Bundesbank on behalf of the banks, and resulted in the "like a bank, but not a bank, and as costly as a bank" approach to digital cash. All of which might or might not hit the target of liability as you wrote it? iang --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]