hi

( 05.02.07 16:04 -0500 ) Greg London:
> I'll buy pizza for a perlmonger meeting if I can get a
> definite yes/no answer on these questions.
> > could the site give him a tracking number / one-time password
> > so he could check the status of his order and report a problem?

yes

> > Would it be possible to do this in a secure manner?

yes [return tracking code over SSL, tracking code is probably a hash of some order related data + nonce]

> > Would it be a secure transaction?

define 'secure'- what is your threat model?

> > Would it be any less secure than having the user
> > set up an account and their own password?

yes, more prone to spoofing since it's only one piece of info [tracking number] instead of 2 [username/pw].

so if you can get back to me on what you mean by 'secure transaction' we may be in business.

--
\js oblique strategy: you don't have to be ashamed of using your own ideas
_______________________________________________
Boston-pm mailing list
Boston-pm@mail.pm.org
http://mail.pm.org/mailman/listinfo/boston-pm
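
The tracking-code idea from the reply above, sketched as an added example that is not part of the original message. It uses a keyed HMAC-SHA256 rather than a bare hash (an assumption; the message only says "a hash"), and `SERVER_KEY`, `issue_tracking_code` and `check_tracking_code` are hypothetical names. Delivery over SSL is assumed and not shown.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example; a real site would load it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


def _tag(order_id: str, nonce: str, key: bytes) -> str:
    """HMAC-SHA256 over the order data and nonce, hex encoded."""
    msg = f"{order_id}.{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_tracking_code(order_id: str, key: bytes = SERVER_KEY) -> str:
    """Build 'order_id.nonce.tag' to hand to the customer."""
    if "." in order_id:
        raise ValueError("order_id must not contain '.'")
    # The random nonce makes every issued code distinct, even for identical order data.
    nonce = secrets.token_hex(16)
    return f"{order_id}.{nonce}.{_tag(order_id, nonce, key)}"


def check_tracking_code(code: str, key: bytes = SERVER_KEY):
    """Return the order id if the code is authentic, otherwise None."""
    parts = code.split(".")
    if len(parts) != 3:
        return None
    order_id, nonce, tag = parts
    expected = _tag(order_id, nonce, key)
    # Constant-time comparison so response timing does not leak how much of a guess matched.
    if hmac.compare_digest(expected.encode(), tag.encode()):
        return order_id
    return None


if __name__ == "__main__":
    code = issue_tracking_code("A1001")  # constructed order id
    print(code, "->", check_tracking_code(code))
    # Changing the order id invalidates the tag, so a code cannot be retargeted.
    print(check_tracking_code(code.replace("A1001", "A1002", 1)))
```

Whoever holds a valid code is treated as the customer, which is the single-piece-of-info limitation the reply points out.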