On Tuesday, Jun 3, 2003, at 18:15 US/Eastern, Bill Frantz wrote:

At 2:21 PM -0700 6/3/03, Jeroen C. van Gelderen wrote:
Perhaps that measure is too coarse grained. For instance, in the domain
of "security advisories" most emails are digitally signed with OpenPGP.
And in the domain of online credit card payments HTTPS has displaced
HTTP.

I know of one system that takes credit cards over HTTPS, and then sends the
credit card number, encrypted with GPG to a backend system for processing.
It isn't perfect, but it's better than storing the credit card number on a
database accessible to the web server. (I would feel a lot better if
Amazon didn't remember my credit card number.)

I noticed this the other day whilst buying something at Amazon: allegedly, Amazon doesn't store your CC number in a network-readable database:

http://www.amazon.com/exec/obidos/tg/browse/-/518224/002-9740615-3944845

"To provide you with an additional layer of security, all credit card numbers provided to Amazon.com are stored on a computer that is not connected to the Internet. After you type or call it in, your complete credit card number is transferred to this secure machine across a proprietary one-way interface. This computer is not accessible by network or modem, and the number is not stored anywhere else."

Now I'm not sure how they get to use the number during the billing process but hey... :)

I don't know if I'd feel much better if Amazon didn't have my CC on file. The danger of a disgruntled sysadmin snarfing the numbers while they pass through the system for one-time use during a single billing cycle seems too real for me.

-J
--
Jeroen C. van Gelderen - [EMAIL PROTECTED]

War prosperity is like the prosperity that an earthquake or a plague
brings. The earthquake means good business for construction workers,
and cholera improves the business of physicians, pharmacists, and
undertakers; but no one has for that reason yet sought to celebrate
earthquakes and cholera as stimulators of the productive forces in
the general interest. -- Ludwig von Mises
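The design Bill describes (take the card over HTTPS, then hand the number to a backend encrypted under a key the web tier cannot use to decrypt) is illustrated below as an added example; it is not code from the thread or from any system mentioned in it. It stands in RSA-OAEP from Go's standard library for GPG, and the key pair, the `CardRecord` type and the test PAN are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// CardRecord is all the web tier may keep: a display-safe mask plus the
// ciphertext. The clear PAN never lands in a web-reachable database.
type CardRecord struct {
	Masked     string // e.g. "************1111"
	Ciphertext string // base64 RSA-OAEP ciphertext for the backend key
}

// EncryptForBackend runs on the web tier, which holds only the backend's
// public key; once it returns, the clear PAN can be dropped from memory.
func EncryptForBackend(backendPub *rsa.PublicKey, pan string) (CardRecord, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 4 {
		return CardRecord{}, errors.New("PAN too short")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, backendPub, []byte(pan), nil)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{
		Masked:     strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:],
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// DecryptPAN runs only on the isolated billing host that holds the private
// key; a compromised web server, having only the public key, cannot call it.
func DecryptPAN(backendPriv *rsa.PrivateKey, rec CardRecord) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, backendPriv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

The web tier's database then holds only `Masked` and `Ciphertext`; the window Jeroen worries about shrinks to the moment the clear number is in the web process before `EncryptForBackend` returns, and to the billing host itself.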


--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]