On Wed, Oct 22, 2003 at 05:08:32PM -0400, Tom Otvos wrote:
> >
> > So what purpose would client certificates address? Almost all of the use
> > of SSL domain name certs is to hide a credit card number when a consumer
> > is buying something. There is no requirement for the merchant to
> > identify and/or authenticate the client .... the payment infrastructure
> > authenticates the financial transaction and the server is concerned
> > primarily with getting paid (which comes from the financial institution)
> > not who the client is.
> >
> > The CC number is clearly not hidden if there is a MITM.

Can you please posit an *exact* situation in which a man-in-the-middle
could steal the client's credit card number even in the presence of a
valid server certificate? Can you please explain *exactly* how using a
client-side certificate rather than some other form of client
authentication would prevent this?

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]