l...@garlic.com (Anne & Lynn Wheeler) writes:
> Later two of the Oracle people in the Ellison meeting have left and are
> at a small client/server startup responsible for something called
> "commerce server" and we are brought in as consultants because they want
> to do payment transactions on the server, the startup had also invented
> this technology they call "SSL" they want to use, the result is now
> frequently called "electronic commerce".

other topic drift ... somewhat for having done "electronic commerce" ... got asked into the X9A10 working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments (point-of-sale, internet, ach, credit, debit, aka *ALL*)

after detailed end-to-end vulnerability studies ... came up with the X9.59 standard that eliminated the need to hide (encrypt) the account &/or credit card number (as countermeasure to fraud) ... this also eliminated the major use of SSL, hiding (encrypting) the account &/or credit card number for data in transit (but didn't do anything for data at the endpoints and data "at rest").

we used a couple examples of account/credit number dual use, both authentication and business processes. for authentication it needs to be kept completely confidential and never divulged ... at the same time it is needed in dozens of business processes at millions of locations around the world.

security proportional to risk, value of the transaction information for merchant is profit on the transactions, possibly a couple dollars ... and for transaction processor possibly a couple cents. While value to the crook is the account balance and/or credit limit ... crooks can afford to spend attacking the system 100 times more than merchant can afford to spend defending.

x9.59 eliminated account/credit number for authentication and only used it for business processes ... so it was no longer necessary to hide/encrypt the number. the problem was that x9.59 represented major disruption to the status quo, it effectively would have eliminated much of the existing fraud, commoditizing the payment industry ... and theoretically threatened the tens of billions that are made each year off electronic payments.

--
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN