good point. Many institutions now warehouse retail payment requests/authorization, and clear and settle them through the network that provides the best risk/return to them.

michael versace :: niteo partners, inc
national director, financial services
321 summer street
boston ma 02210
www.niteo.com
[EMAIL PROTECTED]
617-895-3042 (o)
617-794-0425 (m)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 29, 2003 2:51 PM
To: Versace, Michael
Cc: [EMAIL PROTECTED]
Subject: Re: Confusing business process, payment, authentication and identification

I would not try to build a single system that could handle value transfers for regular business use and for government payments. The major reason is the legal liability. Business contracts typically involve civil penalties. Government mandates, and our responses to them, typically involve criminal penalties.

In the business case identity is seldom necessary for transactions that do not involve real estate. In fact the increasing concern for privacy somewhat mandates that users can limit the data transferred about themselves. This is where account-based transactions should be targeted.

In the government case identity is nearly always required by law or regulation, and privacy is typically not available.

I believe that payments from purchasers to merchants are the problem that we have some chance of solving here. Government payments will be mandated and will probably not be designed for any of the purposes that business desires. Let's focus on what we can affect.

just my $.02.

..tom

> as in previous posts ... there would seem to be two ways that legal
> obligations are created,
>
> 1) contracts
> 2) gov. regulations
>
> for the most part, value exchange can occur to help fund a business
> operation (aka can a TTP CA operate on no funds and no revenue?, salaries,
> electricity, communication, etc):
>
> 1) by value exchange (ala some reason for an entity to purchase a
> certificate, either because they see some benefit or because it is mandated
> by the government)
> 2) government subsidies
> 3) industry subsidies
>
> we had a little bit of experience related to TTP CAs in support of SSL
> trusting webservers and the whole thing is the client really talking to the
> merchant that they think they are talking to. Originally it was thought to be
> in use generally for e-commerce .... but possibly somewhat because of the
> expense of the operation it was reduced more & more to just secrecy hiding
> of credit card numbers. slight reference
> http://www.garlic.com/~lynn/aadsm5.htm#asrn2
> http://www.garlic.com/~lynn/aadsm5.htm#asrn3
>
> it has now been nine years since we started the work on the above ... as
> well as some detailed investigation (diligence) of the prominent TTP CAs
> at the time (operationally and business).
>
> The stale, static certificates were being done to certify the domain
> name of the webserver that the client was talking to. There was no real PKI
> .... which is the reason we coined the term "certificate manufacturing" (as
> an aid in distinguishing it from real PKI).
>
> or is the idea that every ten years .... we hold a party to decide that
> PKIs haven't found a purpose in life yet ... and we decide to again take a
> new look 3-5 years from now to again see what really happened.
>
> so, we actually have a past comparison of drivers license. For a long time
> the drivers license was used in an offline world. You get stopped, the
> officer looks at the drivers license, and then either writes a ticket or
> doesn't write a ticket. Traditional TTP CA stale, static certificate
> offline paradigm. Currently, it would appear that there has been a major
> transition to the online world for anything of value. The number of the
> driver's license is used to perform an online transaction which can bring
> up real-time and aggregated information, including image and physical
> description.
>
> The assertion was never that stale, static certificates were totally
> useless. The assertion was that stale, static certificates were better
> than nothing in an offline environment. In the transition to a ubiquitous,
> online connectivity, the issue becomes a value trade-off of having direct,
> realtime, online access to the real information .... or relying on a
> stale, static copy of the real information that was manufactured at some
> point in the past.
>
> The issues aren't payment; the issues are offline vis-a-vis online and the
> importance or value of having or not having the information.
>
> The assertion is in an offline world, that a stale, static certificate is
> possibly viewed as better than having no information.
>
> The assertion that something of value is involved, or it wouldn't even be a
> consideration that "something better than nothing" is required. If nothing
> of value was involved, then it would be possible to get by w/o having
> either online access or a stale, static certificate copy of the online
> information.
>
> The assertion is that it becomes a value trade-off, the better quality
> information of online, real-time, and/or aggregated information against the
> poorer quality of stale, static information manufactured at some time in
> the past vis-a-vis the incremental cost of online.
>
> The assertion is that the payment industry made the trade-off decision in
> the early '70s that the higher quality online, real-time, aggregated
> information more than justified the online access.
>
> The assertion is that the ubiquitous and pervasive deployment of online
> world is drastically narrowing the market segment for stale, static offline
> world.
>
> It IS NOT a question of payment vis-a-vis other infrastructures. it is
> purely a question does the value of the operation justify the incremental
> cost of online. As the pervasiveness of online spreads and the costs
> continue to decline, the market niche for offline gets smaller and smaller.
>
> It IS NOT a question of payment vis-a-vis other infrastructures. Right now
> today, transit is almost totally offline, the assertion is that because the
> value of the individual transactions, the timing constraints at transit
> turnstiles, and the relative cost of online create a market segment for
> low-valued payment to still be an offline operation. There is assertion
> that declining costs of online will erode this market segment as an offline
> infrastructure.
>
> It isn't payment vis-a-vis other stuff; it is purely value of the
> operation, increased benefit of online, realtime, aggregated vis-a-vis
> offline, stale, static, and costs of online vis-a-vis offline.
>
> past threads on drivers license and/or aggregated information
> http://www.garlic.com/~lynn/aadsm11.htm#39 ALARMED ... Only Mostly Dead ... RIP PKI .. addenda
> http://www.garlic.com/~lynn/aadsm11.htm#40 ALARMED ... Only Mostly Dead ... RIP PKI ... part II
> http://www.garlic.com/~lynn/aadsm12.htm#26 I-D ACTION:draft-ietf-pkix-usergroup-01.txt
> http://www.garlic.com/~lynn/aadsm12.htm#27 Employee Certificates - Security Issues
> http://www.garlic.com/~lynn/aadsm12.htm#32 Employee Certificates - Security Issues
> http://www.garlic.com/~lynn/aadsm12.htm#52 First Data Unit Says It's Untangling Authentication
> http://www.garlic.com/~lynn/aadsm13.htm#2 OCSP value proposition
> http://www.garlic.com/~lynn/aadsm13.htm#3 OCSP and LDAP
> http://www.garlic.com/~lynn/aadsm13.htm#4 OCSP and LDAP
> http://www.garlic.com/~lynn/aadsm13.htm#5 OCSP and LDAP
> http://www.garlic.com/~lynn/aadsm13.htm#20 surrogate/agent addenda (long)
> http://www.garlic.com/~lynn/aadsm14.htm#17 Payments as an answer to spam (addenda)
> http://www.garlic.com/~lynn/aadsm14.htm#20 Payments as an answer to spam (addenda)
> http://www.garlic.com/~lynn/aepay10.htm#73 Invisible Ink, E-signatures slow to broadly catch on
> http://www.garlic.com/~lynn/aepay10.htm#74 Invisible Ink, E-signatures slow to broadly catch on (addenda)
> http://www.garlic.com/~lynn/aepay10.htm#75 Invisible Ink, E-signatures slow to broadly catch on (addenda)
> http://www.garlic.com/~lynn/aepay11.htm#68 Confusing Authentication and Identiification?
> http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
> http://www.garlic.com/~lynn/96.html#17 middle layer
> http://www.garlic.com/~lynn/98.html#41 AADS, X9.59, & privacy
> http://www.garlic.com/~lynn/99.html#238 Attacks on a PKI
> http://www.garlic.com/~lynn/2000.html#86 Ux's good points.
> http://www.garlic.com/~lynn/2000e.html#39 I'll Be! Al Gore DID Invent the Internet After All ! NOT
> http://www.garlic.com/~lynn/2001.html#67 future trends in asymmetric cryptography
> http://www.garlic.com/~lynn/2001e.html#76 Stoopidest Hardware Repair Call?
> http://www.garlic.com/~lynn/2001f.html#77 FREE X.509 Certificates
> http://www.garlic.com/~lynn/2001m.html#4 Smart Card vs. Magnetic Strip Market
> http://www.garlic.com/~lynn/2001n.html#56 Certificate Authentication Issues in IE and Verisign
> http://www.garlic.com/~lynn/2002h.html#27 Why are Mainframe Computers really still in use at all?
> http://www.garlic.com/~lynn/2002m.html#20 A new e-commerce security proposal
>
> --
> Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm
>
> [EMAIL PROTECTED] on 6/29/2003 1:45 am wrote:
>
> Lynn!
> Before wasting too much list bandwidth, let's conclude that the TTP CA
> business and legal models are still to be determined by establishing
> practices.
> Not a single case has to my knowledge reached a court yet so [all] this
> is just "theory", "habits", and "speculation", albeit rather interesting
> such :-)
>
> The following lines show that TTP CAs may have a long way to go:
>
> "In a simple TTP CA stale, static certificate model, without a business
> relationship between the merchant and the consumer's TTP CA,
> no business relationship has been created between the consumer's
> TTP CA and the merchant. Therefore there are no grounds to sue."
>
> An odd thing is that a major reason Identrus uses a four-corner model is
> to have the relying party sign a contract freeing Identrus from liability!
> I.e. this is like accepting a typical US SW contract which says "AS IS",
> "NOT FIT FOR MISSION-CRITICAL USE", etc.
>
> Without having RP-contracts TTP CAs are (they claim so at least),
> potentially liable for whatever bad things the consumer does. I'm not the
> one to tell if this is wrong or not. Frankly, I don't think _anybody_ with
> certainty can claim that something is right or wrong based on no practical
> experience at all, as this kind of TTP activity (unlike payments),
> is totally different from anything else we know. Drivers' licenses or
> passports are not comparable in any way as there is no physical
> appearance supporting the identification process.
>
> Let's take a new look in 3-5 years from now and see "what really happened".
>
> It will be a truly Darwinian process....
>
> Anders
>
>
> To remove yourself from this list send a message Unsubscribe to
> [EMAIL PROTECTED]
