Lynn Wheeler wrote:
>> In fact they sometimes do but here you have to hold your horses;
>> this certificate has nothing to do with CCs, it is a login/signature
>> solution for the customer to the bank. This PKI is typically
>> in-house while the 3D secure is CC-branded as otherwise merchants
>> would not recognize CC-branded banks.

>so the consumer doesn't need a PKI public key when they are dealing
>with their own bank ... they could just record a certificateless
>public key

Absolutely! However, there is no infrastructure in place for that.

Another reason for the PKI solution is that the financial sector (which you always refer to) has turned out to be the only remaining survivor on the client certificate market here not counting low-value e-mail certs. The market is mainly consisting of governments who desperately need to reduce costs for administration. It is hard to see that anything but a 1-to-many ID TTP solution would fit that scenario. But this PKI is usually based on contracts so it fits your view on how a CA should operate.

I believe both banks and governments should go to an open subscriber-based model as it will long-term be most profitable/cheapest. That is, CA liability is IMHO an overrated issue. By having banks use their own stuff, they have all the reasons for doing the right thing.

Assume you are losing your ID on the wrong side of the globe. How would anybody but the financial sector be able to handle this? VeriSign? Not a chance.

Anders
