
Re: FW: comments on <draft-ietf-spki-cert-theory-02.txt>



From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: Ed Gerck <egerck@laser.cps.softex.br>
Cc: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>,
        "'Carl Ellison '" <cme@acm.org>, spki <spki@c2.net>
Subject: Re: FW: comments on <draft-ietf-spki-cert-theory-02.txt>
Date: Sun, 26 Jul 1998 15:18:32 +0100

>Regarding cyber-world misconceptions, some think that by escaping
>names one can escape reality.  Others think that credit-cards deals
>would not need names or any real-life id, just assets. Surely, the
>merchant gets paid regardless, even if you use a false name.

This is, after all, what matters to the merchant.

>But this is not the end of id fraud. The bank still goes after the
>money...and uses the law against fraudulent practices to enforce the
>cardholder agreement, or criminal statutes.

The bank wants to catch the person who made the fraudulent transaction. The name on the card is not likely to help them do that. 

>If Mr. X uses his wife's
>credit-card, Mr. X is technically committing id fraud, and
>wire-fraud.

If he does this with Mrs. X's permission, nobody cares. The merchant gets paid from Mrs. X's account. Mrs. X does not scream "fraud" to her credit card company.

Mr. X would have to be exceptionally stupid to commit card fraud with his wife's card. The *merchant* doesn't know who the card belongs to, but the card issuer does.

Ian.
To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
cc: "'Carl Ellison '" <cme@acm.org>, "''spki@c2.net' '" <spki@c2.net>
Subject: Re: FW: comments on <draft-ietf-spki-cert-theory-02.txt> 
Date: Sun, 26 Jul 1998 14:45:55 -0400
From: "Perry E. Metzger" <perry@piermont.com>


Alan Lloyd writes:
> Carl and the list FYI

Alan;

Might I suggest that SPKI is not for you and that, rather than getting 
angry with it, you might simply want to not participate? There is
nothing wrong with agreeing to disagree and simply moving on...

Perry
From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>,
        "'Perry E. Metzger '"
	 <perry@piermont.com>
Cc: "''Carl Ellison ' '" <cme@acm.org>, "'''spki@c2.net' ' '" <spki@c2.net>
Subject: RE: FW: comments on <draft-ietf-spki-cert-theory-02.txt> 
Date: Mon, 27 Jul 1998 08:24:32 +1000

Perry, fine by me. The unfortunate fact is that the IT industry sees
"simple PKI" and expects that to do the job of a real one. Just like
LDAP, Limited DAP. 
I suppose one has to keep on saying SPKI is not really a PKI; it's about
taking a key, hashing it and making a Unique Id of it. The KI bit has
in fact been dropped off...

have fun.

regards alan 

To: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
cc: spki@c2.net
Subject: Re: FW: comments on <draft-ietf-spki-cert-theory-02.txt> 
Date: Sun, 26 Jul 1998 18:30:09 -0400
From: "Perry E. Metzger" <perry@piermont.com>


Alan Lloyd writes:
> Perry, fine by me. The unfortunate fact is that the IT industry sees
> "simple PKI" and expects that to do the job of a real one.

It is my opinion that it would, but I believe we've already been
through that. The purpose of this list is not (currently) to have
pointless arguments that won't end anywhere. I'd like to end this now.

Perry
From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
To: "''Carl Ellison ' '" <cme@acm.org>, "'Ian Brown '" <I.Brown@cs.ucl.ac.uk>
Cc: "'spki '" <spki@c2.net>
Subject: RE: FW: comments on <draft-ietf-spki-cert-theory-02.txt>
Date: Mon, 27 Jul 1998 08:38:13 +1000

Thank you for this pile of "Cods" Ian
notes follow. 

----------
From: Ian Brown
To: Alan Lloyd; 'Carl Ellison '
Cc: spki
Sent: 7/26/98 9:27:43 PM
Subject: Re: FW: comments on <draft-ietf-spki-cert-theory-02.txt>

>I believe that names work in EC because to date
>the way in which I go around this planet is with my name

Your examples actually support the SPKI case -- they are most definitely
not name certificates.

I use my name when I check into an airline and I show them my Qantas
card.
I use my passport  with my name, signature and photo on it.

etc, etc

>amex

Nope -- the merchant cares about the payment authorised by your account
number, not your name.

my signature and my name on the card and this is checked by the merchant
-  but that is in the real world before the transaction goes on the wire
- what world are you in?

>my air tickets

No. Access token issued by air company after payment. Name is to comply
with govt. regulations (matching your driver's license/passport) not to
support e-commerce.

But my name is on the ticket and in the airline system - does this not
support the EC of the Airline - regardless of policy???


>my passport

Government access token to other countries. Name is largely irrelevant
-- passport number may be used to access a CRL (wanted list). And since
when was a passport vital for e-commerce?


but we want to support passport systems with electronic operations...
and people's authenticated names to photo IDs ...

>my bank accounts

Account number is important, not name.

ditto

>my car insurance.


ditto


Certificate issued by insurance company promising to pay you or others
in case of accident. If you crash into someone, they don't care what
your name is, they just want you to pay up.

>May I say it seems pointless inventing things that are pointless. 


I think this is better said to the PKIX group.

Ian.

Oh dear is all I can say... Perhaps you would like to tell the whole
planet how they build IT systems that use internalise numbered things
and relate these to real authenticated users..
From your comments - the whole IT industry is wrong and all the people
who use any form of name-based identification.

For my part I have been involved with very big systems for many years -
in the real world...



regards alan