[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [E-CARM] PKI, CAs, TTPs &c.


At 06:52 AM 3/27/98 -0800, Lynn.Wheeler@firstdata.com wrote:
>i believe so .... we actually have a distinction proposed that any
>digitally signed
>document attesting to the validity of a public/private key pairing is a
>... the distinction is that a client (in the bank case) sends (effectively)
>a self-signed
>certificate to the bank (CA) as part of certification process
>(demonstrating that the client
>has the private key that corresponds to the public key in the certification
>process) ...

This is a good step, but not all CAs do this, so we need to continue
telling people to do this.

>i.e. in effect all CAs that require proof by the client that the client has
>the private key
>... utilize some form of self-signed certificate (i.e. something signed by
>a private
>key attesting to something about the client's public key).
>in this particular financial case, the (financial institution) CA may or
>may not turn
>around and issue a certificate further certifying something about the
>public key ... and even if they do issue such a certificate  ... it
>doesn't mean that the client is required to return the certificate to the
>financial institution/CA ... whenever the client is executing a digitally
>transaction with the issuing FI/CA.

When I got a replacement ATM card, I had to go to the branch bank where I 
opened my account and where my signature was on file, sign a card in their 
presence, show them picture IDs, ..., and then they issued me a new ATM 
card.  I would be very annoyed with any bank that failed to protect access 
to my account by such procedures.  In particular, I would take my money out 
of any bank that issued the equivalent of ATM cards by an on-line-only 
procedure.  So, for issuing the cert giving me access to money, I would want 
at the very least to have my bank demand I come in to the brick & mortar 
branch, prove my access rights, and get a long random number -- to be used 
once (signed by my RSA key in a message asking for the new certificate).

Of course, this requirement goes away if I'm opening an account from 
scratch.  In that case (where there's no money already in the account), I'd 
be delighted if my bank allowed me to open the account on-line with a simple 
digitally signed message.

 - Carl

Version: PGP for Personal Privacy 5.5.3


|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |

Follow-Ups: References: