On Thu, 19 Oct 1995, Hal wrote:

> The point I was really trying to make, though, was whether the
> experience with using credit cards as ID in the real world provides any
> lessons for the use (or misuse) of credit card companies as
> "certification authorities". A credit card company provides a
> credential or certificate which includes a user name, credit card
> number, and public key (I am not familiar with the details of the
> various proposals, but I gather that similar information is included).

Neither the MasterCard nor the VISA proposal has the user's name or
credit card number in their certificates. At this level of non-detail,
the proposals are identical in both providing only a binding between a
salted hash of the card number and a credit card number. The
cardholder has to present this salt along with their certificate to be
validated.

> They are worried (it is suggested here) that people will take those and
> use them to prove identity in other contexts. Merchants might demand
> to see those credentials in order to be sure of the identity of the
> person they are dealing with. This could raise a liability issue for the
> CC company if the identity is faked.

There isn't any way for the merchant to use the certificate to verify a
name. And they can't get the credit card number unless they have the
salt.

> (Do I understand the issue correctly? I confess that I don't see exactly
> what situation people might take a credential/certificate from a credit
> card company and use it for identification in such a way that the credit
> card company would object. Perhaps a concrete example would be helpful.)

People have used plastic credit cards as proof of credit worthiness
and people have sued credit card companies for having issued a card to
someone who stiffed them.

> To me this situation sounds very analogous to the one where credit cards
> with names on them are used to facilitate various transactions which may
> not involve the credit card companies directly. Was there a liability
> concern there, that if someone got a Citibank card in a fake name and
> some other person relied on their identity, then Citibank could get sued?
> I don't recall the issue being framed in those terms.
>
> Hal Finney

Donald
=====================================================================
Donald E. Eastlake 3rd +1 508-287-4877(tel) dee(_at_)cybercash(_dot_)com
318 Acton Street +1 508-371-7148(fax) dee(_at_)world(_dot_)std(_dot_)com
Carlisle, MA 01741 USA +1 703-620-4200(main office, Reston, VA)