Neither the MasterCard nor the VISA proposal has the user's name or
credit card number in their certificates. At this level of non-detail,
the proposals are identical in both providing only a binding between a
salted hash of the card number and a credit card number. The
cardholder has to present this salt along with their certificate to be
validated.
True for MasterCard, but the STT spec doesn't spell out what information
is contained in the certificate. A "subject name" is defined in the
comment field of the credential definition, but no semantics. However, the
Cardholder Credential Request contains a field identified (in the
comments, again) as NameAsOnCard.
So I wouldn't necessarily assume that Visa doesn't include a name.
A real name is almost surely contained in the merchant certificate, as it
is in SEPP. Yet if a merchant uses his certificate/credential to sign
something, some of the same liability issues might apply.
In any case, the original discussion did not specifically address credit
card transactions. So unless pseudonyms are used (as in the case of
MasterCard), some of these issues may apply. That's my point, and I think
maybe we've flogged this horse sufficiently.
Bob
Robert R. Jueneman
GTE Laboratories
1-617-466-2820 Office
1-508-264-0485 Telecommuting