Re: iKP requirement for privacy

• To: www-security@ns2.rutgers.edu
• Subject: Re: iKP requirement for privacy
• From: "M. L. Grant" <grant@medio.com>
• Date: Fri, 5 May 1995 08:59:52 -0700

Ned Smith, <nedbob@sequent.com>, said:

>"Privacy, The privacy of order information and amount of payment should be 
>implemented independently of the the payment protocol, e.g. SHTTP or SSL"
> [ . . . ]
>The merchant already knows this information as a result of the customers 
>interaction with the cyber-store. What is the security principle that 
>motivates the above requirement?

It's probably not so much a _security_ issue as it is a
_privacy_ issue.  In the same way that it's no-one's business
what library books a person has checked out, it's also no-one's
business what products someone has purchased from an on-line
mall or how much he has spent there.

Keeping the two sets of information separate is safer for the
fulfillment house in case of some catastrophe like a systems
failure, a security breach, etc.


M. L. Grant
<grant@medio.com>
<URL:http://www.medio.net/users/grant/index.htm>

• Previous: Re: NCSA httpd: patch for CGI insecurity
• Next: Re: NCSA httpd: patch for CGI insecurity
• Index(es):
  • Index
  • Thread