Re: iKP requirement for privacy

• To: "Ned Smith (nedbob)" <nedbob@sequent.com>
• Subject: Re: iKP requirement for privacy
• From: Amir Herzberg <amir@watson.ibm.com>
• Date: Fri, 05 May 1995 17:17:24 -0400
• Cc: "'www-security mailing list'" <www-security@ns2.rutgers.edu>, e-payment@cc.bellcore.com
• In-Reply-To: Your message of "Thu, 04 May 1995 15:07:00 PDT." <2FA95202@ushqgw.sequent.com>

Ned says,

>
> In the iKP paper section C5 paragraph a, it states:
>
> "Privacy, The privacy of order information and amount of payment should be
> implemented independently of the the payment protocol, e.g. SHTTP or SSL"
>
> Why?

This indeed was (and is) debated much. Some felt very strongly that a
viable implementation would not use security until the purchase. As the
penalty to add this requirement is small, we kept it, although I do feel
that properly encryption of data should be handled by a lower layer since
as you argue if customer cares of this, he'll need it earlier.

I think the standard should allow the encryption to be skipped if a lower
layer already does it.

However the seperation of the order, i.e. not sending that to the acquirer,
this is an obvious privacy req' for the customer.

BTW, you may want to do these discussions on e-payment list (see above)
rather than potentially boring www-sec folks who are not interested in this
subject.

Best, Amir

End of Ned's message for e-payment folks:
>
> The merchant already knows this information as a result of the customers
> interaction with the cyber-store. What is the security principle that
> motivates the above requirement?
>
> Regards,
> Ned Smith
> nedbob@sequent.com

• iKP requirement for privacy
• From: "Ned Smith (nedbob)" <nedbob@sequent.com>

• Previous: Re: iKP requirement for privacy
• Next: Credit Card privacy
• Index(es):
  • Index
  • Thread