Re: iKP requirement for privacy

• To: www-security@ns2.rutgers.edu, nedbob@sequent.com
• Subject: Re: iKP requirement for privacy
• From: frazier@orionb.TTI.COM (Kent Frazier)
• Date: Mon, 8 May 95 10:10:18 PDT

> In the iKP paper section C5 paragraph a, it states:
> 
> "Privacy, The privacy of order information and amount of payment should be 
> implemented independently of the the payment protocol, e.g. SHTTP or SSL"
> 
> Why?
> 
> The merchant already knows this information as a result of the customers 
> interaction with the cyber-store. What is the security principle that 
> motivates the above requirement?
> 
> Regards,
> Ned Smith
> nedbob@sequent.com  
> 
I assume that there are actually two issues surfacing here. I think the idea
is that the merchant should only know what he absolutely needs to know, and 
the payment authorizer(the bank) should only know what it absolutely
needs to know. The first restricts merchant based fraud (i.e. if the merchant
doesn't know the details of the payment authorization, it can't send in a 
duplicate transaction for example), and the bank doesn't need to know what
merchandise you're buying (privacy issue). 

• Previous: Credit Card privacy
• Next: Re: Credit Card privacy
• Index(es):
  • Index
  • Thread