[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate proposal

To: [email protected]
Subject: Re: Certificate proposal
From: Jeff Weinstein <[email protected]>
Date: Fri, 06 Oct 1995 00:01:02 -0700
Newsgroups: mcom.list.cypherpunks
Organization: Netscape Communications
References: [email protected] (Tom Weinstein) <[email protected]>
Sender: [email protected]

Tom Weinstein wrote:
> 
> In article <[email protected]>, Hal <[email protected]> writes:
> 
> > OK, so suppose I want to send my credit card number to Egghead Software.
> > I get one of these new-fangled certificates from somebody, in which
> > VeriSign has certified that key 0x12345678 has hash 0x54321.  I think we
> > can agree that by itself this is not useful.  So, it will also bind in
> > some attribute.  What will that attribute be?
> 
> Um, just a wild guess, but... your credit card number maybe?  (Well,
> okay, its hash.)

  The hash of just the card number isn't good enough.  If you collected
a bunch of certificates (they are public) then you could start guessing
valid card numbers and trying to match the hashes with your database.
The Mastercard SEPP proposal uses a salted hash, where the salt is
a shared secret between the bank and the user.

	--Jeff

> --
> Sure we spend a lot of money, but that doesn't mean    |  Tom Weinstein
> we *do* anything.  --  Washington DC motto             |  [email protected]

  There are too many Weinsteins hanging out here lately...  :-)

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

References:
- Re: Certificate proposal
  - From: [email protected] (Tom Weinstein)

Prev by Date: Re: Certificate proposal
Next by Date: Re: Certificate proposal
Prev by thread: Re: Certificate proposal
Next by thread: Re: Certificate proposal
Index(es):
- Date
- Thread