EU DIRECTIVE ON SIGNATURES
Ian Brown
I.Brown at cs.ucl.ac.uk
Sun, 23 Aug 1998 19:19:12 +0100
> Likely they will want to know if the delivery address for the
> goods relates to the buyer (or at least to the same entity as
> payment is promised by).
As Richard said, they will almost certainly want payment before delivering
the goods. Once payment is made, they don't care two hoots if the buyer has
given the wrong address.
If they don't get payment before delivery, what they really want is a
subpoena certificate (described in the SPKI documents) that allows them to
serve a writ on the buyer if they default. But again, in almost all cases
the cost of pursuing bad debts would be too high so they will not allow
this.
> But they
> could as easily want to know the actual identity (they might prefer not
> to send goods to a certain wealthy Arab living in Afghanistan, though I
> am sure that gentleman's creditworthiness is entirely beyond reproach).
To be quite honest, what percentage of Internet transactions are likely to
involve export-controlled goods? Certainly not enough to base the whole
certification infrastructure upon.
And I am sure Mr. bin Laden would have many other X.509 certificates for
his aliases.
> Yes, but amazon.com would be most concerned that the entity that
> purported to state that the number you quoted was good for the amount in
> question was indeed that well known organisation VISA, and a certificate
> to that effect (perhaps from a CA) should resolve that.
Well, a certificate from Visa themselves would be best (by signing the
issuing bank's certificate, who would sign the cardholder's SET
certificate.)
As Carl Ellison said, Visa are the authority on who can spend what with
their cards, not VeriSign or some other third party.
> The fact is that, for human comprehension, we feel more comfortable if
> we can put a plausible name to otherwise anonymous entities, however
> tempting their certificates might look.
Which is probably the reason so many people are fooled into thinking
X.509-type infrastructures are the way to go. Once you look into the
problem in more detail, you see that is not the way to do it.
Ian.