EU DIRECTIVE ON SIGNATURES
Charles Lindsey
chl at clw.cs.man.ac.uk
Mon, 24 Aug 1998 11:28:52 +0100
On Sun, 23 Aug 1998 19:19:12 +0100
Ian Brown <I.Brown@cs.ucl.ac.uk> said...
>
> > Likely they will want to know if the delivery address for the
> > goods relates to the buyer (or at least to the same entity as
> > payment is promised by).
>
> As Richard said, they will almost certainly want payment before delivering
> the goods. Once payment is made, they don't care two hoots if the buyer has
> given the wrong address.
Sure, that is fine for credit card transactions between small parties,
but that is not true of "business" in general, where up-front payment is
the exception rather than the rule.
If I am a large chemical conglomerate manufacturing fertiliser, and
I receive an order for many tons of the stuff from an agricultural
merchant whom I have not dealt with before, I would in principle welcome
this new business. I would not expect him to be paying by credit card.
He would be asked to pay within 30 days (and privately I would be
satisfied if he paid within 6 months - such is the way things are).
As an agricultural merchant, he is probably well known in that trade
- I may already be aware which of my competitors used to supply him
previously. So what I really want to know is whether the order really
came from him, and not from the Real IRA. Funny - he seems to want the
stuff delivered rather quickly, and it is to be delivered to an obscure
depot in Dundalk ...
>
> To be quite honest, what percentage of Internet transactions are likely to
> involve export-controlled goods? Certainly not enough to base the whole
> certification infrastructure upon.
I would hope we are trying to construct an infrastructure that will
be applicable in a wide variety of commercial and non-commercial
situations.
>
> > Yes, but amazon.com would be most concerned that the entity that
> > purported to state that the number you quoted was good for the amount in
> > question was indeed that well known organisation VISA, and a certificate
> > to that effect (perhaps from a CA) should resolve that.
>
> Well, a certificate from Visa themselves would be best (by signing the
> issuing bank's certificate, who would sign the cardholder's SET
> certificate.)
Indeed, if you knew it was from Visa.
The real question at issue is how easy it would be to manage a
scam involving a large interacting set of bogus certificates, all
crosspointing at each other and including bogus CAs, which are then used
to rip off some unsuspecting dupes. A bogus manufactured web-of-trust, in
fact. Yes, it would be a lot of work to produce such a bogus web, but
computers could be rather good at doing that sort of thing.
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
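
The bogus web of trust raised in the message above, as an added example that is not part of the original post: a verifier that counts endorsements is fooled by a cluster of mutually signing bogus CAs, while one that requires a signature path from its own trust anchors is not. All names and the signature list are constructed sample data, and each listed signature is assumed to have already been verified cryptographically.

```python
from collections import deque

# Constructed sample data: (issuer, subject) means "issuer signed subject's certificate".
SIGNATURES = [
    ("RootA", "BankCA"),
    ("BankCA", "merchant.example"),
    # A manufactured cluster: three bogus CAs that all certify each other...
    ("BogusCA1", "BogusCA2"), ("BogusCA1", "BogusCA3"),
    ("BogusCA2", "BogusCA1"), ("BogusCA2", "BogusCA3"),
    ("BogusCA3", "BogusCA1"), ("BogusCA3", "BogusCA2"),
    # ...and all vouch for the same fake party.
    ("BogusCA1", "fake-supplier.example"),
    ("BogusCA2", "fake-supplier.example"),
    ("BogusCA3", "fake-supplier.example"),
]

def endorsement_count(subject, signatures):
    """Naive metric: how many distinct issuers signed this subject."""
    return len({issuer for issuer, subj in signatures if subj == subject})

def trust_path(subject, anchors, signatures, max_depth=4):
    """Breadth-first search for a signature chain from one of the verifier's
    own trust anchors to the subject, using at most max_depth signatures.
    Returns the chain as a list of names, or None if no chain exists."""
    issued = {}
    for issuer, subj in signatures:
        issued.setdefault(issuer, []).append(subj)
    queue = deque((a, [a]) for a in sorted(anchors))
    seen = set(anchors)
    while queue:
        name, path = queue.popleft()
        if name == subject:
            return path
        if len(path) > max_depth:  # chain already uses max_depth signatures
            continue
        for nxt in issued.get(name, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None

if __name__ == "__main__":
    for who in ("merchant.example", "fake-supplier.example"):
        print(who, endorsement_count(who, SIGNATURES),
              trust_path(who, {"RootA"}, SIGNATURES))
```

The fake party collects more endorsements than the genuine one, yet no chain reaches it from RootA; the outcome changes only if a bogus CA is placed in the verifier's anchor set, so the integrity of that set is what the whole check rests on.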