EU DIRECTIVE ON SIGNATURES

William H. Geiger III whgiii at openpgp.net
Mon, 24 Aug 1998 08:02:32 -0500


-----BEGIN PGP SIGNED MESSAGE-----

In <199808241028.LAA16234@clw.cs.man.ac.uk>, on 08/24/98 
   at 11:28 AM, chl@clw.cs.man.ac.uk (Charles Lindsey) said:

>	On Sun, 23 Aug 1998 19:19:12 +0100
>	Ian Brown <I.Brown@cs.ucl.ac.uk> said...

>> 
>> > Likely they will want to know if the delivery address for the
>> > goods relates to the buyer (or at least to the same entity as
>> > payment is promised by).
>> 
>> As Richard said, they will almost certainly want payment before delivering
>> the goods. Once payment is made, they don't care two hoots if the buyer has
>> given the wrong address.

>Sure, that is fine for credit card transactions between small parties,
>but that is not true of "business" in general, where up-front payment is
>the exception rather than the rule.

>If I am a large chemical conglomerate manufacturing fertiliser, and I
>receive an order for many tons of the stuff from an agricultural merchant
>whom I have not dealt with before, I would in principle welcome this new
>business. I would not expect him to be paying by credit card. He would be
>asked to pay within 30 days (and privately I would be satisfied if he
>paid within 6 months - such is the way things are). As an agricultural
>merchant, he is probably well known in that trade - I may already be
>aware which of my competitors used to supply him previously. So what I
>really want to know is whether the order really came from him, and not
>from the Real IRA. Funny - he seems to want the stuff delivered rather
>quickly, and it is to be delivered to an obscure depot in Dundalk ...

Well, first off, if you get a large order from a new customer and are not
calling him within 5 minutes of receiving the order, you are in the wrong
line of work. :)

If you are a large corporation selling products on credit then you *must*
be your own CA and you will go through the same processes of extending
credit as a bank will. It is quite silly to think that just because
someone sends you an order for $100,000 signed with a TTP Cert that you
will accept it and ship off product.

>> 
>> To be quite honest, what percentage of Internet transactions are likely to
>> involve export-controlled goods? Certainly not enough to base the whole
>> certification infrastructure upon.

>I would hope we are trying to construct an infrastructure that will be
>applicable in a wide variety of commercial and non-commercial situations.

Design flexible and adaptable systems rather than rigid, top down,
government mandated systems.

>> 
>> > Yes, but amazon.com would be most concerned that the entity that
>> > purported to state that the number you quoted was good for the amount in
>> > question was indeed that well known organisation VISA, and a certificate
>> > to that effect (perhaps from a CA) should resolve that.
>> 
>> Well, a certificate from Visa themselves would be best (by signing the
>> issuing bank's certificate, who would sign the cardholder's SET
>> certificate.)

>Indeed, if you knew it was from Visa.

Easy enough to verify.

>The real question at issue is how easy it would be to manage a scam
>involving a large interacting set of bogus certificates, all
>crosspointing at each other and including bogus CAs, which are then used
>to rip-off some unsuspecting dupes. A bogus manufactured web-of-trust, in
>fact. Yes, it would be a lot of work to produce such a bogus web, but
>computers could be rather good at doing that sort of thing.

Well you can't save the clueless from themselves.

Anyone who knows what they are doing would never be duped by a bogus "web
of trust". You must build your own web of trust. Someone else can't build
it for you. It's not something the pencil pushers in government can mandate
(well they can, but it won't work).

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
- ---------------------------------------------------------------
 
Tag-O-Matic: Rumour: NT means Not Tested
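As an added illustration of the exchange above (not code from the thread or its participants), a toy PGP-style key validity computation: the key names, the "two marginal introducers" rule and the sample key graph are all constructed here. It shows why a cluster of bogus keys that all cross-sign each other gains no validity unless the evaluating user has personally extended trust into it.

```python
"""Toy web-of-trust evaluation (constructed example, not from the thread).

Validity is derived only from the trust the evaluating user assigns, so a
self-contained web of cross-signed bogus keys (including a bogus 'CA') stays
invalid until the user signs and trusts one of its members.
"""

FULL, MARGINAL = "full", "marginal"
MARGINALS_NEEDED = 2  # classic PGP default: two marginal introducers suffice


def valid_keys(signatures, own_key, trust):
    """Return the set of keys considered valid from own_key's point of view.

    signatures: dict  signer -> set of keys that signer has certified
    own_key:    the user's own key; valid and fully trusted by definition
    trust:      dict  key -> FULL | MARGINAL, assigned by the user alone
    """
    trust = {**trust, own_key: FULL}
    valid = {own_key}
    changed = True
    while changed:  # iterate to a fixpoint; 'valid' only ever grows
        changed = False
        for key in set().union(*signatures.values()):
            if key in valid:
                continue
            # Only signatures from keys that are BOTH valid and trusted count;
            # a bogus key signing another bogus key contributes nothing.
            signers = {s for s, signed in signatures.items()
                       if key in signed and s in valid}
            fulls = [s for s in signers if trust.get(s) == FULL]
            margs = [s for s in signers if trust.get(s) == MARGINAL]
            if fulls or len(margs) >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid


def build_demo():
    """Constructed key graph: a genuine supplier vouched for by two introducers
    the user has met, plus a fabricated, fully cross-signed bogus web."""
    sigs = {"me": {"alice", "bob"}, "alice": {"supplier"}, "bob": {"supplier"}}
    bogus = [f"bogus{i}" for i in range(6)] + ["bogusCA"]
    for signer in bogus:  # every bogus key certifies every other bogus key
        sigs[signer] = {k for k in bogus if k != signer}
    sigs["bogusCA"].add("supplier")  # the bogus CA even vouches for the real supplier
    return sigs
```

Adding `sigs["me"].add("bogusCA")` together with `trust["bogusCA"] = FULL` models the duped user: once they certify and trust one bogus key, the entire cluster becomes valid.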
