CC shared secret
Charles Lindsey
ukcrypto at chiark.greenend.org.uk
Fri, 08 Aug 2008 12:33:54 +0100

On Thu, 07 Aug 2008 17:26:56 +0100, Roland Perry
<lists@internetpolicyagency.com> wrote:
> In article <op.ufiibclh6hl8nm@clerew.man.ac.uk>, Charles Lindsey
> <chl@clerew.man.ac.uk> writes
>> I think you have to trust CYCOTA to the same extent that you trust your
>> Bank.
>
> What worries me about this whole thing is that the card companies want
> us to keep the secrets secret, and then invent ways that to a casual
> observer might appear to be leaking the secret to third parties. So who
> else might they think we are supposed to know to trust?

Well I did complain to Natwest/RBS when I first saw the CYCOTA
certificate, but they did confirm that CYCOTA were their appointed agents.
CYCOTA seem to be able to go to the trouble of including the correct
bank's logo on the page they exhibit, so surely it would not be beyond the
wit of man to arrange for them to exhibit a certificate traceable to the
relevant bank. All it needs is a specially constructed key pair with short
expiry (so there is little risk in letting CYCOTA have the private key),
itself signed by one of the bank's better known keys which in turn would
be signed by the usual Verifraud clowns.
<rant>
One of my complaints about the whole SSL certificate system is that you
are offered no choice of which ultimate CA the certificate relies on - you
just get whoever the site in question chose to patronize. It would have
been far better for each site to get itself certified by more than one CA,
and to present certificates from them all. Then I could safely tell my
browser not to recognize Verifraud.
</rant>
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
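
The delegation arrangement proposed in the message above, sketched with the openssl command line as an added example that is not part of the original post: a root CA certifies a bank CA key, which in turn signs a 7-day certificate for the bank's agent. All names, lifetimes and file names are constructed, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/usr/bin/env bash
# Added illustration; every name, lifetime and file name is constructed.
# Chain: root CA -> bank CA key -> short-lived key held by the bank's agent.

make_chain() (                          # $1 = empty working directory
  cd "$1" || exit 1
  cat > x.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
EOF
  new='-newkey rsa:2048 -nodes -config x.cnf'
  # Root CA: stands in for the public CA already in the browser's trust store.
  openssl req -x509 $new -extensions ca -days 3650 -subj "/CN=Constructed Root CA" \
    -keyout root.key -out root.pem 2>/dev/null || exit 1
  # Bank key, certified by the root as a CA so it can sign for its agent.
  openssl req -new $new -subj "/O=Constructed Bank/CN=Constructed Bank CA" \
    -keyout bank.key -out bank.csr 2>/dev/null || exit 1
  openssl x509 -req -in bank.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile x.cnf -extensions ca -out bank.pem 2>/dev/null || exit 1
  # Agent key: 7-day lifetime, signed by the bank rather than by the root.
  openssl req -new $new -subj "/O=Constructed Agent/CN=pay.agent.example" \
    -keyout agent.key -out agent.csr 2>/dev/null || exit 1
  openssl x509 -req -in agent.csr -CA bank.pem -CAkey bank.key -CAcreateserial \
    -days 7 -extfile x.cnf -extensions leaf -out agent.pem 2>/dev/null
)

# Validate the agent certificate as a client would, $2 days from now.
verify_after_days() (
  cd "$1" || exit 1
  openssl verify -attime "$(( $(date +%s) + $2 * 86400 ))" \
    -CAfile root.pem -untrusted bank.pem agent.pem >/dev/null 2>&1
)

# The issuer field of the agent certificate names the bank.
agent_issuer() { openssl x509 -in "$1/agent.pem" -noout -issuer; }
```

Validation of the agent certificate succeeds one day after issuance and fails at 30 days, so a leaked agent key is only useful until the short expiry passes.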