Co-op Bank and Verified by Visa
Charles Lindsey
chl at clerew.man.ac.uk
Wed Jun 24 12:39:46 BST 2009
On Tue, 23 Jun 2009 21:35:31 +0100, Peter Fairbrother
<zenadsl6186 at zen.co.uk> wrote:
> Lloyds Clicksafe T&C's say they use RSA Security Ireland Ltd., or a
> subsidiary, to do the verification for them, so afaict (unless RSASI are
> operating using the lloyds.com name, which would be - ugly) in a normal
> transaction a Lloyds certificate wouldn't be used, and in many cases, eg
> if the retailer uses an iFrame, the certificate wouldn't be visible.
No, that is not correct. Consider the following scenario.
1. Lloyds generate a public/private key pair (probably with a shortish
TTL) together with a certificate asserting themselves as owners, and
signed by another of their well-trusted certificates (as backed by a chain
going right back to Verisign).
2. Lloyds provide a copy of the private key to RSA Ireland, and instruct
them to use that key and provide that certificate when soliciting
SecureKeys from Lloyds customers (it would be unwise for Lloyds to use
that particular key for any other purpose).
3. The customer sees a window asking for his SecureKey which is evidently
encrypted with a key belonging to Lloyds, as vouched for by a (possibly
slightly longer than usual) chain going right back to Verisign; in spite
of the fact that the window actually came from RSA Ireland (maybe via the
Merchant) and that the reply will go back to RSA Ireland.
4. It might be technically necessary to create a special domain
RSA-Lloyds.co.ie resolving to one of RSA's usual IP addresses and to refer
to this in the certificate, but the snail-mail address in the certificate
would still be Lloyds well-known corporate London address.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
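As an added illustration (not part of the post above, nor code from Lloyds or RSA), the following Go program builds the three-certificate chain described in steps 1-4 with nothing but the standard library and then checks it the way a customer's browser would: a path to a trusted root, validity at the time of the check, and the hostname matched against the subjectAltName. The root, the bank's organisation, the street address and the .example hostname are invented stand-ins for Verisign, Lloyds and RSA-Lloyds.co.ie. What it shows beyond the text is which parts of the certificate the browser actually consults: the hostname in the SAN decides acceptance, the short TTL takes the leaf out of service on its own, and the postal address in the subject is carried but never checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Chain is the hierarchy from the scenario: a root standing in for Verisign,
// the bank's own long-lived CA certificate, and the short-lived leaf whose
// private key is handed to the verification contractor. All names are
// hypothetical.
type Chain struct {
	Root, CA, Leaf *x509.Certificate
	LeafKey        *ecdsa.PrivateKey // the copy that would go to RSA Ireland
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain issues the hierarchy at time now. leafDNS is the hostname the
// contractor's server will present (step 4); leafTTL is the "shortish TTL"
// of step 1.
func BuildChain(now time.Time, leafDNS string, leafTTL time.Duration) *Chain {
	rootKey, caKey, leafKey := mustKey(), mustKey(), mustKey()
	year := 365 * 24 * time.Hour

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(10 * year),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// The bank's well-trusted certificate (step 1): may sign end-entity
	// certificates only, and its key never leaves the bank.
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"Hypothetical Bank plc"}, CommonName: "Hypothetical Bank Issuing CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(5 * year),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 0, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	ca := issue(caTmpl, root, &caKey.PublicKey, rootKey)

	// The delegated leaf (steps 1-2 and 4): the bank's organisation and
	// postal details in the subject, the contractor's hostname in the SAN,
	// a short lifetime, and usage limited to TLS server authentication so
	// the shared key is good for nothing else.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject: pkix.Name{
			Organization: []string{"Hypothetical Bank plc"},
			Locality:     []string{"London"}, StreetAddress: []string{"1 Example Street"},
			CommonName:   leafDNS,
		},
		DNSNames:    []string{leafDNS},
		NotBefore:   now.Add(-time.Minute), NotAfter: now.Add(leafTTL),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return &Chain{Root: root, CA: ca, Leaf: leaf, LeafKey: leafKey}
}

// Verify does what the customer's browser does with the served certificate
// (step 3): build a path to a trusted root, check validity at time at, and
// match hostname against the SAN. The postal address in the subject plays
// no part in this check.
func (c *Chain) Verify(hostname string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.CA)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: hostname, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}
```

Run BuildChain(time.Now(), "rsa-hypotheticalbank.example", 24*time.Hour) and call Verify three times: with the contractor's hostname at the current time it returns nil; with the bank's own hostname it returns a hostname error, because the SAN, not the organisation or address, is what is matched; and with the contractor's hostname 48 hours later it returns an expiry error, which is the "shortish TTL" of step 1 doing its job without any revocation traffic.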