 
In <199711121751.JAA01757@slack.lne.com>, on 11/12/97 at 09:51 AM, Eric Murray <ericm@lne.com> said:
[details: according to the spec the cardholder sends to the merchant thumbs (SHA1 hashes) of all the certs in the cardholder's cert cache. Since this will contain certs from merchants the cardholder has made purchases from in the past, a merchant could simply match up those merchant cert thumbs with cert thumbs he obtains from other merchants, allowing him to build a list of merchants the cardholder has attempted to make purchases from].
Sorry I haven't been keeping track of the SET but why would a merchant need this info in the first place??? If anything one would think that this would be client driven not server driven (i.e. the client queries the merchant for the hash of his cert to see if the client already has a copy or not). I am not quite sure what they are trying to accomplish by this unless what you consider a "flaw" is really a "feature by design"?

--
---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
---------------------------------------------------------------
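The following is an added example, not part of either message and not SET code: it contrasts what a receiving merchant can infer from the cache thumbs described in the quoted text with the client-driven query suggested in the reply. The certificates are constructed byte strings, and the class and function names are hypothetical.

```python
import hashlib

def thumb(cert_der: bytes) -> bytes:
    """SHA-1 thumbprint of an encoded certificate, as in the quoted description."""
    return hashlib.sha1(cert_der).digest()

# Constructed stand-ins for DER-encoded certificates (not real SET certs).
CERTS = {
    "bookshop": b"constructed-cert:bookshop",
    "pharmacy": b"constructed-cert:pharmacy",
    "travel":   b"constructed-cert:travel",
    "brand-ca": b"constructed-cert:brand-ca",
}

class Cardholder:
    """Hypothetical model of a cardholder's certificate cache."""
    def __init__(self, cached_names):
        self.cache = {thumb(CERTS[n]): CERTS[n] for n in cached_names}

    def thumbs_sent_to_merchant(self):
        # Behaviour described in the quoted text: every cached thumb is sent.
        return set(self.cache)

    def needs_cert(self, offered_thumb: bytes) -> bool:
        # Client-driven alternative from the reply: the merchant offers the
        # thumb of its own cert and the cache lookup stays on the client.
        return offered_thumb not in self.cache

def merchants_revealed(received_thumbs, known_merchant_certs):
    """Names a receiving merchant can link to the cardholder by matching
    received thumbs against merchant certs it has collected."""
    index = {thumb(der): name for name, der in known_merchant_certs.items()}
    return sorted(index[t] for t in received_thumbs if t in index)

def demo():
    holder = Cardholder(["bookshop", "pharmacy", "brand-ca"])
    collected = {n: CERTS[n] for n in ("bookshop", "pharmacy", "travel")}
    leaked = merchants_revealed(holder.thumbs_sent_to_merchant(), collected)
    # Client-driven: the travel merchant learns only whether to send its cert.
    one_bit = holder.needs_cert(thumb(CERTS["travel"]))
    return leaked, one_bit

if __name__ == "__main__":
    print(demo())
```

With the full cache sent, the receiving side recovers every past merchant whose cert it holds; with the client-driven lookup, the only thing disclosed is whether the cardholder already has that one merchant's cert.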