Hal wrote:
> Jeff Weinstein <jsw@netscape.com> writes:
> > I think the old idea of a certificate just binding a name and a key is turning out to not be very useful. That is why Netscape Navigator 2.0 will support x509 version 3 certificates. They allow arbitrary attributes to be signed into a certificate. In this new world, you can think of a certificate as a way of binding a key with various arbitrary attributes, one of which may be (but is not required to be) a name.
>
> OK, so suppose I want to send my credit card number to Egghead Software. I get one of these new-fangled certificates from somebody, in which VeriSign has certified that key 0x12345678 has hash 0x54321. I think we can agree that by itself this is not useful. So, it will also bind in some attribute. What will that attribute be?

It would be some value that would allow the credit card authorization agency to match it up with the submitted credit card number. In the case of MasterCard's SEPP they are using a salted hash of the Account Number, where the salt value is unique per account, is secret, and is shared between the bank and the card holder.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
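The SEPP-style attribute Jeff describes, as an added illustration that is not from the thread or from SEPP itself: the hash construction (HMAC-SHA256 keyed by the per-account salt), the attribute encoding and all account numbers and salts below are assumptions made for this example.

```python
# Added illustration of a per-account salted hash of the account number, the kind of
# value that could be signed into an X.509 v3 certificate as an attribute.
# ASSUMPTIONS: HMAC-SHA256 keyed by the salt, hex encoding, constructed sample values.
# SEPP's real construction is not given in the thread.
import hashlib
import hmac
import secrets


def new_account_salt() -> bytes:
    """Secret salt generated once per account; shared only between bank and card holder."""
    return secrets.token_bytes(16)


def account_attribute(account_number: str, salt: bytes) -> str:
    """Certificate attribute: a keyed (salted) hash of the account number.
    Without the secret salt, a candidate account number cannot be checked against it,
    so the attribute does not reveal the number to anyone else who sees the certificate."""
    digits = account_number.replace(" ", "")
    return hmac.new(salt, digits.encode("ascii"), hashlib.sha256).hexdigest()


def bank_matches(submitted_account_number: str, cert_attribute: str, salt: bytes) -> bool:
    """Authorization-side check: recompute the attribute from the submitted number and the
    salt on file for that account, then compare in constant time."""
    expected = account_attribute(submitted_account_number, salt)
    return hmac.compare_digest(expected, cert_attribute)


# Constructed sample values (not real account data); salt fixed here for reproducibility.
CARD_HOLDER_ACCOUNT = "4000 1234 5678 9010"
ACCOUNT_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
CERT_ATTRIBUTE = account_attribute(CARD_HOLDER_ACCOUNT, ACCOUNT_SALT)


def demo() -> dict:
    """Shows who can and cannot match the attribute to a submitted number."""
    return {
        "bank_with_salt": bank_matches(CARD_HOLDER_ACCOUNT, CERT_ATTRIBUTE, ACCOUNT_SALT),
        "wrong_number": bank_matches("4000 1234 5678 9028", CERT_ATTRIBUTE, ACCOUNT_SALT),
        "third_party_without_salt": bank_matches(CARD_HOLDER_ACCOUNT, CERT_ATTRIBUTE, b"guess"),
        "same_number_other_salt": account_attribute(CARD_HOLDER_ACCOUNT, new_account_salt())
        == CERT_ATTRIBUTE,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```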