Tom Weinstein wrote:
In article <DG06FE.IA8@sgi.sgi.com>, Hal <hfinney@shell.portal.com> writes:
OK, so suppose I want to send my credit card number to Egghead Software. I get one of these new-fangled certificates from somebody, in which VeriSign has certified that key 0x12345678 has hash 0x54321. I think we can agree that by itself this is not useful. So, it will also bind in some attribute. What will that attribute be?
Um, just a wild guess, but... your credit card number maybe? (Well, okay, its hash.)
The hash of just the card number isn't good enough. If you collected a bunch of certificates (they are public) then you could start guessing valid card numbers and trying to match the hashes with your database. The Mastercard SEPP proposal uses a salted hash, where the salt is a shared secret between the bank and the user. --Jeff
-- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw@engr.sgi.com
There are too many Weinsteins hanging out here lately... :-) -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.