1995-10-06 - Re: Certificate proposal

Header Data

From: Jeff Weinstein <jsw@netscape.com>
To: cypherpunks@toad.com
Message Hash: c2aba9badc68833644244ed021c0782d48cff0e689524deb1fb30ac76c3ef4b2
Message ID: <3074D42E.58DE@netscape.com>
Reply To: <199510060358.UAA03869@orac.engr.sgi.com>
UTC Datetime: 1995-10-06 07:04:44 UTC
Raw Date: Fri, 6 Oct 95 00:04:44 PDT

Raw message

From: Jeff Weinstein <jsw@netscape.com>
Date: Fri, 6 Oct 95 00:04:44 PDT
To: cypherpunks@toad.com
Subject: Re: Certificate proposal
In-Reply-To: <199510060358.UAA03869@orac.engr.sgi.com>
Message-ID: <3074D42E.58DE@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain

Tom Weinstein wrote:
> In article <DG06FE.IA8@sgi.sgi.com>, Hal <hfinney@shell.portal.com> writes:
> > OK, so suppose I want to send my credit card number to Egghead Software.
> > I get one of these new-fangled certificates from somebody, in which
> > VeriSign has certified that key 0x12345678 has hash 0x54321.  I think we
> > can agree that by itself this is not useful.  So, it will also bind in
> > some attribute.  What will that attribute be?
> Um, just a wild guess, but... your credit card number maybe?  (Well,
> okay, its hash.)

  The hash of just the card number isn't good enough.  If you collected
a bunch of certificates (they are public) then you could start guessing
valid card numbers and trying to match the hashes with your database.
The Mastercard SEPP proposal uses a salted hash, where the salt is
a shared secret between the bank and the user.


> --
> Sure we spend a lot of money, but that doesn't mean    |  Tom Weinstein
> we *do* anything.  --  Washington DC motto             |  tomw@engr.sgi.com

  There are too many Weinsteins hanging out here lately...  :-)

Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
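
The guessing problem described in the message above, and the effect of a secret salt, as an added example that is not part of the original message. The SHA-256 over `salt || number` layout, the function names and the known-prefix search are assumptions for illustration, not the SEPP format; the card number is a constructed test value.

```python
import hashlib
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a number that lacks its final digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # doubled positions once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def attribute(card: str, salt: bytes = b"") -> str:
    """Hash bound into the certificate (assumed layout: SHA-256 of salt || number)."""
    return hashlib.sha256(salt + card.encode()).hexdigest()


def candidates(prefix: str, length: int = 16):
    """Yield every Luhn-valid number of the given length that starts with prefix."""
    free = length - len(prefix) - 1
    for n in range(10 ** free):
        partial = prefix + str(n).zfill(free)
        yield partial + luhn_check_digit(partial)


def recover(published: str, prefix: str):
    """Return the number whose unsalted hash equals published, or None."""
    for card in candidates(prefix):
        if attribute(card) == published:
            return card
    return None


# Constructed sample data: a standard test number, not a real account.
CARD = "4111111111111111"
PREFIX = CARD[:11]                  # assumed known to whoever reads the certificate
SALT = secrets.token_bytes(16)      # shared only by the bank and the cardholder

UNSALTED = attribute(CARD)          # what a card-number-only hash would publish
SALTED = attribute(CARD, SALT)      # what a salted hash would publish

if __name__ == "__main__":
    print("unsalted attribute matched by:", recover(UNSALTED, PREFIX))
    print("salted attribute matched by:  ", recover(SALTED, PREFIX))
    print("bank recomputes with salt:    ", attribute(CARD, SALT) == SALTED)
```

The bank, which holds the salt, can still recompute and compare the published value, while a reader of the public certificate has nothing to test guesses against.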