[2604] in cryptography@c2.net mail archive

Java wallets was: Credit cards crushing virtual cash

daemon@ATHENA.MIT.EDU (Pat Farrell)
Tue Apr 28 23:19:33 1998

Date: Tue, 28 Apr 1998 23:05:24 -0400
To: Robert Hettinga <rah@shipwright.com>, cypherpunks@cyberpass.net,
        cryptography@c2.net
From: Pat Farrell <pfarrell@netcom.com>
In-Reply-To: <v04003a01b1678026f773@[139.167.130.247]>

This is slightly off topic, so I'll be quick in correcting a misunderstanding...

At 07:12 AM 4/26/98 -0400, Robert Hettinga quoted someone saying:
>CyberCash, for example, has turned its cyber wallet into a Java applet
>that will run on merchants' Web sites, much as credit card transaction
>processing systems run on cyberstores today.

This is not quite accurate, and since I'm writing the Java applet,
I think I'm a pretty good source....

CyberCash's Java wallet will run as a classic thin client.
The presentation runs on the client's computer, but all the
serious code runs on a secure server located in a real operational
datacenter (run by CyberCash, a bank, or some other appropriate party).
The secure server will talk to both the Merchant's web site, and to the
financial system. Communication to the financial system will be based upon
either CyberCash's existing secure protocols, or other protocols/services
such as SET or even something like a Mondex. No important code,
at least in the sense of the security of the financial transaction,
executes on the merchants' web site.

If folks (customers, banks, credit card associates, etc.) insist, 
we can perform local crypto on the consumer's PC.
Some engineers don't think that relying on consumer-selected passwords
to protect files that can be attacked offline with any of a number of
dictionary attacks is nearly as strong as storing the sensitive
data on a properly secured machine. But that is a separate topic....

While CyberCash merchants traditionally ran their "cash register" software
on their own site, recent releases of the CyberCash cashregister 
product can run the cash register on our secure site as well.

If the Java wallet is talking to a cashregister that is also
executing on our site, then we don't need to do as much heavyweight
cryptography, and can speed up processing. If not, both the
classic CyberCash protocols, and protocols such as SET, use standard
strong crypto like RSA wrapping DES session keys.
[I had to get some cryptographic content in this :-)]

Pat


Pat Farrell    CyberCash, Inc.    (703) 715-7834
pfarrell@cybercash.com
#include standard.disclaimer
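
The "RSA wrapping DES session keys" construction mentioned in the message above, sketched as a digital envelope in Java. This is an added example, not part of the original post and not CyberCash's or SET's code; the class name, key size, padding modes and sample payload are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added illustration of a digital envelope: RSA wraps a one-time DES key.
// All names and parameters here are assumptions, not taken from the post.
public class EnvelopeDemo {
    public static void main(String[] args) throws Exception {
        // Recipient's long-term RSA key pair (e.g. held by the secure server).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();

        // Sender: fresh DES session key used for this one message only.
        // DES appears because the post names it; its 56-bit key is obsolete today.
        SecretKey session = KeyGenerator.getInstance("DES").generateKey();

        // Sender: bulk-encrypt the payload under the fast symmetric key.
        // CBC alone gives no integrity protection; real protocols add signatures or MACs.
        byte[] payload = "constructed sample payment message"
                .getBytes(StandardCharsets.UTF_8);
        Cipher bulk = Cipher.getInstance("DES/CBC/PKCS5Padding");
        bulk.init(Cipher.ENCRYPT_MODE, session);
        byte[] iv = bulk.getIV();                 // random IV chosen by the provider
        byte[] ciphertext = bulk.doFinal(payload);

        // Sender: wrap the session key under the recipient's RSA public key.
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] wrappedKey = rsa.wrap(session);

        // On the wire: wrappedKey, iv, ciphertext.
        // Recipient: one slow RSA private-key operation recovers the session key,
        rsa.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        Key recovered = rsa.unwrap(wrappedKey, "DES", Cipher.SECRET_KEY);

        // then the symmetric cipher decrypts the bulk data.
        bulk.init(Cipher.DECRYPT_MODE, recovered, new IvParameterSpec(iv));
        String plain = new String(bulk.doFinal(ciphertext), StandardCharsets.UTF_8);

        System.out.println("wrapped key bytes: " + wrappedKey.length);
        System.out.println("recovered: " + plain);
    }
}
```

The per-message RSA operations are the "heavyweight" part; when both endpoints run inside the same trusted site, that wrap/unwrap step is what can be skipped.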
