I doubt if fast/fstc participants would look at the following example as a prime example .... but there are various "age" authentication services that are available on the internet today ... basically associated with adult entertainment ... but would also be applicable to online gambling, various kinds of online purchases (alcohol), etc. It doesn't have to identify who you are ... it just has to be able to answer the question that you are at least of legal age.
Now, it turns out that most of these services use effectively a "loop-hole" in the current online credit card system to implement their age authentication operation. There is such a thing in the industry called a "one dollar auth". Credit card operations typically have financial transactions authenticated and authorized in real time .... but the actual request for funds transfer is typically submitted in batches ... at end of day or possibly end of shift. A "one dollar auth" is an authorization request for a one dollar credit card transaction, typically also with name & AVS (address verification) data. If the name, account number, and AVS all verify .... and there are no other outstanding problems .... then the request comes back approved. The "age" authentication services typically are registering individuals by requesting the information to perform a "one dollar auth" .... where there is no subsequent batch submission for actual funds transfer. If the "one dollar auth" is approved, the age authentication services take the result as indication of legal age .... the credit card owner needing to have been of legal age to have legally signed the credit card contract and obtained the credit card in the first place. Since no funds transfer actually takes place, nothing shows up on the consumer's credit card bill. The age verification service is charged a very nominal transaction fee for the "one dollar auth" (along with the AVS transaction). The age verification service then just packages that one time charge into the fees that they charge their customers. They effectively maintain a local "cache" of the answer to the "one dollar auth" transaction. I would contend that the evidence that such things are going on today ... is that the current system is "open" in the sense that it has open standards (like ISO 8583) and lots of entities are making use of it.
In theory, one opportunity for FAST-like offerings is for the financial industry to get directly into the age authentication service business (in theory being able to do it at least as well with the data as the 3rd party players out there today). An X9.59-like transaction can be defined .... but in place of "dollar amount", there are misc. other types of fields .... like "legal age". The consumer then digitally signs the transaction and forwards it to the merchant or server. The server takes the transaction and ejects it into the appropriate authentication network (very much like credit card transactions are done today) and gets back a "YES/NO" answer (again very much like credit card transactions happen today) .... the only difference is instead of asking for consumer funds approval, the merchant is asking a question about legal age. Identity information isn't being divulged ... not even date-of-birth ... which could raise a serious identity fraud question .... just answering YES/NO to the legal age question. It could look like an X9.59 transaction, taste like an X9.59 transaction ... but instead of having funds involved, it has legal age involved. It effectively creates an "open" online, authentication infrastructure ... requiring the consumer to digitally sign the transaction .... and a recognized certification authority providing real time, non-privacy invasive, answers. It otherwise has all the elements of an open public key infrastructure (registration authorities, certification authorities, consumers, relying parties, etc) w/o any certificates. In that sense it is an online PKI paradigm .... rather than the certificate-based offline PKI paradigm (which emulates the pre-70s offline credit card infrastructure).

<[EMAIL PROTECTED]> at 12/26/2001 2:36 pm wrote: in addition to the x9.59 for all electronic payment transactions ...
it is possible to extend online authentication where the institution possibly isn't also responsible for the authorization (and/or access privileges).... things like FAST projects in FSTC: http://www.fstc.org/projects/fastaggregation.cfm

---------------------------------------------------------------------
The Cryptography Mailing List
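
The certificate-less online flow described in this message, as an added Go example that is not part of the original post and is not X9.59 itself: the institution verifies the consumer's signature against the public key registered for the account and returns only YES/NO, never the date of birth. The message layout, field names, the merchant nonce used to refuse replays, the choice of Ed25519 and the account data are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// AgeQuery (hypothetical layout) has "legal age" in place of an amount; no name, no birth date.
type AgeQuery struct {
	Account, Merchant, Nonce string // Nonce is chosen by the merchant
	MinAge                   int
}
func (q AgeQuery) bytes() []byte { return []byte(fmt.Sprintf("%#v", q)) } // bytes that get signed

// Institution keeps, per account, the registered public key (no certificate
// is issued) and the date of birth, which it never releases.
type Institution struct {
	pub  map[string]ed25519.PublicKey
	dob  map[string]time.Time
	seen map[string]bool // nonces already answered, to refuse replays
}
// Answer checks the signature against the key on file and returns YES/NO only.
func (in *Institution) Answer(q AgeQuery, sig []byte, now time.Time) bool {
	pub, ok := in.pub[q.Account]
	if !ok || in.seen[q.Nonce] || !ed25519.Verify(pub, q.bytes(), sig) {
		return false
	}
	in.seen[q.Nonce] = true
	return !in.dob[q.Account].AddDate(q.MinAge, 0, 0).After(now)
}
// demo runs constructed cases: adult, minor, altered query, replayed query.
func demo() [4]bool {
	now := time.Date(2001, 12, 26, 0, 0, 0, 0, time.UTC)
	in := &Institution{map[string]ed25519.PublicKey{}, map[string]time.Time{}, map[string]bool{}}
	keys := map[string]ed25519.PrivateKey{}
	for i, acct := range []string{"acct-adult", "acct-minor"} { // constructed accounts
		keys[acct] = ed25519.NewKeyFromSeed(append(make([]byte, 31), byte(i+1)))
		in.pub[acct] = keys[acct].Public().(ed25519.PublicKey)
		in.dob[acct] = time.Date(1970+20*i, 1, 1, 0, 0, 0, 0, time.UTC) // born 1970, 1990
	}
	ask := func(acct, nonce string, signedAge, sentAge int) bool {
		sig := ed25519.Sign(keys[acct], AgeQuery{acct, "shop", nonce, signedAge}.bytes())
		return in.Answer(AgeQuery{acct, "shop", nonce, sentAge}, sig, now)
	}
	return [4]bool{ask("acct-adult", "n1", 18, 18), ask("acct-minor", "n2", 18, 18),
		ask("acct-adult", "n3", 10, 18), ask("acct-adult", "n1", 18, 18)}
}
func main() { fmt.Println(demo()) } // [true false false false]
```

The merchant learns only the boolean; a query altered after signing and a replayed nonce both come back NO, the same as an unknown account.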
