On Mon, Jan 5, 2009 at 1:16 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> Ian G wrote, On 2009-01-05 11:28:
>> We know as a more or less accepted fact that the design of secure
>> browsing was for Credit Cards,
>
> I believe that you've accepted that as fact. But PR and marketing is not
> design. It was designed for MUCH more than mere credit cards.
>
>> and the benefit there is solely for CC vendors, not consumers, because
>> the consumers are already covered by the $50 liability limit. They never
>> had any real concern whatsoever that anyone was reading their cc
>> numbers.)
>
> Only in the USA is that even close to true. And even in the USA, the
> damage caused by a stolen credit card is far broader than whatever
> monetary value the thief got with the stolen number. But that's somewhat
> moot because CCs are NOT and never were the sole reason for the design
> of SSL. (Did you read what I previously wrote about SSL vs SET?)

In the US, there's a federal $50 limit on cardholder liability, provided some requirements are met (and there are certain exceptions which impose a $0 liability limit). Also in the US (specifically related to US-issued cards) VISA and MasterCard impose a no-liability policy, provided the same conditions as required for the $50 liability limit are met.

The problem, Nelson, is that the entire system as presented to the user -- the lock icon, SSL (which was originally designed by Netscape), and everything -- was designed to enable electronic commerce once the Commercial Internet Exchange was created. Netscape's business reason for creating SSL was to enable electronic commerce. There's no disclosure of how much Netscape was paid by Verisign and other CAs to be part of the root program (though you said that it was widely believed to be USD 100K, which was used to fund the development of SSL).

The fact that the protocol is useful for other things is a complete and utter red herring in this conversation, since the policies of Mozilla's root program maintain the requirements imposed by ANSI X9 *for financial certification authorities*. In fact, if I remember correctly, EV was intended to reduce the risk of disclosure of *financial information* by phishing.

Even if SSL wasn't specifically designed to be only used to protect credit cards (generalized into 'financial information', since it is), that was one of the most important goals (by the funders of the SSL development, if not by Netscape itself).

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto