On 2/24/17 06:14, Anders Rundgren wrote: > A payment ecosystem consists of independently managed systems where > particularly Merchants' and Users' systems are not assumed to be > perfect. A Merchant signature (if it can be securely derived to the > claimed Merchant identity NB...), at least provides some kind of proof > that the involved parties are actually dealing with the same data. So > I would rather characterize this as a basic data integrity solution. I'd characterize it as blindly and randomly applying security technologies in the naïve hope that doing so will somehow make the system "better" in a way that can't be explained. Start with a threat model. Then come up with countermeasures. Just throwing signatures into the mix without an understanding of why you're doing so -- specifically, knowing exactly what attack you're preventing -- leads to implementation complexity and the illusion of improved security, with no real benefit. -- Adam Roach Principal Engineer, MozillaReceived on Friday, 24 February 2017 17:39:37 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:43:24 UTC