Bill Frantz (frantz@netcom.com)
Thu, 29 Apr 1999 09:31:57 -0700
At 9:36 AM -0700 4/28/99, Michael Bauer wrote:
>Howdy.
>
>A non-profit org. I know of wants to be able to accept credit-card pledges
>from members via the Web, but they don't have a lot of $$ to spend on the
>project (i.e., they don't want to hire any 3rd party to accept the
>credit-card pledges for them). Assuming their own web-server is secure,
>what do you guys think about the following scenario?:
>
>1. Member enters credit-card #, etc. in SSL-protected web form.
>
>2. Form data is processed by PERL script that uses PGP (or is there a
>PERL module that can do this?) to encrypt form data with accountant's
>public key, mails encrypted data to accountant.
>
>Is this a viable proposal, or is it too vulnerable to chosen-plaintext
>or other cryptanalytical attacks? Or are we barking up the wrong tree
>altogether? I'm convinced that with a little effort we can construct a
>secure solution using established free/share-ware tools.

Given the $50 limit on end user liability for credit card fraud, I think
this approach is reasonable, even with 40 bit SSL. There are just too many
easier ways to steal money.
-------------------------------------------------------------------------
Bill Frantz | Macintosh: Didn't do every-| Periwinkle -- Consulting
(408)356-8506 | thing right, but did know | 16345 Englewood Ave.
frantz@netcom.com | the century would end. | Los Gatos, CA 95032, USA
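
The encrypt-to-the-accountant step from the quoted proposal, as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later as the PGP implementation; the recipient address, throwaway key and card data are constructed, and the mailing step is left out.

```shell
#!/bin/sh
# Added example; the key, address and card data are constructed for the demo.
set -eu
RCPT='accountant@example.org'                        # assumed recipient address
SAMPLE='name=Pat Example;card=4111111111111111;exp=12/30;pledge=25'  # test number

# Build two GnuPG home directories under $1: "acct" holds the accountant's
# private key, "web" receives only the exported public key.
setup_keys() {
    mkdir -m 700 "$1/acct" "$1/web"
    gpg --homedir "$1/acct" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "Demo Accountant <$RCPT>" \
        default default never 2>/dev/null
    gpg --homedir "$1/acct" --batch --armor --export "$RCPT" |
        gpg --homedir "$1/web" --batch --quiet --import 2>/dev/null
}

# Web-server side ($1 = homedir). Form data arrives on stdin, so it never
# appears in process arguments or in a temporary file. "--trust-model always"
# keeps the demo short; a deployment would pin the key by fingerprint.
encrypt_pledge() {
    gpg --homedir "$1" --batch --no-tty --quiet --trust-model always \
        --armor --encrypt --recipient "$RCPT"
}

# Accountant side ($1 = homedir): the only place the private key exists.
decrypt_pledge() {
    gpg --homedir "$1" --batch --no-tty --quiet --decrypt
}

demo() {
    d=$(mktemp -d)
    setup_keys "$d"
    ct=$(printf '%s' "$SAMPLE" | encrypt_pledge "$d/web")
    printf '%s\n' "$ct" | head -n 3          # start of what would be mailed
    printf '%s\n' "$ct" | decrypt_pledge "$d/acct" 2>/dev/null; echo
    # The web server's keyring has no private key, so this must fail.
    if printf '%s\n' "$ct" | decrypt_pledge "$d/web" >/dev/null 2>&1; then
        echo 'unexpected: web host could decrypt'; return 1
    fi
    echo 'web host cannot decrypt its own output'
    gpgconf --homedir "$d/acct" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$d/web" --kill gpg-agent 2>/dev/null || true
    rm -rf "$d"
}
demo
```

Because the web host holds only the public key, pledges already mailed stay unreadable to someone who later compromises that host; data passing through the script at the time of compromise is not protected by this step.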