Subject: RE: Questions about Withdrawal and Deposit Transaction on IOTP
Masaaki
See comments below.
David
----------
From: Masaaki Hiroya
Sent: 07 October 1998 10:46
To: David Burdett
Subject: Questions about Withdrawal and Deposit Transaction on IOTP
David,
I have two basic questions about baseline withdrawal and baseline
deposit.
Question 1
According to the IOTP specification (Figs 20 & 21), in baseline
deposit a brand to be used is selected on an HTML page but not by the
TPO selection message.
I think it is inconsistent with baseline withdrawal and baseline
purchase because both of them use the TPO selection message for brand
selection but baseline deposit doesn't.
Is there any reason why TPO selection is not used in baseline
deposit?
>>>There is an assumption that, when you are making a deposit, you
know what type of electronic cash you want to deposit. It doesn't
quite make sense to go to a bank web site and then to be asked which
Brand do you want to deposit. For example a Financial Institution
wouldn't ask "Do you want to deposit your electronic cash as Mondex,
as Visa Cash or as GeldKarte?".
However the TPO selection message is used to select the *payment
protocol* to use since you may have several different ways of
depositing Visa Cash for example. So the TPO Selection is used for
this purpose only. If you read step 3 in figures 20 and 21 it says
this. So what I suggest is that:
* we add clarification to section 7.2.2 on the fact only the payment
protocol is selected, and
* we also need to remove payment method selection from Deposit with
Authentication (see the answer to the next question for the reasons
why).
<<<
Question 2
In baseline withdrawal, TpoBlk and AuthReqBlk are sent in the first
message.
If authentication methods depend on payment brand (payment
instrument), we cannot send TpoBlk and AuthReqBlk at the same time.
I think brand independent authentication and brand dependent
authentication are necessary just like brand independent purchase and
brand dependent purchase.
What do you think about it?
>>> I agree that authentication may depend upon payment brand. However
it is also possible that authentication is done using a method which
is independent of a payment brand using, for example, a pass phrase.
The point is that really the approach should be as illustrated in the
diagram below (view it in a fixed font).
CONSUMER                            MERCHANT

    <------------------------------ Auth Method
    |                               List
    v
Consumer selects
Auth Method
    |
    v
Auth Method
Selection ------------------------->
                                        |
                                        v
                                    Merchant generates
                                    Auth Request for
                                    selected Auth Method
                                        |
                                        v
                                    Authentication
    <------------------------------ Request
    |
    v
Consumer generates
Auth Response
    |
    v
Authentication
Response
    |
    ------------------------------->
                                        |
                                        v
                                    Merchant checks
                                    Auth. Response
In baseline it is assumed that the Authentication Method is known
since authentication method selection is not supported.
On a withdrawal, it is likely that the Consumer knows which brand of
electronic cash she wants to withdraw, therefore the Financial
Institution (aka the Merchant) will know which method of
authentication to apply.
Therefore suggest that:
* in Baseline we:
  * change "withdrawal with authentication" to work like a deposit in
    that the brand of electronic cash being withdrawn and the payment (and
    hence authentication method) protocol is known in advance
  * leave "withdrawal without authentication" unchanged
* include authentication method selection as a possible enhancement
  for version 2.0
<<<
Masaaki
-----
Masaaki Hiroya
Systems Development Laboratory
Hitachi, Ltd.
email: hiroya@sdl.hitachi.co.jp
tel: +81-44-966-9111
fax: +81-44-966-1796
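
The method-selection exchange in the diagram above, sketched as an added example that is not part of the original message or of the IOTP specification. It assumes a brand-independent pass phrase method implemented as an HMAC-SHA256 challenge-response; the method names, classes and message fields are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical method identifiers; the thread does not give IOTP's own names.
OFFERED = ["passphrase-hmac-sha256", "brand-specific"]

def _mac(passphrase, challenge):
    return hmac.new(passphrase.encode(), challenge, hashlib.sha256).digest()

class Merchant:
    def __init__(self, passphrases):
        self.passphrases = passphrases  # consumer id -> shared pass phrase
        self.pending = {}               # consumer id -> outstanding challenge

    def auth_method_list(self):
        return list(OFFERED)

    def auth_request(self, consumer_id, selected):
        # Only accept a selection that was in the list this merchant offered.
        if selected not in OFFERED:
            raise ValueError("selected method was not offered")
        if selected != "passphrase-hmac-sha256":
            raise NotImplementedError("brand-specific method not modelled")
        challenge = secrets.token_bytes(16)
        self.pending[consumer_id] = challenge
        return {"method": selected, "challenge": challenge}

    def check_response(self, consumer_id, response):
        # The challenge is single use, so a replayed response is rejected.
        challenge = self.pending.pop(consumer_id, None)
        if challenge is None:
            return False
        expected = _mac(self.passphrases[consumer_id], challenge)
        return hmac.compare_digest(expected, response)

class Consumer:
    def __init__(self, consumer_id, passphrase, supported):
        self.consumer_id, self.passphrase, self.supported = consumer_id, passphrase, supported

    def select_method(self, offered):
        for method in offered:          # first offered method we also support
            if method in self.supported:
                return method
        raise ValueError("no common authentication method")

    def auth_response(self, request):
        return _mac(self.passphrase, request["challenge"])

def run_exchange(merchant, consumer):
    selected = consumer.select_method(merchant.auth_method_list())
    request = merchant.auth_request(consumer.consumer_id, selected)
    response = consumer.auth_response(request)
    return selected, merchant.check_response(consumer.consumer_id, response)
```

In the baseline case described in the reply, the selection step is skipped and the merchant issues the request for the method implied by the known brand and payment protocol.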