[ic] Re: User options

Toni Mueller support-ic at oeko.net
Wed May 10 04:20:49 EDT 2006


Hello Bill, hello Peter,

On Thu, 06.04.2006 at 09:51:21 -0400, Bill Carr <bill at worldwideimpact.com> wrote:
> On Apr 5, 2006, at 11:08 PM, Peter wrote:
> >On 04/05/2006 07:18 PM, Bill Carr wrote:
> >That's a really tough one.  The best way to go is to store the data
> >encrypted on one server, then allow that server access to another
> >server which will have the necessary private key to unencrypt the
> >data and push the transaction through the credit card processor
> >(but does not store the data post transaction), then you can keep
> >the encrypted data separate from the key required to unencrypt it.
> >There are probably other ways to do this, that is just one way that
> >comes to mind.

I think this is a bad idea. If the customer (the shop server) can
decrypt the card details, the attacker can do it, too. So you gain
nothing except for a second computer.

> It has been a burden for us to walk our customers through setting up
> their PGP keys. We have been using Windows Privacy Tools. Our
> customers are mostly non-technical and often get confused by the
> process. Almost all of them are on Windows. We are also limiting them
> to using Outlook Express for e-mail because there is a WinPT plugin
> for it. What are some easier ways to get non-technical, remote users
> set up with PGP?

Try to set them up using Thunderbird (or SeaMonkey) plus Enigmail plus
GnuPG which is *MUCH* better for PGP usage. For one, it can do
PGP/MIME, and you will transparently see the contents of your
PGP-encrypted attachment much in the same way that you get to see an
attached PDF in your email - you still need to enter the passphrase,
however.

If you want to see the credit card number in the admin screens, then
you need to de-couple the real shop and the admin screen to run on
different machines, and prevent the shop server from ever accessing the
admin server where you need to have the private key for backend usage,
in addition to having extra hard security on that box to prevent it
from being cracked.


FWIW, WinPT uses the Windows clipboard and can therefore be used
together with any email program.


Best,
--Toni++
