Re: VASC launches new e-commerce products

Hello Nam,

glad to see you posting here, and a very informative post too. :)
Keep it coming!

AFAIK, IncomBank needs a "Payment Gateway", which brings the CreditCard
Data from the Internet to the Banking-internal Network, and the responses
back to the Internet. This requires usually a secure Webserver, which
could/should be run by VASC. The required certificate for that secure
webserver they could buy IMHO from Thawte, VeriSign, SecureNet, etc.
Browsers would accept that without any alarm or similar. No need for
issuing their own certificate ("their own money").

One more issue: How come those hype press stories always? Are the press
releases not clear, or even over-stating? Or do the reporters not
understand the issues? Or do the stories get bigger through the
translation? Or all of them? ;)

If somebody does not know much and/or cannot check the issues, they have to
believe, that VASC (or a number of similar companies) are really great. For
those who can check, after a while, they don't take VASC's (and Co) press
releases seriously anymore, because there is nearly always so much wind,
and very little substance.

Cheers,
Stefan

At 00:15 03.05.2002 +0000, Nam Tran wrote:
-------------------------

>Good points there, Stefan and Viet. I think what's being attempted here is
>to provide a technical infrastructure for secure internet transactions. Of
>course such an infrastructure is a lot more complicated and necessarily
>linked with a legal infrastructure. It's good start although much more
>modest than what the press is describing.
>
>To answer some questions. VASC does intend to provide certificates, not
>just the CA software, which by the way I doubt they develop themselves. To
>build a PKI (including a CA), the logistical issues are more complicated
>than just building the software. There're good "free" PKI software.
>
>A good setup for Vietnam would be to have a national PKI infrastructure
>where a top-level CA run by some ministry level entity, may very well be
>VNPT & Ministry of Public Security, forms the root of the hierarchy. This
>infrastructure must have backing of appropriate legislations that govern
>how a CA is run, what are the values of the certificates issued, etc. (the
>Certification Policy Statement (CPS) of a CA is the important factor.) The
>top-level CA should then be recognised by top-level CA of other countries
>(by cross certification of their own certificate) for cross-border
>interoperation. Perhaps eventually all popular browsers would have root
>certificates of all countries' top-level CA's embedded.
>
>What VASC has done is practical to some extent in that they can have their
>own self-signed certificate as the root certificate. This certificate must
>be recognised as legitimate by all of their customers, including service
>providers such as banks, merchants, and end-users. For a user with a
>browser, this is equivalent to accepting that the self-signed certificate
>is valid and optionally install it in the browser so that no validation is
>required next time. The scope of this validity is their own community of
>users only.
>
>The payment software VASC announced I think is very much a demo prototype.
>I can see it's still using demo certificate of BEA's WebLogic. And until a
>bank is involved, and the necessary software link is built between the
>bank's system with VASC's so-called payment gateway, it's quite useless. I
>guess strategic partnership with banks may be announced by VASC soon. Then
>a service by some merchant, possibly VNPT itself for phone bill payment,
>would follow. However, for a useful service to come into use, it'll take
>quite a while and much more than those over-hyped announcements, I think.
>
>Regards,
>
>Nam