INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
February 1998
Expires August 1998
Mapping ISO 7812 Card Numbers into the Domain Name System
------- --- ---- ---- ------- ---- --- ------ ---- ------
Donald E. Eastlake 3rd
Status of This Document
This draft, file name draft-eastlake-card-map-01.txt, is intended to
be become an Informational RFC concerning utilization of the Domain
Name System (DNS) to support automated location of ISO 7812 financial
transaction identification card related facilities in the Internet.
Distribution of this document is unlimited. Comments should be sent
to the SET protocol development mailing list <set-dev@terisa.com> or
to the author.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months. Internet-Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet-
Drafts as reference material or to cite them other than as a
``working draft'' or ``work in progress.''
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (East USA), ftp.isi.edu (West USA),
ftp.nordu.net (North Europe), ftp.nis.garr.it (South Europe),
munnari.oz.au (Pacific Rim), or ftp.is.co.za (Africa).
Donald E. Eastlake 3rd [Page 1]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
Abstract
There are a variety of web pages, servers, and the like, which
holders of ISO 7812 based financial transaction identification cards
may need to locate on the Internet. For example, the SET protocol
being developed by VISA, MasterCard, and others assumes that a
cardholder can locate the appropriate certification authority to
obtain a cardholder certificate. This document proposes a method
using the DNS to locate financial transaction card related
facilities on the Internet by mapping ISO 7812 derived card numbers
into domain names within in the card.reg.int domain.
Disclaimers
The methods proposed herein are not, at the time of the issuance of
this draft, endorsed by the credit card brands or associations.
Acknowledgment
Suggestions from the following persons, listed in alphabetic order,
have been incorporated in this document and are gratefully
acknowledged:
Doug Beattie, Electronic Commerce Consultants
Brian Carpenter, IBM
Tony Lewis, VISA International
Donald E. Eastlake 3rd [Page 2]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
Table of Contents
Status of This Document....................................1
Abstract...................................................2
Disclaimers................................................2
Acknowledgment.............................................2
Table of Contents..........................................3
1. Introduction............................................4
1.1 SET CA Location........................................4
1.2 ISO 7812 Details.......................................5
2. Inverse Number Mapping and Wildcards....................6
3. Card Domain Names Specified.............................7
3.1 Card Brand and Issuer Pointers.........................7
3.2 SET Certification Authority (CA) Pointers..............8
3.3 Financial Institutions Not On Line.....................9
3.4 BIN Ambiguity..........................................9
4. card.reg.int Domain Maintenance Agency.................11
5. Security Considerations................................12
References................................................12
Author's Address..........................................13
Expiration and File Name..................................13
Appendix: Initial Brand Pointers..........................14
Donald E. Eastlake 3rd [Page 3]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
1. Introduction
Financial transaction cards such as credit cards and debit cards are
identified world wide by numbers issued in conjunction with ISO
standard 7812 [ISO 7812-1]. In general, the leading digits of such
card numbers, formally called the Issuer Identification Number (IIN),
indicate the issuing institution and the remainder of the number
identifies the individual cardholder. The institution prefix is
sometimes referred to as the BIN (Bank Identification Number),
although it applies to more than banks, and the entire number is
somtimes known as the PAN (Primary Account Number), even though these
numbers are also used for secondary and other account and
identification numbers. Card numbers are generally issued in
connection with "brands" such as VISA, MasterCard, American Express,
JCB, Discover, Dinners Club, Air Travel Card, etc.
There has been no automatic way, given a card number, to find any
Internet site related to the card issuer, the card brand, or other
card facilities. In particular, the SET protocol [SET] defined by
VISA, MasterCard, and others, defines a means for cardholders, when
required, to obtain X.509 like certificates to attest to the
cardholder's authenticity but does not specify how to locate the
appropriate certification authority. Other protocol may require that
other facilities based on card number be reached over the Internet.
A means of automatically mapping such identification numbers into
domain names in most cases means that as soon as a number is know
(due to user account number entry or selection for a list of previous
entered PANs, for example), the ability would be present to contact
facilities on the Internet for that card. Thus web browsers/wallets
could provide "go to card brand", "get a SET certificate", "go to
issuing bank", etc., buttons whenever an IS 7812 identification
number is known.
1.1 SET CA Location
The most urgent potential need is to locate SET Certification
Authorities.
In some cases, cardholders will be given URLs in mailings from the
card issuer or on their card itself. However, there will be other
cases, such as older cards that have not been updated to have a URL
or for which the URL has changed due to bank mergers or splits or a
previously registered card for which the certificate is expiring but
the card is still valid, when access to the current URL is
inconvenient. There may be cases where the URL has changed since a
card was printed due to DNS changes. Furthermore, in certification
authority interaction, the user will be required to supply their PAN
Donald E. Eastlake 3rd [Page 4]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
in any case and the requirement that they manually enter a URL means
additional effort and opportunity for error. (Note also that PANs
have a built in check digit to catch most typographical errors while
URLs do not.)
Similar consideration will apply to location of some other facilities
on the Internet.
1.2 ISO 7812 Details
Formally, ISO 7812 identification card numbers are divided as
follows:
1 2-6 7-v last
+-----+-------------------+-----------+-------------+
| MII | issuer identifier | | |
+-----+-------------------+ account # | check digit |
| issuer identification # | | |
+-------------------------+-----------+-------------+
| ISO 7812 identification number |
+---------------------------------------------------+
MII = Major Industry Identifier as follows
0 - for ISO/TC 68 and other industry assignments
1 - airlines
2 - airlines and other industry assignments
3 - travel and entertainment
4/5 - banking/financial
6 - merchandizing and banking
7 - petroleum
8 - telecommunications and other industry assignments
9 - for national assignment
If the number starts with 9, the next three digits are the numeric
country code as defined in ISO 3166 and the remainder of the number
are as defined by that national standards body for that country.
Account numbers are variable length up to a maximum of 12 digits.
The check digit is calculated modulo 10 by the Luhn formula over all
the preceeding digits as specified in ISO 7812.
Donald E. Eastlake 3rd [Page 5]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
2. Inverse Number Mapping and Wildcards
When numbers are allocated in lexically hierarchical blocks so that a
prefix or suffix of digits is a meaningful division, the DNS wildcard
feature can be used to provide a convenient lookup mechanism when the
numbers and prefixes/suffixes are variable length. In this regard, it
is important to remember that more specific names always override
less specific ones for DNS wildcards.
Domain names start with the most significant label on the right and
go to less significant labels as you go left while in card numbers
the leading or left most digits are the most significant while the
trailing or right most digits are less significant. Thus, the digits
must be reversed to match the card number and DNS naming systems and
the digits must be interspersed with dots to provide hierarchical
division into DNS domains.
Note that the transformed, reversed card number need not be exposed
to users but could be gnerated internally by software in an automatic
fashion.
For example, currently the American Express card brand is the only
one using numbers starting with 37. However, this is not a guarantee
for all time and it could be that at some future point some BIN
numbers starting with 37 would be assigned to a different brand. If
you are looking up card number 37012345678 (not a valid American
Express number), you could do a retrieval with a name like
3.2.1.0.7.3.xz (to avoid exposing the credit card, no more than six
digits may be included in the query). A wild card RR with the name
*.7.3.xz would match this and would appear in the response with its
name expanded to the specific name asked for, but only if there were
no more specific name. If there were a *.3.2.1.0.7.3.xz wild card,
for instance, it would always be chosen in preference to the *.7.3.xz
wildcard in this case because it is a more exact match. On the other
hand, if a retrieval were done for 7.7.7.7.7.3.xz, it would get the
more general *.7.3.xy wild card since it does not match the more
exact wildcard.
Donald E. Eastlake 3rd [Page 6]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
3. Card Domain Names Specified
Subdomains are defined within the card.reg.int domain for access to
the brand, the SET certification authority, and the card issuer.
Additional subdomains may be added if additional facilities
differently indexed by the card number require access.
To find a facility, you need to (1) get the BIN, usually by
truncating the identification number to its first six digits, (2)
reverse the order of these digits, and (3) put a dot between each
digit and add the appropriate facility suffix as shown below. The
financial transaction idetnfication number is always truncated to
avoid revealing the full number in the DNS queries.
Sections 3.1 and 3.2 give further details on the facilities
available, section 3.3 discusses what to do about banks which are not
on line, and section 3.4 discusses what to do if the BIN is too
specific or not specific enough.
None of the facility pointers obtained via these means need be
exclusive and these financial identification card related Internet
facilities may have other names and URLs that will also work. These
facilities are intended to supplement, not replace, the direct
communication of domain names and URLs from financial institutions to
their customers.
3.1 Card Brand and Issuer Pointers
The card brand and issuer home pages can be located by truncating and
reversing the number as above and appending ".brand.card.reg.int" or
".issuer.card.reg.int" respectively. A CNAME RR will be stored at
that name pointing to the actual domain name for the home page. A
CNAME is chosen, rather than having specific "A" RRs pointing to
host(s), "MX" RRs pointing to mail servers, etc., to minimize the
update load on the card.reg.int domain. Changes in the serving host,
mail servers, etc., need only be made under the facility's domain
name, which the CNAME points to, rather than also under card.reg.int.
For example, the brand for the card 551204..., a MasterCard card, can
be found by browsing at 4.0.2.1.5.5.brand.card.reg.int. and the
issuer for the card 471922..., a VISA card, can be found by browsing
at 2.2.9.1.7.4.issuer.reg.card.int. These names can be automatically
generated from a card number and need not be exposed to ordinary
users.
Appendix A shows possible initial content of the brand.card.reg.int
domain. There are relatively few brands and they are allocated to
moderately compact blocks of numbers with relatively few exceptions
Donald E. Eastlake 3rd [Page 7]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
not belonging to the block brand. So there will probably be under
1,000 entries in the brand.card.reg.int subdomain.
Since there are only a few tens of thousands of banks of significance
in the world for financial transaction cards, there should be well
under 100,000 entries in the issuer.card.reg.int subdomain.
Although at this time very large blocks of numbers are generally
allocated to brands (for example almost all card numbers starting
with 5 and 4 are MasterCard and VISA cards, respectively), numbers
within these large blocks can be carved out by more specific entries
for other brands where necessary.
3.2 SET Certification Authority (CA) Pointers
A very high level description of the cardholder certificate issuance
procedure in SET [SET] is for a cardholderCInitRequest initialization
message to be sent to the CA, an initialization response received,
then a registration form request to be sent and a registration form
returned which the user fills in. The completed registration form is
submitted in a certificate request message to which there is a
response which can include the certificate or indicate it will be
issued later or indicate a failure. The registration form response
message can also be a referral to another CA site rather than a
registration form.
The above sequence can occur over a variety of transports [SET-EIG]
including TCP and HTTP. TCP would be to the SET well known port 257,
unless some other port was mutually agreed on, but cardholder to CA
communication is normally expected to be HTTP. In HTTP, the sequence
is usually preceded by a kick-off message from the CA which is of
MIME type Application/Registration-Initiation which activates a SET
wallet.
There are three pointers provided in connection with CAs, one for the
CA general web page for browsing, one derived URL that can be hit to
produce the SET certificate issuance kick-off message, and a derived
URL that can be used to post the initial cardholderCInitRequest if a
kick-off cycle is not needed.
The certification authority home page can be found as described in
3.1 above for brands and issuers, except that the suffix is ".SET-
CA.card.reg.int". A CNAME will also be used in this subdomain. At
this time it is not clear in how many cases a certification authority
will correspond to a single BIN, to a brand, to blocks of BINs, or
even to part of a BIN (see section 3.4). Note that the wild card
mechanism can easily accommodate arrangements such as a default
certification authority for a brand with specific CAs for some BINs
Donald E. Eastlake 3rd [Page 8]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
within that brand.
To determine the URLs to hit for the SET certificate issuance wake up
message [SET-EIG], take the CA domain name as above, prefix it with
"http://", and suffix it with "/Registration-Initiation". For some
purposes, the wake up message may not be necessary. In that case,
the cardholderCInitRequest SET message [SET] can be POSTed directly
to a similar URL but with the suffix of /cardholderCInitRequest.
Suffix to Domain Name Action
/Registration-Initiation Certificate Request Wakeup
/cardholderCInitRequest SET msg to start cert. req.
Note that no explicit DNS retrieval is necessary. In initiating a
cardholder certificate application for card number 8765432109, you
mechanically transform the number into a URL and go. In this case
that would be, to start with a kick-off, <httl://3.4.5.6.7.8.SET-
CA.card.int/Registration-Initiation>.
3.3 Financial Institutions Not On Line
Some numbers are allocated to institutions that do not have a network
presence. To avoid inappropriate pointers for such institutions, it
will be necessary in some cases to add entries for such numbers which
are CNAMEed to "bank-not-on-line.card.reg.int" which will not exist.
Thus an appropriate error message will normally be generated. In
other cases, it may be possible for a brand to fill in for an issuer
or the like.
3.4 BIN Ambiguity
For the purposes of this document, the BIN is defined as the first
six digits of the account number. In many cases an issuer or
certification authority is defined by fewer digits. This is no
problem as a wild card can be used to match all extensions of this
shorter prefix. However, cases where six digits are insufficient
need special handling.
If multiple institutions have decided to share a BIN, there are
several ways it can be handled. For the issuer web page either (1)
the banks sharing the BIN can run a common web page with links to
their individual pages on it or (2) if they are all the same brand,
the brand can run such a multi-issuer referral page at the BIN or, in
some cases, at a higher level wildcard or (3) in the unlikely event
that they are different brands, the card.reg.int maintenance agency
Donald E. Eastlake 3rd [Page 9]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
(see section 4) can run a page providing access to the different
sub-BIN issuers. A multiple issuer home page could just have names,
icons, and links to the separate institutions or more complex
indexing if it covered many banks. While this problem in not
expected to arise for the brand.card.reg.int subdomain, similar
solutions apply if it does.
The cases where a URL is derived to access certification authority
facilities, and the BIN is ambiguous, are not logically different
from the home page case but use a different implementation. In
particular, instead of a human looking at a web page, we may have an
application trying to get a cardholder certificate. However, when
the registration process reaches the point of sending the CA a
registration form request, that request is accompanied (securely) by
the full identification number. The registration form response can
have, instead of a registration form, a referral to a different URL.
Thus, the "CA" could be simply a secure referral program that uses as
much of the identification number as it wishes, possibly more than
the fist six digits, to determine where to forward the cardholder
application. This referral CA could be, as in the home page case,
run by multiple banks or a brand or the card.reg.int maintenance
agency (see section 4).
Donald E. Eastlake 3rd [Page 10]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
4. card.reg.int Domain Maintenance Agency
For full operational deployment of the card.reg.int domain, a
maintenance agency for the DNS information, and possibly additional
delegated agencies for subdomains, will need to be identified.
A possibility is an existing company engaged in domain name
registration activities or a newly created organization for this
purpose. Also, the American Bankers Association (ABA) is the world
ISO 7812 registration agency and so is a natural possibility.
Funding for maintenance should not be a problem. Current going rates
for large scale domain registration are $35 (US) or equivalent (NSI
fee less 30% infrastructure fund deduction, rate change for
registration in multiple third level domains under .card.reg.int, it
is hard to see how the annual cost for domain registration could be
such that it would exclude any noticeable financial institution
wishing to participate.
Donald E. Eastlake 3rd [Page 11]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
5. Security Considerations
This document concerns a means to map ISO 7812 financial
identification numbers into the Domain Name System (DNS) so that card
related facilities on the Internet can be automatically located. The
security of the resulting pointers is dependent on the integrity of
the card.reg.int maintenance agency and the security of the DNS,
including the use of security extensions [RFC 2065]. However, note
that when used in connection with SET certificate issuance, the SET
security mechanisms provide strong protection against spoofing or
compromise of sensitive information even if DNS were subverted.
Care should be taken in making DNS queries that the entire
identification number is NOT used as this would expose the card
number within the Internet. No more than the initial six digits,
which constitute the BIN for the purposes of this document, can be
used.
References
[ISO 3166] - Codes for the representation of names of countries.
[ISO 7812-1] - Identification card - Identification of Issuers.
[RFC 1034] - Domain Names - Concepts and Facilities, P. Mockapetris,
November 1987
[RFC 1035] - Domain Names - Implementation and Specifications, P.
Mockapetris, November 1987.
[RFC 2065] - Domain Name System Security Extensions, D. Eastlake, C.
Kaufman, January 1997.
[SET] - Secure Electronic Transaction (SET) Specification, Version
1.0, May 31, 1997.
Book 1: Business Description
Book 2: Programmer's Guide
Book 3: Formal Protocol Definition
[SET-EIG] - External Interface Guide to SET Secure Electronic
Transaction, September 24, 1997.
Donald E. Eastlake 3rd [Page 12]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
Author's Address
Donald E. Eastlake 3rd
CyberCash, Inc.
318 Acton Street
Carlisle, MA 01741 USA
Telephone: +1 978 287 4877
+1 703 620-4200 (main office, Reston, VA)
FAX: +1 978 371 7148
EMail: dee@cybercash.com
Expiration and File Name
This draft expires August 1998.
Its file name is draft-eastlake-card-map-01.txt.
Donald E. Eastlake 3rd [Page 13]
INTERNET-DRAFT Mapping ISO 7812 Numbers into the DNS
Appendix: Initial Brand Pointers
This table shows the initial brand name pointers that might be
installed in the card.reg.int domain.
Initial Name CNAME
*.1.brand.card.reg.int www.air-travel-card.com
*.0.3.brand.card.reg.int www.dinersclub.com
*.8.8.0.3.brand.card.reg.int www.jcb.co.jp
*.9.6.0.3.brand.card.reg.int www.jcb.co.jp
*.1.3.brand.card.reg.int www.jcb.co.jp
*.3.3.brand.card.reg.int www.americanexpress.com
*.7.3.3.3.brand.card.reg.int www.jcb.co.jp
*.8.2.5.3.brand.card.reg.int www.jcb.co.jp
*.6.3.brand.card.reg.int www.dinersclub.com
*.7.3.brand.card.reg.int www.americanexpress.com
*.8.3.brand.card.reg.int www.dinersclub.com
*.4.brand.card.reg.int www.visa.com
*.5.brand.card.reg.int www.mastercard.com
*.1.1.0.6.brand.card.reg.int www.novus.com
(MasterCard actually only has numbers starting with 51, 52, 53, 54,
55, and 56 but until some other brand actually has cards issued with
a number starting with a 5, there is no reason to go to any more
detail in the wildcard.
Donald E. Eastlake 3rd [Page 14]