Discussion Notes

Internet Commerce Group

November 12, 1996

Gary Sabala led our discussion today on the topic of Internet security. In particular, we discussed the history and development of the Secure Electronic Transaction standard (SET). We also discussed some of the barriers to security, including government regulations, and we tried to look at the process from a customer's viewpoint.

SET Development

Many companies have been working for a few years to establish security protocols for transactions on the Internet. The development efforts were typically very proprietary, and no clear standard or benchmarks had been generally accepted. This is still true to a large degree in many areas of security, but cooperation between Visa, MasterCard, Microsoft, and Netscape did result in the SET standards.

The companies were not initially allied. Visa and MasterCard were partnered with Microsoft and Netscape respectively, and the two teams were pursuing different protocols. Fortunately, the companies eventually collaborated and agreed to a unified standard.

Customer Interface

The SET standard allows data to be encrypted for transmission. A consumer is given a public "key" that is used to encrypt data. Visa and MasterCard both have private keys that can then decrypt the data.

To use the system, people will need software on their PC to handle the encryption. Visa or MasterCard will be responsible, they say, for ensuring that companies offering these transactions are reputable. What that means for consumers if they are victimized by a merchant is very unclear, as these are obviously untested waters. Visa and MasterCard are both reputed to be guaranteeing the transactions, so any loss due to data theft is their responsibility. Once again, it is not entirely clear how this policy will unfold. How do you prove you did not order the Jaguar when nobody had to sign?

Other Topics

We also talked briefly about some other security measures for the Internet. Examples included firewall features that limit access to legitimate users and the coming tunneling protocols for secure data routing.

Our last short topic was government involvement in security issues. The ban on export of 128-bit systems for "national security" was mentioned. Also mentioned was the recent news that Microsoft and others have tentative government support for a very secure architecture that could be exported.