Time to Spend Electronic Money

Gary C. Kessler and Steve Shepard
April 1997

An edited version of this paper appeared with the title "Time to Spend Electronic Money" in the August, 1997 issue of Network VAR.

For the last several years, attempts to define electronic commerce have born a remarkable resemblance to Congress's attempts to define pornography during the final (and often frustrating) hearings on the Communications Act of 1996. While debating issues surrounding the identification and control of questionable programming on cable Television, one Congressional member observed that "We can't define it, but we know it when we see it." And while e-commerce is often mistaken for a mirage on the horizon, it has finally gained enough critical market mass that it is being taken seriously as a viable option to traditional commerce techniques. It is not a trivial undertaking: its successful implementation demands that companies look long and hard at their own business models.

As companies move to consider whether electronic commerce should be a part of their corporate game plan, they find themselves faced with three principal areas that they must consider if their foray into e-commerce is to succeed. These include general corporate issues, infrastructure issues, and security issues. Corporate and infrastructure issues are the most rigidly defined of the three; companies behave the way companies behave, and their supporting infrastructure (which may or may not include an electronic commerce sub-infrastructure) is built around and reflects that behavior. Security, then, must often wait for the dust to settle from the construction of the first two, then follow up with a protection mechanism tailored to the unique nature of each company.

Corporate Issues

Corporate Issues derive from the nature of the company's "business fabric," and of the three, are probably the hardest to change if deemed necessary. Taking into account such factors as market position, nature of the principal customer base, and corporate direction, corporate issues are rooted deep in the matrix of beliefs and behaviors that define a company. They include such things as:

Tactical vs. Strategic Positioning: Electronic commerce is a powerful strategic tool. All too often, however, it is looked at as just one more "payment option" with little regard for the profound manner in which it can position a company closer to their customer base. Remember Michael Porter's work on product differentiation: chances are that your product is a commodity, which means that the customer has purchase options. The law of primacy works: whoever gets there first, wins. The closer you can position your product to the customer, and the more innovatively you can do so, the better your chances of success. E-commerce is much more than a tactical payment option: its impact is potentially long-term and powerful.
Corporate Culture and Business Models: Again, corporate cultures and business models are highly intertwingled; each inevitably affects the other, and the implementation of an e-commerce option will affect them both. It changes the way companies behave, and changes the way they interact with their customers. Consequently, the decision to add e-commerce to a company's bag of tricks should be part of a planned strategy, and preferably the result of a planned strategy. It is not an end state; it is a means to an end. Companies that implement an electronic commerce web site or other option should do so after careful planning, because its effects will be far-reaching. In many cases, the company's reach into the market will change so drastically that a whole new business model will need to be defined; in some cases, corporate culture will change in cataclysmic fashion. Business as usual may go away, replaced by a whole new model of customer interaction.

Corporate organization also figures prominently in this scenario. The decision to support e-commerce must be made prudently, as there can be significant hardware, software, and personnel costs associated with the decision. If the implementing organization is large enough to support an MIS staff, they must be involved in the project from day one; smaller organizations may need to add support staff, which again represents a significant change in the traditional "everybody does everything around here" paradigm.
Cost Justification: Electronic commerce falls into the category of "Be careful what you wish for, because you might get it." Since the World Wide Web gives a company worldwide presence and exposure to a potentially global customer base, electronic commerce gives those global customers the ability to place orders — and therefore to affect business, sometimes in dramatic ways. Managers must ask themselves if they are ready for the onslaught that could occur if such a scenario were to take place. Too much business is a wonderful problem to have, but it can be catastrophic if improperly managed.
Vertical Market Segmentation: One factor that will allow e-commerce to succeed is the continued proliferation of businesses on the Internet/WWW, which will in turn provide a motivating factor for its use. Unfortunately, while many companies have a presence on the Web, few are using it as a commerce medium. The use density will increase, but until that time, successes will consist of a sporadic series of fits and starts. Until large businesses start doing business successfully on the Web, the vertical industries that support them will be sparse there as well. Some industry pundits see this challenge falling under the spell of the "Field of Dreams Effect," believing that "if we build it [the vertical industries], they [big business] will come." Whatever the case, a certain amount of "hurry up and wait" mentality is inevitable. Plan, therefore, accordingly.
Transnational Business: Multinational corporations (MNCs) are rapidly becoming more the norm than the exception in business today. As corporations redefine their markets to serve the world, they inevitably face a new set of challenges that stem from doing business globally. These include export restrictions, public policy concerns, transfer pricing, international taxation, trade barriers, protectionism, and a variety of others. Companies that implement e-commerce capability and that invite business from all corners of the world may be faced with a new set of challenges to deal with. In some cases there may be significant barriers to overcome; witness the current controversy over encryption software, a critical component of e-commerce, and whether it can be exported from the U.S. Under current law, it is classified as 'munitions' by the Department of Commerce, and is therefore carefully controlled.
Taxation: One particularly vexing issue that has yet to be decided is that of taxation enforcement. The ability to effortlessly and lucratively do business on the World Wide Web has caused federal and state tax authorities to prick up their ears with interest: they smell what they think is a new source of revenue. However, taxation of Internet commerce is to date a hands-off affair, much like the mail order catalog business in the United States. At some point the issue will be resolved, but as yet it is an unanswered question. The problem is exacerbated by the global nature of e-commerce; how can import duties be collected, for example, when the merchandise to be exported is a series of zeroes and ones?
Intellectual Property: Nicholas Negroponte observes in Being Digital that more and more, enterprises are making money by shipping bits around rather than by shipping atoms - a recognition of the fact that intellectual property is both a valuable commodity and a transactable one. Companies that are looking to do business on the Internet are therefore skittish about the safety of their product in such a wild and uncontrolled place. The degree of hysteria that exists over the perceived lack of appropriate security and safeguards on the Web is at an all time high; in fact, a significant barrier exists between consumers with money to spend and their willingness to do so on the Net. (We find it interesting that while most people are loathe to transmit credit card information over the Internet, those same people don't even blink when their credit card data goes zipping across the continent electronically, thanks to the magnetic stripe reader in the department store/restaurant/hotel).

Education plays an important role, and the better informed customers are about the relative safety of electronic commerce, the more willing they will be to try it. Education of the customers out there should be a matter of paramount importance for would-be electronic commerce implementers.
Payments: Closely related to intellectual property protection issues are those that revolve around getting paid. Organizations like EDIBANX, CommerceNet, Master Card/VISA, and others like them have gone to great lengths to not only secure the buy-in of key and influential players, but have identified the primary issues around which most concerns revolve. These include secure encryption and transmission standards, source and sink validation agreements, and non-repudiation guarantees, to name a few. Furthermore, such organizations have crafted a broad variety of payment techniques (discussed in another part of this article) which are both secure and imminently auditable. It must be remembered that e-commerce is still very much in its adolescence; it will be some time before large-scale, stable commercial infrastructures are in place on an Internet-wide basis.

Infrastructure Issues

Infrastructure Issues are closely related to their corporate cousins, and generally provide the underpinnings of corporate function. From the point-of-view of e-commerce implementation, infrastructure includes everything from physical network topology to details such as ordering, tracking, billing, and payment, as well as:

Standards: In this industry, we often observe that "the nice thing about standards is that there are so many to choose from." That is certainly true in the e-commerce realm, as EDI, SET, and a host of other would-be global standards jockey for pole position in the race to be first. The plethora-of-standards problem is not restricted to e-commerce, however; there are just as many battles going on in the Internet application realm. Market players are skittish, and rightly so; commerce is serious business, and no one is willing to take a chance on anything short of a sure thing.
Interoperability: A great deal of work has been done to develop good electronic commerce components including ordering, billing, tracking, and payment software; computer and network components; secure transaction sets; search engines; network management systems; and a variety of cybercash models. Comparatively little has been done, however, to ensure interoperability between all these disparate components. Many solutions remain proprietary, but as globalization continues and the need for interoperability grows, these vendor-specific solutions will disappear in favor of open standards.
Route Discovery: Being lost in the wilderness is not particularly fun, but that's the way potential customers can feel as they try to navigate their way through the maze of the Net to your site. The Internet is a dazzling array of information, ripe for the picking. But in its success lie the seeds of its own destruction, for so broad and diverse is the information that the ability to find a single, specific site successfully can be haphazard at best. The interworking that must be perfected between browsers, directory structures, agent software and a plethora of information sources is still in a seminal state, and will be for the foreseeable future. However, significant effort is being expended to make it happen, as this process lies at the heart of e-commerce's success.
Performance: Equally problematic for customer and provider alike is congestion at the host (information source) and in the network. Companies that are planning to implement electronic commerce as a means for their customers to reach them must ensure that alternative means are also available, because unlike the telephone, the fax machine or surface mail, there is as yet no guarantee of service on the Internet/Worldwide Web. Discrete network management skills can help to ensure that congestion is localized and temporary, thus minimizing the impact on the customer.
Personnel: While qualified technical personnel are required in companies implementing e-commerce to ensure that the physical infrastructure works properly, companies also need employees with commerce knowledge, customer service skills, business acumen, security skills, and marketing know-how. In the same way that a physical sales environment needs all of these skills at one time or another, so too does the cyber store.

Security Issues

Security Issues distill from the resolution of corporate and infrastructure concerns. Once the organization has reconciled itself to the fact that e-commerce is a reality and that its arrival will force cultural and business process changes and has put into place the necessary infrastructure improvements and modifications to ensure its success, then the security front line can be created. Security personnel must consider password protection, digital signature management, and deployment of smart cards (if merited), as well as logical and procedural considerations such as firewall permeability, the relative responsibilities and liabilities of partners (including network providers and ISPs).

In the real world, there are just a few ways of exchanging money; namely, cash, checks, credit cards, or debit cards. In cyberspace, however, there are well over a dozen different payment mechanisms, some commonly employed, others still experimental.

But there is another fundamental difference between commerce in the real world and in the cyber world; specifically, the element of trust. When I go to a store to purchase goods, I present myself and my payment method. Repeat business is rewarded by less hassle and fewer questions when I use a personal check. Even mail-order houses learn more about me as I place more orders. In cyberspace, however, both the customer and the vendor have difficulty identifying themselves to each other with certainty, particularly during a first transaction. How does the buyer securely transmit sensitive information to the seller? How does the seller know that this is a legitimate purchase order? How do both parties know that a nefarious third-party hasn't copied and/or altered the transaction information?

These questions, and others, describe the problems affecting business transactions over the Internet, or any public network. Customers (clients) need to be sure that:

They are communicating with the correct server.
What they send is delivered.
They can prove that they sent the message.
Only the intended receiver can read the message.
Delivery is guaranteed.

On the other side, vendors (servers) need to be sure that:

They are communicating with the right client.
The content of the received message is correct.
The identity of the author is unmistakable.
Only the author could have written the message.
They acknowledge receipt of the message.

The cryptographic algorithms and protocols to perform these functions have existed have been employed for years. What is needed specifically for Internet-based electronic commerce is the end-to-end, international infrastructure to support secure electronic communication. The next sections will discuss this topic in more detail.

Overview of Cryptography

Cryptography is the science of writing in secret code. For purposes of telecommunications and electronic commerce, cryptography is necessary when communicating over any untrusted medium, such as the Internet. Cryptography not only protects data from theft or alteration, but can also be used for message integrity and authentication.

When describing cryptographic schemes, the initial data is referred to as plaintext and the encrypted plaintext is called ciphertext; some form of key is usually employed to transform the plaintext into ciphertext. In general, there are three basic types of cryptographic schemes, categorized by the number of keys: secret key (or symmetric), public-key (or asymmetric), and hash functions.

                key                           key
plaintext -----------------> ciphertext -----------------> plaintext

a) Secret key (symmetric) cryptography using a single key for both encryption and decryption.


              one key                      other key
plaintext -----------------> ciphertext -----------------> plaintext

b) Public key (asymmetric) cryptography using two keys, one for encryption and the other for decryption.


            hash function
plaintext -----------------> ciphertext

c) Hash functions have no key since the plaintext is not recoverable from the ciphertext.

FIGURE 1. Three different types of cryptographic algorithms.

In secret key cryptography, a single key is used for both encryption and decryption. The sender applies the key, or a set of rules, to the plaintext to create the ciphertext, transmits the encrypted message, and the receiver applies the same key to decode the message (Figure 1a). Because a single key is used for both functions, secret key cryptography is also called symmetric encryption. The biggest difficulty with this approach, in fact, is the distribution of the key since both sender and receiver must share it.

There are several widely used secret key cryptography schemes, categorized as either block ciphers or stream ciphers. A block cipher is so-called because it encrypts blocks of data at a time; the same plaintext block will always be encrypted into the same ciphertext. Stream ciphers operate on a single bit, byte, or word at a time, and implement a feedback mechanism so that the same plaintext will yield different ciphertext every time it is encrypted.

The most common secret-key encryption scheme used today is the Data Encryption Standard (DES), designed by IBM in the 1970s and adopted by the National Bureau of Standards (NBS; now the National Institute for Standards and Technology, or NIST) in 1977 for commercial and unclassified government applications. DES is a block-cipher that works on 64-bit data blocks and uses a 56-bit key. A 128-bit key was also proposed but rejected at the time by the government, although the use of 128-bit keys is under consideration at this time. Other secret-key cryptography schemes in use today include Triple-DES (variants of DES that use either two or three keys), International Data Encryption Algorithm (IDEA), Kerberos, RC4, and RC5.

Public-key cryptography was invented in 1976 by Martin Hellman and Whitfield Diffie of Stanford University to solve the key exchange problem associated with secret-key cryptography. This scheme requires two keys, where one key is used to encrypt the data and the other key is used to decrypt the ciphertext. It does not matter which key is applied first, but both keys are required for the process to work (Figure 1b). Because a pair of keys are required, this approach is also called asymmetric cryptography. One of the keys is designated the public key and may be advertised as widely as necessary. The other key is designated the private key and is never revealed to another party. It is straight forward to send messages under this scheme. A sender can encrypt their data using their own private key and the receiver can decrypt the ciphertext using the sender's public key (this presumes that a mechanism is in place so that the receiver can identify the sender).

The most commonly used public-key algorithm today is RSA, named for its inventors Ronald Rivest, Adi Shamir, and Leonard Adleman. The RSA scheme can be used for key exchange, as well as encryption. The RSA key-pair is derived from a large number, n, which may be several hundred digits in length, that is the product of two prime numbers chosen according to special rules. The "public key" includes n and a derivative of one of n's factors; this information is sufficient to encrypt a message but not to derive the private key.

In 1991, NIST proposed a new public-key scheme, called the Digital Signature Standard (DSS), which happens to be incompatible with RSA. At this time, it appears that the commercial market will continue to use RSA and unclassified government systems will migrate to DSA.

Finally, hash functions are encryption algorithms that use no key. Instead, hash functions, also called message digests and one-way encryption, apply an irreversible mathematical transformation to the original data so that (Figure 1c) the plaintext is not recoverable from the ciphertext, there is a very low probability that two different plaintext messages will result in the same ciphertext, and the length of the ciphertext is fixed so that even the size of the plaintext cannot be derived.

Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used as part of a service that ensures that the file has not been altered. They are also commonly employed by many operating systems to store passwords, so that the password is never kept on a system in plaintext form. Common hash functions in use today include the Internet Engineering Task Force's Message Digests (MD2, MD4, MD5) and NIST's Secure Hash Algorithm (SHA).

Why Three Encryption Techniques?

A public key infrastructure (PKI) will provide the set of cryptographic services and procedures to support secure communication, using international standards and the public Internet. Specific tasks necessary to support secure transactions include:

Authentication, the process of proving one's identity. In an e-commerce environment, the client and the server must each prove to the other that they are who they purport to be. The Internet today uses name-based or address-based schemes as the primary form of host-to-host authentication.
Privacy, or confidentiality, to ensure that no one can read the message except the intended receiver.
Integrity, to ensure that the message has not been altered.
Authorization, to ensure that only users or hosts with permission access the service provider's servers and other network resources.
Non-repudiation, the ability to prove that the sender really sent this message.

                                            ===================
                                            |                 |
----------          ------------            |   -----------   |
|Sender's|          |Asymmetric|            |   | Digital |   |
|Private |--------->|Encryption|------------|-->|Signature|   |
|  Key   |          | Process  |            |   |         |   |
----------          ------------            |   -----------   |
                         ^                  |                 |
                         |                  |                 |
----------          ------------            |                 |
|SENDER'S|          |   Hash   |            |                 |
|MESSAGE |----+---->| Function |            |                 |
|        |    |     |          |            |    Digital      |
----------    |     ------------            |    Envelope     |===========>
              |                             | +++++++++++++++ |  Sent to
---------     |     ------------            | + ----------- + |  receiver
|Random |     ----->|Symmetric |            | + |ENCRYPTED| + |
|Session|           |Encryption|------------|-->| MESSAGE | + |
|  Key  |------+--->| Process  |            | + |         | + |
---------      |    ------------            | + ----------- + |
               |                            | +             + |
------------   |    ------------            | + ----------- + |
|Receiver's|   ---->|Asymmetric|            | + |Encrypted| + |
|  Public  |        |Encryption|------------|-->| Session | + |
|   Key    |------->| Process  |            | + |   Key   | + |
------------        ------------            | + ----------- + |
                                            | +++++++++++++++ |
                                            |                 |
                                            ===================

FIGURE 2. Sample application of the three cryptographic techniques for secure communication.

Figure 2 shows how these different cryptographic schemes might be used together to create a secure message. The scenario shown here is only an example; not all of these steps are performed in all cryptographic environments:

Symmetric encryption is used to encrypt messages. The sender generates a random session key on a per-message basis; the key and the original message are used to generate an encrypted form of the message. The receiver will use the same session key to decrypt the sender's message.
Hash functions are used for data integrity; in this scenario, any change to the contents of the message will result in the receiver calculating a different hash value than the one sent by the sender. Since two messages will almost never yield the same hash value, this value is sometimes called a digital fingerprint.
Asymmetric cryptography can be used for several functions:
- Key Exchange: The session key can be encrypted using the receiver's public key; the encrypted message and encrypted session key together form the Digital Envelope. Upon receipt, the receiver can recover the session key and, therefore, the original plaintext message, by applying their own private key.
- Digital Signature: The hash value can be encrypted with the sender's private key, forming a Digital Signature. Upon receipt, the receiver recovers the hash value by decrypting with the sender's public key. After decrypting the original message, the receiver applies the hash function and if the resultant hash value disagrees with the transmitted value, then the receiver knows that the message has been altered.
- Non-repudiation: If the hash value recovered by the receiver using the sender's public key indicates that the message has no errors, then only the purported sender could have created the Digital Signature.

**TABLE 1. Some commonly employed crytosystems for secure transactions.**
Name	Description
Capstone	U.S. government scheme for public cryptography that can be implemented in one or more tamper-proof computer chips, and comprises a bulk encryption algorithm (Skipjack), digital signature algorithm (DSS), and hash algorithm (SHS).
PCT (Private Communication Technology)	Developed by Microsoft and Visa; supports Diffie-Hellman, Fortezza, and RSA for key establishment; DES, RC2, RC4, and triple-DES for encryption; and DSA and RSA message signatures. A companion to SET.
SET (Secure Electronic Transactions)	Based on SEPP (Secure Electronic Payment Protocol), an open specification for secure bank card transactions over the Internet, developed by CyberCash, GTE, IBM, MasterCard, and Netscape, and STT (Secure Transaction Technology), a secure payment protocol developed by Microsoft and Visa International; supports DES and RC4 for encryption, and RSA for signatures, key exchange, and public-key encryption of bank card numbers. SET is a companion to the PCT protocol.
S-HTTP (Secure Hypertext Transfer Protocol)	An extension to HTTP for secure communication over the World Wide Web; supported algorithms include RSA and Kerberos for key exchange, DES, IDEA, RC2, and Triple-DES for encryption.
SSL (Secure Sockets Layer)	Developed by Netscape Communications to provide application-independent secure Internet communication; uses RSA is during negotiation to exchange keys and identify the actual cryptographic algorithm (DES, IDEA, RC2, RC4, or RSA) for the session and MD5 for message digests.

There are a number of cryptosystems in use today that provide this breadth of function (Table 1). It is important to observe that secrecy is not the essence to good cryptography. In fact, the best algorithms are those that are well-publicized because they are also the ones most scrutinized. Consumers, in fact, should be wary of products that use proprietary cryptography schemes; security through obscurity is almost always destined to fail.

Public Key Certificates and Certification Authorities

Cryptography can solve the business-related issues described above, but they do not alone address the trust relationship that must exist between a customer and vendor. How, for example, does one site obtain another party's public key? How does a recipient determine if a public key really belongs to the sender? How does the recipient know that the sender is using their public key for a legitimate purpose for which they are authorized? When does a public key expire? How can a key be revoked in case of compromise or loss?

Communicating parties cannot have a comfortable electronic relationship unless they both have confidence that they both know who they are talking to, what each is authorized to do, what is being said, when it is being said, and that the conversation is private. The PKI approach to resolve these issues involves certificates.

The basic concept of a certificate is one that is familiar to all of us. A driver's license, credit card, or pilot's license, for example, identify us to others, indicate something that we are authorized to do, have an expiration date, and identify the authority that granted the certificate.

For purposes of electronic transactions, certificates are digital documents. The specific functions of the certificate include:

Establish identity: Associate, or bind, a public key to an individual, organization, corporate position, or other entity.
Assign authority: Establish what actions the holder may or may not take based upon this certificate.
Secure confidential information (e.g., encrypting the session's symmetric key for data confidentiality).

FIGURE 3. BBN-issued certificate as viewed by Netscape Navigator.

Typically, a certificate contains a public key, a name, an expiration date, the name of the authority that issued the certificate (and, therefore, is vouching for the identity of the user), a serial number, any pertinent policies describing how the certificate was issued and/or how the certificate may be used, the digital signature of the certificate issuer, and perhaps other information. A sample abbreviated certificate is shown in Figure 3.

**TABLE 2. Contents of an X.509 V3 certificate.**
version number certificate serial number signature algorithm identifier issuer's name and unique identifier validity (or operational) period subject's name and unique identifier subject public key information standard extensions certificate appropriate use definition key usage limitation definition certificate policy information other extensions Application-specific CA-specific

TABLE 2. Contents of an X.509 V3 certificate.

version number
certificate serial number
signature algorithm identifier
issuer's name and unique identifier
validity (or operational) period
subject's name and unique identifier
subject public key information
standard extensions
	certificate appropriate use definition
	key usage limitation definition
	certificate policy information
other extensions
	Application-specific
	CA-specific

The most widely accepted certificate format is defined in Recommendation X.509 from the International Telecommunication Union Telecommunication Standardization Sector (ITU-T). Rec. X.509 is a specification used around the world and any applications complying with X.509 can share certificates. Most certificates today comply with X.509 Version 3 and contain the information listed in Table 2.

A certificate authority (CA), then, is any agency that issues certificates. A company, for example, may issue certificates to its employees, a university to its students, a retailer to its customers, an Internet service provider to its users, or a government to its constituents. Major trusted third-party CAs today include AT&T, BBN, Canada Post Corp., CommerceNet, GTE CyberTrust, MCI, U.S. Postal Service, and VeriSign; this list is not exhaustive and is sure to grow over time.

One major feature to look for in a CA is their identification policies and procedures. When a user generates a key pair and forwards the public key to a CA, the CA has to check the sender's identification and takes any steps necessary to assure itself that the request is really coming from the advertised sender. Different CAs have different identification policies and will, therefore, be trusted differently by other CAs. Verification of identity is just of many issues that are part of a CA's Certification Practice Statement (CPS) and policies; other issues include how the CA protects the public keys in its care, how lost or compromised keys are revoked, and how the CA protects its own private keys.

While certificates and the benefits of a PKI are most often associated with electronic commerce, that term itself begs for a formal definition. While electronic commerce, and commerce over the Internet in particular, is a motivating factor for PKI and CA work, the applications for PKI are much broader, and include secure electronic mail, payments and electronic checks, Electronic Data Interchange (EDI), secure transfer of Domain Name System (DNS) and routing information, electronic forms, and digitally signed documents.

While a single "global PKI" is still many years away, that is the ultimate goal of today's work as international electronic commerce changes the way in which we do business in a similar way in which the Internet has changed the way in which we communicate.

Conclusion

Because of the enormous visibility that companies have on the Internet economic stage, it is incumbent upon them to exercise significant responsibility to educate their immediate customers specifically and the market in general. There is a great deal of hysteria, hype, and myth associated with electronic commerce, just as there always is with something new, especially something new that involves money. The ultimate goal must be to replace hysteria, hype and myth with reasonable concern, trust, and knowledge. Then and only then will e-commerce become a force to be reckoned with.

SIDEBAR: FOR MORE INFORMATION:

CommerceNet: PKI and EDI (http://www.commerce.net)
NIST's "A Framework for Global Electronic Commerce" (http://www.iitf.nist.gov/eleccomm/glo_comm.htm)
Electronic commerce and EDI (http://www.premenos.com/)
The Software Industry Coalition's Digital Signature Information and Legislation Page (http://www.softwareindustry.org/issues/1digsig.html)
Electronic Payments Forum (http://www.epf.net/epfhome)
RSA Lab's Cryptography FAQ (http://www.rsa.com/rsalabs/faq/home.html)
Additional e-commerce pointers from Gary and Steve (http://www.garykessler.net/library/ecommurl.html)

ABOUT THE AUTHORS: At the time of this article's publication, Gary Kessler was the Director of Information Technology at Hill Associates, a telecommunications training and education firm headquartered in Colchester, VT. He has written over 50 papers for industry publications and is co-author of ISDN, 4th. edition (McGraw-Hill, 1998). Steven Shepard is a Senior Member of Technical Staff at Hill Associates. He is the author of Managing Cross-Cultural Transition: A Handbook for Corporations, Employees, and Their Families (Aletheia Publications, 1998) and A Spanish/English Dictionary of Telecommunications Terms (CRC Press, in press).