This secure version of NCSA Mosaic allows users to affix digital signatures which cannot be repudiated and time stamps to contracts so that they become legally binding and auditable. In addition, sensitive information such as credit card numbers and bid amounts can be securely exchanged under encryption. Together, these capabilities provide the foundation for a broad range of financial services, including the network equivalents of credit and debit cards, letters of credit and checks.

I doubt that these electronic financial instruments will be designed to offer new protections to individual privacy. As more commerce moves onto the net, opportunities for database linking will multiply drastically. In such an environment, electronic dossiers of buying and spending habits will be far easier to develop.

To effectively employ public-key cryptography, an infrastructure must be created to certify and standardize the usage of public key certificates. CommerceNet will certify public keys on behalf of member companies, and will also authorize third parties such as banks, public agencies and industry consortia to issue keys.

So once again we have the command-and-control style key certificate hierarchy. Everyone is neatly ordered and positioned in the structure. A place for everyone and everyone in his place.

Such keys will often serve as credentials, for example, identifying someone as a customer of a bank, with a guaranteed credit line.

I suppose it goes without saying that the kinds of privacy-protecting credentials we have been discussing are not what is being discussed here. Rather, we have more authentication, more registration, more tracking of every electronic financial move we make.

Significantly, all of the transactions involved in doing routine purchases from a catalog can be accomplished without requiring buyers to obtain public keys. Using only the server's public key, the buyer can authenticate the identity of the seller, and transmit credit card information securely by encrypting it under the seller's public key. Because there are fewer servers than clients, public key administration issues are greatly simplified.

Evidently the "commerce" that is being planned here does not anticipate much demand for encryption of messages from sellers to buyers; rather, the important thing is encryption in the opposite direction to protect those credit card numbers. This also, of course, limits RSA's financial commitment in making its technology available; my reading is that end-users get only the ability to validate signatures for free, and that getting to use their own keys will involve royalty payments.

Secure-HTTP enables incorporation of a variety of cryptographic standards, including, but not limited to, RSA's PKCS-7, and Internet Privacy Enhanced Mail (PEM), and supports maximal interoperation between clients and servers using different cryptographic algorithms.

I was pleased to see that in their later message they added support for PGP to this list, although it seems that they are still thinking mostly in terms of "officially sanctioned" systems:

Cryptosystem and signature system interoperation is particularly useful between U.S. residents and non-U.S. residents, where the non-U.S. residents may have to use weaker 40-bit keys in conjunction with RSA's RC2 and RC4 variable keysize ciphers.

This is outrageous! Where on earth did they get the idea that non-U.S. residents have access only to 40 bit keys and RC2/RC4? As though the only encryption the rest of the world has is whatever the U.S. government deigns to let cross its borders? What an insult to the rest of the world. And what an attempt at self-deception to pretend that these export controls are effective. I sincerely doubt that the international network community will accept such a limitation in what claims to be an international standard. The one good thing that may come from this initiative is that more people will be using and relying on encryption. Given the widespread skepticism about the government in this country, it will be that much harder to get a Clipper-like program into place. But the initiative does clearly show the pernicious effects of the combined restrictions of the RSA patents and the NSA export controls. Together [RN]SA provides a structured, ordered system which provides the minimal possible privacy necessary for electronic commerce. Far more is possible, but is un- likely under the current legal regime. Hal