From: guthery@austin.sar.slb.com
Date: Wed, 25 Oct 95 01:20:25 PDT
To: rah@shipwright.com
Subject: IT View of Worldwide Electronic Commerce Conference
Message-ID: <9510250820.AA05781@asterix>
MIME-Version: 1.0
Content-Type: text/plain


Robert Hettinga wonders ...

>Did anyone go to the
>
>"Worldwide Electronic Commerce Law, Policy, Security and Controls Conference" ?
>
>It was in Bethesda October 18 - 20.
>
>Just curious. Sponsored by a lot of Big Cheese (ABA, HLS, NIST, UNCITL,
>SPA, ETC, ETC, ETC).

I did and here's a view from IT; i.e. not law or marketing.  The conference
was two-track so by definition I only attended 1/2 the sessions.

The high points ...

	- the Web will support commerce next year from modest (multi-$1,000)
          down to micro (sub-penny) transactions

	- the U.S. Government is trying to trade 64-bit keys for
          escrow but folks aren't buying it;  Dorthy Denning gave
          a very weak "the sky is falling" talk.

	- Intel is building systems and secure infrastructure software; 
          Microsoft may start to feel trapped between Intel and Netscape.

	- current copyright law seems up to the task of handling the Web but
          contract law may need some updating

	- iris scanning seems to be the leading biometric; there is a PCMCIA 
          card that does fingerprints including pores which I learned are 
          better than ridges for identification

	- nobody had any insight on transnational data flow, encrypted
          or otherwise

	- Verisign (a spin-off of RSA) is selling Digital IDs and running a 
          Certification Authority; see

                    http://www.verisign.com

        - the Swedes have a very aggressive Digital ID system on the air;
          see
                    http://www.cost.se

	- X.509 seems to be the de facto and de jure certificate standard;
          current work is at ftp://NC-17.MA02.Bull.com in
          /pub/OSIdirectory/Certificates

	- RSA for encryption and DSA for signatures were the encryption
          technologies of preference;  PGP was occassionally acknowledged 
          to be one of the best available but strangely went undiscussed.

          Good quote: "Commercial DES (for export) with 40 bit keys is a 
                       joke. Don't even think about it."

        - other relevant URLs:
                 www.ms.com
                 www.terisa.com
                 www.ssa.gov

Most of the security focus of the conference was on authentication.