A mechanism for establishing policies for electronic commerce

The paper introduces a mechanism for establishing policies for electronic commerce in a unified and secure manner. A commercial policy can be viewed as the embodiment of a contract between the principals involved in a certain type of commercial activity, and it may be concerned with such issues as: ensuring that a payment for services is refunded under specified circumstances; preventing certificates representing e-cash from being duplicated; ensuring that credit card numbers are used only for the transaction they are intended for; and, for certain socially sensitive transactions like the purchase of drugs, ensuring auditability by proper authorities. Our mechanism is based on a previously published concept of law governed interaction. It makes a strict separation between the formal statement of a policy, which we call a "law," and the enforcement of this law, which is carried out by a set of policy independent trusted controllers. A new policy under this scheme is created basically by formulating its law, and can be easily deployed throughout a distributed system. This mechanism enables a single agent to engage in several different activities, subject to disparate policies. Two example policies are discussed in detail: one ensures refundability of payment under certain circumstances; the other provides for payment by means of non copyable tickets.