Safe Tcl: A Toolbox for Constructing Electronic Meeting Places

Electronic commerce needs electronic meeting places to conduct business. To be useful, such meeting places must be safe for all participants and for hosts (owners of places). In this paper we discuss safety issues for participants and hosts. We then describe a system we are building, Safe Tcl, that will allow the construction of electronic meeting places with a range of safety properties. Safe Tcl has two attractive properties. First, it uses a simple security model based on ``padded cells’’ that allows participants to coexist and interact safely. Second, Tcl makes it easy to integrate the numerous facilities required in an electronic meeting place such as integrity verification and authentication. 1 The Problem Of Safety Electronic commerce, like human commerce, needs “safe places” where participants can meet to conduct business. The safety of a place can be measured by e.g.: Whether the host is protected against malicious or erroneous actions of individual participants. Whether participants are protected from each others’ malicious or erroneous actions, and whether participants can be coerced by other participants to release, against their free will or without their knowledge and agreement, valued resources they carry with them (including information). Whether participants are protected from the actions of the host, both malicious and erroneous. Tools for constructing safe meeting places for electronic commerce will become increasingly important as electronic commerce becomes more widely used. We believe that the basic security mechanisms for privacy, authentication, integrity checking and non-repudiation are relatively well understood. However, how to combine these mechanisms into higher level policies is less clear. Therefore, at this stage it is useful to create tools that allow experimentation and rapid prototyping as well as the construction and deployment of completed electronic commerce systems. Experience from human based commerce systems may be a useful guide in constructing electronic meeting and in choosing which tools to provide. We show how each safety problem identified above can be addressed in a computational context by drawing parallels from current common practice. Currently, the human host and participants are protected from malicious intent of a participant by ensuring that no coercion tools (weapons etc.) are brought into the meeting place. Without a means for coercion there is no way for one participant to force another participant to release valued resources (such as the $1 million they are carrying in a briefcase) or information they own. Also, without means for coercion, there is no way for one participant to coerce the host to deny service or subvert its service to another participant. The equivalent in computational systems is to place each participant (or group of mutually trusting participants) in a separate environment (``padded cell’’), thus restricting their ability to manipulate the state of other participants or the host. Functionality in an environment is restricted to remove any method for a participant inside the environment to harm another participant outside the environment. To enable communication between participants, environments are extended with controlled communication channels that only allow legitimate communication. Protecting a human participant from the host is currently achieved through insurance and liability based mechanisms. Upon entry into a meeting place the participant is at risk of being coerced by the owner of the place to divulge information or to part with valued resources. These risks can be ameliorated by insurance or liability shifting arrangements, or by bonding. Similar mechanisms can be implemented in an electronic commerce system: a third party can offer insurance covering aspects of electronic business such as compromise of a transaction or participant owned resources by a host. Since these mechanisms are based on authentication, integrity checking and privacy, a system that provides access to these building blocks suffices.