SET Draft Reference Implementation, Version 1.0
Release Notes
30-Jun-1997

Copyright (C) 1996, 1997, Visa International Service Association and
MasterCard International Incorporated. All Rights Reserved.

OVERVIEW
========

Welcome to the SET Draft Reference Implementation, Version 1.0
(SETREF v1.0). The SET protocol was developed by MasterCard
International, Visa International, and their technology partners (GTE,
IBM, Microsoft, Netscape Communications Corp., SAIC, Terisa Systems and
VeriSign).

RELEASE OVERVIEW
================

SETREF provides the source code to a preliminary low-level
implementation of the SET v1.0 protocol, suitable for developers who
wish to gain experience with the SET protocol by examining actual source
code.

License restrictions prevent the inclusion of cryptographic libraries at
this time. In order to build and run the demo programs, the BSAFE
cryptographic library must be obtained through other means.

What's included
---------------

* Low-level implementation of payment and registration flow messages,
  including batch, credit, reversal, and inquiry messages.
* Command-line demonstration program illustrating sample payment and
  registration flows.
* SET "Version 1" compatibility
* Web-based demonstration programs illustrating a sample payment flow.
* Sample SET certificate chains for cardholder, merchant, and acquirer
  payment gateway.
* Documentation, in HTML form.

What's yet to come
------------------

A number of features are slated for later releases:

* BrandCRLIdentifier processing
* Sample CRLs
* Automatic Trusted Root rollover

Interoperability notes
----------------------

SETREF provides "over-the-wire" conformance to the current specification
of the SET protocol, both in structure and in cryptographic treatment of
messages.

Because of the conformance to the SET ASN.1 and cryptographic processing
rules, SETREF is structurally and cryptographically interoperable with
other implementations of the SET protocol.
Structural interoperability implies that protocol messages encoded by
this implementation are decodable by other implementations and vice
versa.

Platforms
---------

SETREF was built and tested under SunOS 4.1.3 and Windows 95 (the latter
with Microsoft's Visual C++ 4.1).

Documentation
-------------

The documentation resides in the directory setref/doc/draft/html and
consists of a Theory of Operation, Implementor's Guide, and API
Reference Guide. The root page for the documentation is
setref/doc/draft/html/index.html.

Building
--------

SETREF is distributed in the following files:

    For SunOS 4.1.3:  setref_v1_0.tar.gz
    For Windows:      setref_v1_0.zip

1. If you have received the Windows distribution on two floppy disks,
   you need to restore the setref_v1_0.zip file for Windows as follows:

   On Windows:

   It is distributed on two floppy disks. Extract setref_v1_0.zip.1
   from one floppy and setref_v1_0.zip.2 from the other. Using the
   MS-DOS prompt, do the following to restore the setref_v1_0.zip file:

       copy /b setref_v1_0.zip.1+setref_v1_0.zip.2 setref_v1_0.zip

2. Unpack the setref_v1_0 distribution.

   On SunOS 4.1.3:

       gunzip -c setref_v1_0.tar.gz | tar xf -

   On Windows:

       Open WinZip on setref_v1_0.zip and use the "Extract" button to
       unpack it.

   You will see the top-level "setref" directory containing the
   following files and directories:

       Makefile
       ReleaseNotes.txt (this file)
       a2c          alloc_ctx    asn1         bsupport
       certs        common       demo         doc
       error_ctx    glue         io_ctx       kdb
       keydata      make         ops          pkcs7
       setcert      set_msg      setref_util  store
       test         util         webdemo

3. Install the BSAFE cryptographic library (this library is not
   distributed with SETREF).

   SETREF assumes that the bsafe30 directory has the following
   structure. It is identical to the structure that the RSA Data
   Security, Inc. BSAFE 3.0 binary distribution has.

   For sunos413:

       bsafe30/library/sun412/include/aglobal.h
                                      algae.h
                                      atypes.h
                                      bsafe.h
                                      stdlibrf.h
                              lib/libbsafe.a

   For Windows:

       bsafe30\library\msvc20\Include\Aglobal.h
                                      Algae.h
                                      Atypes.h
                                      Bsafe.h
                                      Stdlibrf.h
                              Lib\Bsafe.lib

   If you have a BSAFE 3.0 binary distribution, move the "bsafe30"
   directory of the binary distribution to the top-level "setref"
   directory.

   If you have a BSAFE 3.0 source distribution, you need to create the
   above directory structure and place the "bsafe30" directory in the
   top-level "setref" directory.

   (1) Put the library that you have built with the source distribution
       in the "lib" (SunOS) or "Lib" (Windows) directory.

   (2) Copy the 5 header files into the "include" (SunOS) or "Include"
       (Windows) directory. You can find all the header files except
       "bsafe.h" (SunOS) or "Bsafe.h" (Windows) in the directory
       "bsafe30/source/algae/c" (SunOS) or "bsafe30\source\algae\c"
       (Windows) in the source distribution. The "bsafe.h" file is in
       "bsafe30/source/bsource/include" (SunOS) or
       "bsafe30\source\bsource\include" (Windows).

4. Build the SETREF library and command-line demonstration application.

   On SunOS 4.1.3:

       cd setref
       make sunos413

   On Windows:

   Open the SETREF project workspace with Visual C++ 4.1 by
   double-clicking the file make\win32\setref.mdp. There are 5 projects
   defined in the workspace: bsupport, buildall, demo, includes, and
   setref. Choose the "buildall - Win32 Release" configuration from the
   drop-down menu that lists all the configurations. Then select the
   "Build buildall.exe" item from the "Build" menu in the menu bar.

   Note: You may see warnings about *.h files at the beginning of
   building the "setref - Win32 Release" configuration. You may ignore
   those.

Running the command-line demonstration program
----------------------------------------------

The command-line demonstration program illustrates use of the SET
toolkit to process a payment transaction as well as a registration
transaction.
The following scripts demonstrate various scenarios of payment message
flows as well as registration message flows in one batch.

To process a payment transaction using the demo program, perform the
following:

On SunOS 4.1.3:

    cd setref/demo/make/sunos413
    make pay.simple

On Windows 95:

    cd setref\make\win32\demo\Release
    ..\pay_simple.bat

The example payment message flow is:

    cardholder          merchant           payment gateway
    ----------          --------           ---------------
    PInitReq   -->
               <--      PInitRes
    PReq       -->
                        AuthReq    -->
                                   <--     AuthRes
                        CapReq     -->
                                   <--     CapRes
               <--      PRes

To process both payment and registration flows, perform the following:

On SunOS 4.1.3:

    cd setref/demo/make/sunos413
    make test

On Windows 95:

    cd setref\make\win32\demo\Release
    ..\test.bat

Example registration flows include:

Cardholder registration:

    cardholder               CCA
    ----------               ---
    CardCInitReq   -->
                   <--       CardCInitRes
    RegFormReq     -->
                   <--       RegFormRes
    CertReq        -->
                   <--       CertRes

Merchant or payment gateway registration:

    merchant or              MCA or
    gateway                  PCA
    -----------              ------
    Me_AqCInitReq  -->
                   <--       Me_AqCInitRes
    CertReq        -->
                   <--       CertRes

This flow is broken into stages. The demo program takes command line
arguments denoting which stages to invoke.

IMPORTANT: The keying material database file called my.keys.sign MUST
BE IN THE CURRENT WORKING DIRECTORY to run the command line demo
application.

Do not interrupt the demo program while it is running. If the demo
program is terminated while it is writing to the keying material
database, the database may become corrupted.

For each invocation, the program expects to read the output of the
previous stage from stdin and write the output of the current stage to
stdout. Descriptive information for the stage is written to stderr.

For example, the payment transaction can be broken down into the
following stages.

    "demo -wPInitReq"             -- (cardholder)
                                     writes PInitReq to stdout
    "demo -rPInitReq -wPInitRes"  -- (merchant)
                                     reads PInitReq from stdin
                                     writes PInitRes to stdout
    "demo -rPInitRes -wPReq"      -- (cardholder)
                                     reads PInitRes from stdin
                                     writes PReq to stdout
    "demo -rPReq -wAuthReq"       -- (merchant)
                                     reads PReq from stdin
                                     writes AuthReq to stdout
    "demo -rAuthReq -wAuthRes"    -- (acquirer payment gateway)
                                     reads AuthReq from stdin
                                     writes AuthRes to stdout
    "demo -rAuthRes -wCapReq"     -- (merchant)
                                     reads AuthRes from stdin
                                     writes CapReq to stdout
    "demo -rCapReq -wCapRes"      -- (acquirer payment gateway)
                                     reads CapReq from stdin
                                     writes CapRes to stdout
    "demo -rCapRes -wPRes"        -- (merchant)
                                     reads CapRes from stdin
                                     writes PRes to stdout
    "demo -rPRes"                 -- (cardholder)
                                     reads PRes from stdin

To demonstrate the entire transaction at once, execute the demo command
containing all of the relevant payment messages.

    demo -wPInitReq ... -rPRes

To use the demo program to create files containing the payment flow
PDUs:

On SunOS 4.1.3:

    cd setref/demo/make/sunos413
    make pay.output

On Windows 95:

    cd setref\demo\make\win32\Release
    ..\pay_output.bat

Web-based demonstration
=======================

Installation and operation of the Web-based demonstration programs are
described in the file setref/webdemo/README.TXT (SunOS 4.1.3) and
setref\webdemo\README.TXT (Windows 95).

Additional applications and utilities for use with SETREF are being made
available by Visa International Service Association and MasterCard
International Incorporated at http://www.terisa.com/setref/.

TRADEMARKS
==========

UNIX is a registered trademark in the United States and other countries,
licensed exclusively through X/Open Company Limited.

All other brand and product names are or may be trademarks of, and are
used to identify products or services of, their respective owners.

DISCLAIMER
==========

SET Draft Reference Implementation Disclaimer/License
June 30, 1997

This is a beta version of the SET Draft Reference Implementation
("DRI").
It is a work in progress and is being provided at this stage and in this
form to help developers and other interested parties to understand the
SET protocol.

This version of the DRI provides the core functionality required to
process a simple transaction. This release does not support certificate
authority messages. Nor does it support the SET option to perform
transactions without cardholder certificates. For more details on the
functionality in this beta version, please refer to the attached
documentation. Later versions of the DRI will include additional
functionality and may include other changes.

DO NOT RELY UPON THIS CODE IN YOUR DEVELOPMENT.

If you discover a bug, please let us know by posting a message to the
SET-DEV mailing list.

Our lawyers made us include the next four paragraphs, so PLEASE READ THE
TEXT BELOW because it describes what you can do with the DRI.

Copyright (C) 1996, 1997, Visa International Service Association and
MasterCard International Incorporated. All rights reserved. Permission
to copy and implement the material contained herein is granted subject
to the conditions that (i) any copy or re-publication must bear this
legend in full; (ii) any derivative work must bear a notice that it is
not the Draft Reference Implementation ("DRI") for SET and (iii) that
none of the copyright holders shall have any responsibility or liability
whatsoever to any other party arising from the use or publication of the
material contained herein.

Visa and MasterCard ("Licensors") hereby grant you ("Licensee") a
limited license to (i) make, use, copy and modify the DRI for the
purpose of developing software that complies with the SET Specification
("SET Products") and for the purpose of achieving a better understanding
of the SET Protocol; and (ii) distribute SET Products that incorporate
all or a portion of the DRI and other software, which together are
provided under a defined interface different from that provided by the
DRI's API.
Licensee shall not redistribute or sell a license to the DRI nor shall
Licensee incorporate any part of the DRI into a SET Toolkit. A "Toolkit"
means a product that provides comprehensive facilities to enable other
parties to create software products for distribution. Bolt-on
applications and payment modules shall not be considered Toolkits for
the purpose of this license. The DRI is not intended to be used as a
Toolkit.

Licensors make no representation or warranty of any kind, express or
implied, relating to the DRI. Licensors are making the DRI publicly
available as an aid to understanding, creating, and testing SET
Products. Licensees are solely responsible for any use of the DRI and
agree to hold Licensors harmless for any claim that may arise out of any
product created with the DRI. Licensee expressly acknowledges Terisa
Systems, Inc., a Delaware Corporation with offices at 4984 El Camino
Real, Los Altos, California, as a third party beneficiary of this
license.

This software is controlled material under U.S. law and the laws of
other jurisdictions and you hereby acknowledge and agree that you must
fully comply with all the current laws of the United States including,
without limitation, rules and regulations of the United States Office of
Export Administration and other applicable U.S. governmental agencies.
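
The staged payment flow described under "Running the command-line demonstration program", driven one stage at a time with each PDU kept in its own file. This is an added example, not part of the original release notes or of SETREF. DEMO, OUT_DIR, the .pdu file names and the reliance on a non-zero exit status from a failed stage are assumptions.

```shell
#!/bin/sh
# Added example, not SETREF code. DEMO, OUT_DIR, the .pdu file names and the
# reliance on a non-zero exit status are assumptions; the stage flags follow
# the stage descriptions in the notes (the gateway stage writes AuthRes).
DEMO=${DEMO:-demo}
OUT_DIR=${OUT_DIR:-pdus}

# role|flags|message written ("-" for the final stage, which writes no PDU)
STAGES='cardholder|-wPInitReq|PInitReq
merchant|-rPInitReq -wPInitRes|PInitRes
cardholder|-rPInitRes -wPReq|PReq
merchant|-rPReq -wAuthReq|AuthReq
gateway|-rAuthReq -wAuthRes|AuthRes
merchant|-rAuthRes -wCapReq|CapReq
gateway|-rCapReq -wCapRes|CapRes
merchant|-rCapRes -wPRes|PRes
cardholder|-rPRes|-'

run_payment_flow() {
    # The keying material database must be in the current working directory.
    [ -f my.keys.sign ] || { echo "my.keys.sign not in $(pwd)" >&2; return 2; }
    mkdir -p "$OUT_DIR" || return 2
    prev=/dev/null
    rc=0
    # Ignore INT/TERM while stages run: a demo killed mid-write can corrupt
    # the keying material database. Children inherit the ignored signals.
    trap '' INT TERM
    while IFS='|' read -r role flags out; do
        if [ "$out" = "-" ]; then dest=/dev/null; else dest="$OUT_DIR/$out.pdu"; fi
        echo "[$role] $DEMO $flags" >&2
        # $flags is left unquoted so "-rX -wY" splits into two arguments.
        if ! "$DEMO" $flags < "$prev" > "$dest"; then
            echo "stage failed: $flags" >&2; rc=1; break
        fi
        # An empty PDU would leave the next stage with nothing to read.
        if [ "$out" != "-" ] && [ ! -s "$dest" ]; then
            echo "empty output from: $flags" >&2; rc=1; break
        fi
        prev=$dest
    done <<EOF
$STAGES
EOF
    trap - INT TERM
    return "$rc"
}
```

Source the file and call run_payment_flow from the directory that holds my.keys.sign; a stage that fails or writes nothing stops the flow before the next party consumes a bad PDU.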