SOX is a payment protocol that is implemented within WebFunds as a value manager. It consists of a request layer over an encryption layer. Requests go from client to server, and replies back from the server to the client.

Requests have these characteristics:

In its last active form, each request was signed with RSA and encrypted with AES-128 using SDP1.


Documentation is a little scattered. Here is some from the various Systemics sources:

  1. Overview is Gary Howland's original paper on the protocol. Whilst the concepts have changed little, this paper is in need of an update.
  2. SOX FAQ is a collection of frequently asked questions from Systemics.
  3. Executive Summary quickly describes the core features of the protocol.



Jeroen van Gelderen asks whether SOX is capabilities done in hard-coded crypto. A serious analysis is needed to answer that question.


SOX employs no classical PKI architecture. Each key is generated on the client and then registered with the server. Authentication of the key to the server more or less happens when transactions occur, so the authentication is done peer-to-peer. This makes it similar to OpenPGP's web of trust concept. Hypothetically, it could be tuned to use a CA like but in all likelihood we would have to add a layer of indirection so the PKI did not slow down the crypto.


Start with the Executive Summary, above. Here are some other terms not covered there.

Note that most documentation assumes that SOX is used as a payments protocol; this is not necessarily a limitation, and SOX is also being used for at least one other application, namely RTGS trading, which shares similar requirements to payments applications.

Also, see Design for some additional definitions for the whole space in which SOX is used.


Copyright © 1999-2004 Systemics Ltd. All rights reserved.