Electronic commerce over the Internet is now tens of billions of dollars per year and growing. This article describes how objects used in EC can be located and protected from unauthorized access. It discusses the three kinds of EC: customer interactions with a business, business interactions with other businesses, and interactions within a business. It characterizes the object retrieval and access management required to support the types of EC. It describes how metadata expressed in XML can be used to locate objects for retrieval and how a public key infrastructure along with role-based access control can be used to implement the distributed authentication and access control necessary to support complex access policies. In addition, the article describes activities within the Information Technology Laboratory at the National Institute of Standards and Technology which contribute to the development of related standards and tests.