Re: Governance of anonymous financial services
Ian G wrote: OK, on the face of it, you seem to have been doing triple entry (with the twist of a hash). Actually I am not so sure that it is even twisted ... as you are simply saying that someone somewhere was logging the hash; but not who was storing the receipts. To point: is this written up anywhere? gollum did I really ask that? ;) I wrote this concept up in a paper and am very happy to expand to include other art and implementations, given more than copious free time... http://iang.org/papers/triple_entry.html I'm integrating (or should be) the work that Todd Boyle has done on accounting, because his concept is more rather than less analogous. re: http://www.garlic.com/~lynn/aadsm26.htm#44 Governance of anonymous financial services so applying x9.59 http://www.garlic.com/~lynn/x959.html#x959 mapping to iso 8583 (i.e. credit transactions, debit transactions ... and even some number of stored-value transactions carried by some point-of-sale terminal and ... at least part of the financial network) http://www.garlic.com/~lynn.8583flow.htm you have the standard iso8583 financial transactions with a x9.59 addenda ... that includes a digital signature, a hash of the receipt and some misc. other stuff. existing infrastructure advises that both merchant and consumer retain (paper) receipts (in case of disputes). x9.59 financial standard didn't specify/mandate how that might be done ... but provided for support for applications for doing. the financial transaction was already required to be archived/logged for all sorts of regulations and business processes (as evidence some number of recent breach references). In the mid-90s, the x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. In numerous other references I've mentioned that doing required taking into account all sorts of considerations as part of x9.59 standard (including countermeasures to fraudulent transactions from breaches), it had to be extremely lightweight because of numerous considerations when you are asked to consider ALL retail transactions (including looking forward to various c ontactless, wireless, cellphones, transit turnstyles, etc), and maximizing the optimal use of all the existing processes and flows. In any case, as a result, the x9.59 transaction would be logged/archived as part of existing standard financial transaction processes ... which includes the digital signature against the full transaction ... where the full transaction ... along with the digital signature is being logged ... including the receipt hash and the additional x9.59 specified fields. the receipt, that is hashed, isn't specified as part of the x9.59 protocol standard ... but is assumed to be whatever is necessary to support resolution, in case of any dispute (at least the equivalent of saying that both the merchant and consumer retained paper receipt copies in the case of dispute). we actually may have done too good a job. a lot of efforts that have worked on doing similar or related efforts ... essentially viewed it as profit opportunities. the x9a10 standards worked view all the stuff as added expense ... to be aggressively eliminated as much as possible. For instance in the AADS chip strawman http://www.garlic.com/~lynn/x959.html#aads in the mid-90s, i would semi-facetiously say that we would take a $500 mil-spec part, aggressively cost reduce it by 2-3 orders of magnitude, increase its security/integrity, have it form-factor agnostic (as well as being able to meet contactless transit turnstyle requirements). to compound the problem ... we also did a bit of work on being able to change the institutional-centric something you have authentication paradigm to a person-centric paradigm ... i.e. rather than having one something per institution ... you could have one (or a very few) somethings per person (could be viewed as creating the something you are biometric authentication analogy for something you have authentication). misc. past posts mentioning 3-factor authentication paradigm http://www.garlic.com/~lynn/subintegrity.html#3factor so having something that was aggressively cost reduced by 2-3 orders of magnitude, more secure ... and instead of having one per institution/environment (that a person was involved with), they would have only one (or a very few). overall this could have represented possibly four orders of magnitude cost reduction (that many others were viewing as potential profit opportunity). in any case, who would be the stack-holders interested in something that eliminates nearly all fraud and nearly all costs? a few past posts mentioning working on change-over to a person-centric paradigm: http://www.garlic.com/~lynn/aadsm25.htm#7 Crypto to defend chip IP: snake oil or good idea? http://www.garlic.com/~lynn/aadsm25.htm#42 Why security training is really important
Re: Governance of anonymous financial services
re: http://www.garlic.com/~lynn/aadsm26.htm#44 Governance of anonymous financial services http://www.garlic.com/~lynn/aadsm26.htm#48 Governance of anonymous financial services My wife has been gone five years and I've been gone for over a year (they had corporate re-org in Dec '05) ... and we have no rights/interest ... but they continue to trickle out http://www.garlic.com/~lynn/aadssummary.htm latest today (3Apr2007) ... hot off the press: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2Sect2=HITOFFu=%2Fnetahtml%2FPTO%2Fsearch-adv.htmr=1p=1f=Gl=50d=PTXTS1=7200749.PN.OS=PN/7200749RS=PN/7200749 Method and system for using electronic communications for an electronic contract Abstract A method and system for digitally signing an electronic contract document. An electronic communication contains an identifier, a message, which includes the document, and a digital signature generated with a private key of an asymmetric key pair (247). The identifier may be used to retrieve a corresponding public key (287) and account information pertaining to the sender of the message. The public key may be used to authenticate the sender and the message. A device containing the private key may be used to protect the privacy thereof. The device may also generate a verification status indicator corresponding to verification data input into the device. The indicator may also be used as evidence that the sender of a contract document performed an overt act in causing the electronic communication to be digitally signed. A security profile linked to the public key in a secure database indicates security characteristics of the device. ... snip ... for a little drift ... slightly related to this recent posting in sci.crypt http://www.garlic.com/~lynn/2007g.html#40 Electronic signature outside Europe - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Governance of anonymous financial services
Hello, On 29/03/07 21:30, Steve Schear wrote: Here is the situation. An on-line financial service, for example a DBC (Digital Bearer Certificate), operator wishes his meat space identity, physical whereabouts, the transaction servers and at least some of the location(s) of the service's asset backing to remain secret. The service provides frequent, maybe even real-time, data on its asset backing versus currency in circulation. The operator wishes to provide some assurance to his clients that the backing and the amount of currency in circulation are in close agreement. The mint's backing need not be in a single location nor in the sole possession of the operator. I realize this is a governance question but I suspect that crypto/data security may play a key role. Some questions: If independent auditors are used do they need to know the operator's identity? Putting the crypto capabilities aside for a moment, what is the purpose of auditing an anonymous legal entity? Auditing, as I see it, can be used to serve two systems: 1. An intrinsically-enforced reputation system 2. An extrinsically-enforced legal system When I take my hard earned money and deposit it with the local branch of ABC bank, I do it while relying on two things: 1. The bank is part of a national legal trademarking system that assures me that this branch having this nice red ABC logo, is the same ABC Bank that all my friends use, along with millions of others, and so far, they haven't been fooled and their money hasn't yet been stolen. This #1 is something I can get from a pseudonym based system that is accompanied by some auditing I trust, even if the bank is completely anonymous. In the optimal installation you try to achieve the auditor I trust will be able to tell me: This bank, that you do not know where it is, and so don't I, has the backing for the currency it has in circulation. I will also be able to tell it's the same bank my friends use. 2. The bank is part of a legal *enforcement* system, such that if the bank takes my hard earned money and refuses to give it back to me, the *human* manager of the bank will be put in *physical* handcuffs and taken to a physical prison, where he cannot physically exercise his freedoms, such as go to a pub, see his kids, etc. No web-site extortion, no reduction of virtual credibility points, not even bad publicity; jail. Real jail, with non-chosen roommates and bad meals. I want to know that the enforcement system that the bank is subject to is one that can lead to real jail before I trust a web-site with my real money. This is along the lines of the baseball bat that Ian mentioned. This is something I cannot get from a system in which there may be auditing, but there is no chain connecting the digital world (as intrinsically-enforced as it would be), and the physical world, that offers better enforcement means, better matching my money's worth. The enforcement that is offered by the legal system is tied to the physical world and thus requires identifiability and personal (flesh -- not username) accountability. You can have a system do without it; have only intrinsic enforcement without tying to the physical world, but I believe its enforcement will never be strong enough to win the trust of the masses when it comes to hard earned money. At the end of the day, say everything works perfectly by your model, and the intrinsic system can prove that there is a coin of gold for every $x in circulation. How does the user know that he will ever see the sums he put in circulation. He has a receipt, of course, but a receipt is just a bunch of bits. These bits may prove to a third party that justice is with the user, but what will link this justice back to money if the bank's owner doesn't feel like paying? I know this is not completely related to the questions you presented, but more to the rationale of the entire system. I am just trying to understand this better. Regards, Hagai. -- Hagai Bar-El - Information Security Analyst T/F: 972-8-9354152 Web: www.hbarel.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Governance of anonymous financial services
At 12:15 PM 3/30/2007, Hal Finney wrote: If the backing is distributed among a multitude of holders (e.g., in a fashion similar to how Lloyds backs their insurance empire), who's identities are kept secret until audit time and then only a few, randomly selected, names and claimed deposit amounts are revealed to the auditors, might this statistical sampling and the totals projected from the results be a reasonable replacement for 'full asset' audit? To protect the identities of the holders could a complete list of the hashes of each name and claimed deposit be revealed to the auditors, who then select M of N hashes whereupon the operator reveals only those identities and claimed deposits work cryptographically? One problem is the holders could collude and play a shell game. Suppose that 30% of the holders were going to be asked to reveal their assets, then the company could back only 30% of the currency, and redistribute the assets to the selected holders before the auditors come. How about this method? 1.) Auditors meet at a defined place and time. 2.) Courier arrives and presents a fraction N of M of the backing, once at a time, to the auditors 3.) Auditors verify the fraction, account for it and enclose it in a container with a unique hard to forge seal 4.) Courier leaves 5.) Step 2-4 are repeated until the total of M has been presented to the auditors 6.) In the second round, the auditors request the same fractions N of M again. Not all N have to be presented, but can be 7.) One after another the couriers with the respective fractions present them again to the auditors 8.) The auditors verify the seals, and remove them 9.) The couriers leave There are two disadvantages to the process: 1.) It takes quite some time. 2.) It is expensive The advantages are: 1.) It is secure for the auditors and the operators 2.) It presents the full backing Steve - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Governance of anonymous financial services
At 08:23 PM 3/29/2007, Allen wrote: Steve, I assume that you mean the owner of the on-line financial service when you say operator, correct? In which case what exactly are the auditors going to be looking at when comes time to audit but the operator's identity, whereabouts, the servers and a portion of the assets are undisclosed? As we have seen in the prosecutions of large corporation officers knowing their identity is no guarantee that stakeholders will not be defrauded. Can you explain why knowing the server whereabouts is required? Certainly there are cryptographically sound ways (e.g., time stamps from independent and trusted sources, hash chaining, etc.) that anon DBC mints can provide transaction logs that can be publicly examined and verified without ever touching the server. In a basic sense auditing is to see if the reality behind the books matches the books. That the number of sheaves of wheat you have in the warehouse match the number you have in the office. If you can not locate the reality what are you verifying? The scenario described and method I proposed I think do address the identification of assets. I maintain that random sampling can, when properly carried out, provide a mathematically sound confidence of the total size of assets. I think, rather than governance, this goes to the heart of trust in relationships. Governance to me is more the process of verifying that the trust is not misplaced and that audits are simply one way, but only one of many ways, of quantifying the level of trust one can have in the relationship. Agreed. Steve - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Governance of anonymous financial services
Steve Schear writes: Here is the situation. An on-line financial service, for example a DBC (Digital Bearer Certificate), operator wishes his meat space identity, physical whereabouts, the transaction servers and at least some of the location(s) of the service's asset backing to remain secret... Pretty tough to do much with crypto in this situation. My rpow.net software was an attempt to create what Nick Szabo called bit gold, transferrable certificates that had intrinsic rarity. It uses trusted computing concepts to create RSA signatures that are backed by hash collisions. Unfortunately rarity does not automatically translate into value, so even though the system was highly inflation-resistant it was not too successful in attracting users. The service provides frequent, maybe even real-time, data on its asset backing versus currency in circulation. The operator wishes to provide some assurance to his clients that the backing and the amount of currency in circulation are in close agreement. The mint's backing need not be in a single location nor in the sole possession of the operator. Maybe he could publish a picture of the backing commodities, and design the system so that everyone could see how much money was in circulation? Keep in mind that this is only part of the trust picture. Showing that the backing is there won't prevent this anonymous operator from absconding with the funds in the future. That would be one of my concerns if I were a user. If the backing is distributed among a multitude of holders (e.g., in a fashion similar to how Lloyds backs their insurance empire), who's identities are kept secret until audit time and then only a few, randomly selected, names and claimed deposit amounts are revealed to the auditors, might this statistical sampling and the totals projected from the results be a reasonable replacement for 'full asset' audit? To protect the identities of the holders could a complete list of the hashes of each name and claimed deposit be revealed to the auditors, who then select M of N hashes whereupon the operator reveals only those identities and claimed deposits work cryptographically? One problem is the holders could collude and play a shell game. Suppose that 30% of the holders were going to be asked to reveal their assets, then the company could back only 30% of the currency, and redistribute the assets to the selected holders before the auditors come. Hal - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Governance of anonymous financial services
Ian G wrote: E.g., Ricardian contracts (my stuff) take the user agreement as a document and bind it into each transaction by means of the hash of the contract; they also ensure various other benefits such as the contract being available and readable to all at all times, and the acceptability of same, by the simple expedient of coding the decimalisation into the contract. Ensuring that the contract is readable, applicable and is available to all is a huge win in any court case. Other governance tricks: the usage of signed receipts can be used to construct a full audit of the digital system. Also, signed receipts are strong evidence of a transaction, which leads by some logic to a new regime which we call triple entry accounting. This dramatically changes the practice of accounting (which feeds into governance). With DB side, one trick is to use psuedonym accounts for the basis, and this allows no-loss protocols to be created. Again, this is useful for governance, because if you have a lossy protocol, you have a potential for fraud. we had done something analogous in the x9.59 financial standard. the x9a10 financial standard group had been given the requirement to preserve the financial infrastructure for all retail payments. http://www.garlic.com/~lynn/x959.html#x959 digital signature on the transaction itself provided for end-to-end strong authentication (armoring payment transaction as countermeasure to various kinds of replay attacks ... as have been in the news recently related to large data breaches and then being able to subsequently use the information for fraudulent transactions). one of the problems was that some of the other attempts at PKI-related payments protocols in that period ... were creating enormous (two orders of magnitude) processing and payload bloat http://www.garlic.com/~lynn/subpubkey.html#bloat one of the implied x9a10 requirements was efficiency, i.e. mechanism that could be deployed in ALL environments (internet, point-of-sale, cellphone, etc) ... and needed to be highly concerned about processing and payload efficiency. the actual transaction is digitally signed ... and it is also the thing that is authorized, logged, archived, audited, etc. so part of x9.59 provided for a hash of the receipt (contract, bill-of-materials, sku data, level 3 data, etc) as part of the digitally signed payload (as opposed to including the whole receipt). Then in any subsequent dispute, if both parties didn't produce identical receipts ... the hash from the audited/logged/archived transaction could be used to determine the valid/correct receipt. While the receipt wasn't part of the actual audited/archived/logged transaction, the process provided a mechanism (in cases of disputes) for establishing the legitimate receipt. we claimed privacy agnostic for x9.59 ... i.e. there was an account number in protocol but the degree that any jurisdiction required a binding between an account number and an individual was outside the x9.59 protocol. x9.59 was designed so that it could be used for credit, debit, stored value, ach, etc. In many jurisdictions, credit debit can have some know you customer requirements for financial institutions (binding between individuals and account numbers) ... however there was 1) no requirement to divulge such bindings during retail transactions and 2) x9.59 applies equally well to stored-value retail transactions (where there is much less frequently a requirement imposed for know your customer. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: *AEI-SPAM-MARK* Re: Governance of anonymous financial services
On Fri, 30 Mar 2007, Ian G wrote: The reserve assets' location(s) is fairly important from a customer trust perspective. People look at the overall safety and make their own judgements. One person might decide that New York is safe and another will find that a horrible thought (for those who follow this arcane field, there was a big bust of a dodgy operator in NY some months back). Having said that, once a system is up and running, and is robust, it seems that moving the assets from one continent to another has not been a source of concern to many users. The issuer himself is pretty important. His physical location isn't so important -- everyone flies around these days -- but nobody has ever been able to gain trust in a system to date without reference to a real meatspace hook. And for good reason ... how do you take him to court? (And if you are thinking of extra-jurisdictional transactions, how do you beat him to a pulp with a baseball bat?) There's another point: Suppose you come up with an ideal system which preserves secrecy in the way you'd like. How are you going to convince assorted government agencies (eg the US Treasury Dept and its kin in other countries) that your System won't be used for money laundering, terrorist financing, or other nefarious purposes? [N.b. I am *not* trying to start a flame war here, and in particular I am *not* accusing anyone on this mailing list of nefarious purposes. Rather, I'm asking a serious question about the practicality of anonymous (crypto-enabled) financial services in the 21st century, namely, will governments be willing to allow them to operate?] ciao, -- -- Jonathan Thornburg -- remove -animal to reply [EMAIL PROTECTED] School of Mathematics, U of Southampton, England Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral. -- quote by Freire / poster by Oxfam - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
