Re: Governance of anonymous financial services

2007-03-30 Thread Steve Schear

At 08:23 PM 3/29/2007, Allen wrote:


I assume that you mean the owner of the on-line financial service when you 
say operator, correct? In which case what exactly are the auditors going 
to be looking at when comes time to audit but the operator's identity, 
whereabouts, the servers and a portion of the assets are undisclosed?

As we have seen in the prosecutions of large corporation officers knowing 
their identity is no guarantee that stakeholders will not be 
defrauded.  Can you explain why knowing the server whereabouts is 
required?  Certainly there are cryptographically sound ways (e.g., time 
stamps from independent and trusted sources, hash chaining, etc.) that anon 
DBC mints can provide transaction logs that can be publicly examined and 
verified without ever touching the server.

In a basic sense auditing is to see if the reality behind the books 
matches the books. That the number of sheaves of wheat you have in the 
warehouse match the number you have in the office. If you can not locate 
the reality what are you verifying?

The scenario described and method I proposed I think do address the 
identification of assets.  I maintain that random sampling can, when 
properly carried out, provide a mathematically sound confidence of the 
total size of assets.

I think, rather than governance, this goes to the heart of trust in 
relationships. Governance to me is more the process of verifying that the 
trust is not misplaced and that audits are simply one way, but only one of 
many ways, of quantifying the level of trust one can have in the relationship.



The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Governance of anonymous financial services

2007-03-30 Thread Hal Finney
Steve Schear writes:
 Here is the situation.  An on-line financial service, for example a DBC 
 (Digital Bearer Certificate), operator wishes his meat space identity, 
 physical whereabouts, the transaction servers and at least some of the 
 location(s) of the service's asset backing to remain secret...

Pretty tough to do much with crypto in this situation.  My
software was an attempt to create what Nick Szabo called bit gold,
transferrable certificates that had intrinsic rarity.  It uses trusted
computing concepts to create RSA signatures that are backed by hash
collisions.  Unfortunately rarity does not automatically translate into
value, so even though the system was highly inflation-resistant it was
not too successful in attracting users.

 The service 
 provides frequent, maybe even real-time, data on its asset backing versus 
 currency in circulation. The operator wishes to provide some assurance to 
 his clients that the backing and the amount of currency in circulation are 
 in close agreement.  The mint's backing need not be in a single location 
 nor in the sole possession of the operator.

Maybe he could publish a picture of the backing commodities, and design
the system so that everyone could see how much money was in circulation?

Keep in mind that this is only part of the trust picture.  Showing that
the backing is there won't prevent this anonymous operator from absconding
with the funds in the future.  That would be one of my concerns if I
were a user.

 If the backing is distributed among a multitude of holders (e.g., in a 
 fashion similar to how Lloyds backs their insurance empire), who's 
 identities are kept secret until audit time and then only a few, randomly 
 selected, names and claimed deposit amounts are revealed to the auditors, 
 might this statistical sampling and the totals projected from the results 
 be a reasonable replacement for 'full asset' audit?  To protect the 
 identities of the holders could a complete list of the hashes of each name 
 and claimed deposit be revealed to the auditors, who then select M of N 
 hashes whereupon the operator reveals only those identities and claimed 
 deposits work cryptographically?

One problem is the holders could collude and play a shell game.
Suppose that 30% of the holders were going to be asked to reveal their
assets, then the company could back only 30% of the currency, and
redistribute the assets to the selected holders before the auditors come.


The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Governance of anonymous financial services

2007-03-30 Thread Anne Lynn Wheeler

Ian G wrote:
E.g., Ricardian contracts (my stuff) take the user agreement as a 
document and bind it into each transaction by means of the hash of the 
contract;  they also ensure various other benefits such as the contract 
being available and readable to all at all times, and the acceptability 
of same, by the simple expedient of coding the decimalisation into the 
contract.  Ensuring that the contract is readable, applicable and is 
available to all is a huge win in any court case.

Other governance tricks:  the usage of signed receipts can be used to 
construct a full audit of the digital system. Also, signed receipts are 
strong evidence of a transaction, which leads by some logic to a new 
regime which we call triple entry accounting.  This dramatically changes 
the practice of accounting (which feeds into governance).

With DB side, one trick is to use psuedonym accounts for the basis, and 
this allows no-loss protocols to be created. Again, this is useful for 
governance, because if you have a lossy protocol, you have a potential 
for fraud.

we had done something analogous in the x9.59 financial standard. the x9a10
financial standard group had been given the requirement to preserve the
financial infrastructure for all retail payments.

digital signature on the transaction itself provided for end-to-end
strong authentication (armoring payment transaction as countermeasure
to various kinds of replay attacks ... as have been in the news recently
related to large data breaches and then being able to subsequently
use the information for fraudulent transactions).

one of the problems was that some of the other attempts at PKI-related
payments protocols in that period ... were creating enormous 
(two orders of magnitude) processing and  payload bloat

one of the implied x9a10 requirements was efficiency, i.e. mechanism that could 
deployed in ALL environments (internet, point-of-sale, cellphone, etc) ...
and needed to be highly concerned about processing and payload efficiency.

the actual transaction is digitally signed ... and it is also the thing that
is authorized, logged, archived, audited, etc.

so part of x9.59 provided for a hash of the  receipt (contract,  bill-of-materials, 
sku data, level 3 data, etc) as part of the digitally signed payload

(as opposed to including the whole receipt). Then in any subsequent dispute,
if both parties didn't produce identical receipts ... the hash from the
audited/logged/archived transaction could be used to determine the
valid/correct receipt.

While the receipt wasn't part of the actual audited/archived/logged transaction,
the process provided a mechanism (in cases of disputes) for establishing the
legitimate receipt.

we claimed privacy agnostic for x9.59 ... i.e. there was an account number in
protocol but the degree that any jurisdiction required a binding between an 
account number and an individual was outside the x9.59 protocol. x9.59 was

designed so that it could be used for credit, debit, stored value, ach, etc.
In many jurisdictions, credit  debit can have some know you customer
requirements for financial institutions (binding between individuals
and account numbers) ... however there was 1) no requirement to divulge
such bindings during retail transactions and 2) x9.59 applies equally
well to stored-value retail transactions (where there is much less
frequently a requirement imposed for know your customer.

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: *AEI-SPAM-MARK* Re: Governance of anonymous financial services

2007-03-30 Thread Jonathan Thornburg
On Fri, 30 Mar 2007, Ian G wrote:
 The reserve assets' location(s) is fairly important from a customer trust
 perspective.  People look at the overall safety and make their own judgements.
 One person might decide that New York is safe and another will find that a
 horrible thought (for those who follow this arcane field, there was a big bust
 of a dodgy operator in NY some months back).  Having said that, once a system
 is up and running, and is robust, it seems that moving the assets from one
 continent to another has not been a source of concern to many users.
 The issuer himself is pretty important.  His physical location isn't so
 important -- everyone flies around these days -- but nobody has ever been able
 to gain trust in a system to date without reference to a real meatspace hook.
 And for good reason ... how do you take him to court?  (And if you are
 thinking of extra-jurisdictional transactions, how do you beat him to a pulp
 with a baseball bat?)

There's another point:  Suppose you come up with an ideal system which
preserves secrecy in the way you'd like.  How are you going to convince
assorted government agencies (eg the US Treasury Dept and its kin in
other countries) that your System won't be used for money laundering,
terrorist financing, or other nefarious purposes?

[N.b. I am *not* trying to start a flame war here, and in particular I
am *not* accusing anyone on this mailing list of nefarious purposes.
Rather, I'm asking a serious question about the practicality of anonymous
(crypto-enabled) financial services in the 21st century, namely, will
governments be willing to allow them to operate?]


-- Jonathan Thornburg -- remove -animal to reply [EMAIL PROTECTED]
   School of Mathematics, U of Southampton, England
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]