Re: Governance of anonymous financial services
re:
http://www.garlic.com/~lynn/aadsm26.htm#44 Governance of anonymous financial services
http://www.garlic.com/~lynn/aadsm26.htm#48 Governance of anonymous financial services

My wife has been gone five years and I've been gone for over a year (they had corporate re-org in Dec '05) ... and we have no rights/interest ... but they continue to trickle out
http://www.garlic.com/~lynn/aadssummary.htm

latest today (3Apr2007) ... hot off the press:
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.htm&r=1&p=1&f=G&l=50&d=PTXT&S1=7200749.PN.&OS=PN/7200749&RS=PN/7200749

Method and system for using electronic communications for an electronic contract

Abstract

A method and system for digitally signing an electronic contract document. An electronic communication contains an identifier, a message, which includes the document, and a digital signature generated with a private key of an asymmetric key pair (247). The identifier may be used to retrieve a corresponding public key (287) and account information pertaining to the sender of the message. The public key may be used to authenticate the sender and the message. A device containing the private key may be used to protect the privacy thereof. The device may also generate a verification status indicator corresponding to verification data input into the device. The indicator may also be used as evidence that the sender of a contract document performed an overt act in causing the electronic communication to be digitally signed. A security profile linked to the public key in a secure database indicates security characteristics of the device.

... snip ...

for a little drift ... slightly related to this recent posting in sci.crypt
http://www.garlic.com/~lynn/2007g.html#40 Electronic signature outside Europe

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Governance of anonymous financial services
Ian G wrote:

OK, on the face of it, you seem to have been doing triple entry (with the twist of a hash). Actually I am not so sure that it is even twisted ... as you are simply saying that someone somewhere was logging the hash; but not who was storing the receipts.

To point: is this written up anywhere? did I really ask that? ;) I wrote this concept up in a paper and am very happy to expand to include other art and implementations, given more than copious free time...
http://iang.org/papers/triple_entry.html

I'm integrating (or should be) the work that Todd Boyle has done on accounting, because his concept is more rather than less analogous.

re: http://www.garlic.com/~lynn/aadsm26.htm#44 Governance of anonymous financial services

so applying x9.59
http://www.garlic.com/~lynn/x959.html#x959
mapping to iso 8583 (i.e. credit transactions, debit transactions ... and even some number of stored-value transactions carried by some point-of-sale terminal and ... at least part of the financial network)
http://www.garlic.com/~lynn.8583flow.htm

you have the standard iso8583 financial transactions with a x9.59 addenda ... that includes a digital signature, a hash of the receipt and some misc. other stuff.

existing infrastructure advises that both merchant and consumer retain (paper) receipts (in case of disputes). x9.59 financial standard didn't specify/mandate how that might be done ... but provided for support for applications for doing.

the financial transaction was already required to be archived/logged for all sorts of regulations and business processes (as evidence some number of recent breach references).

In the mid-90s, the x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments.
In numerous other references I've mentioned that doing required taking into account all sorts of considerations as part of x9.59 standard (including countermeasures to fraudulent transactions from breaches), it had to be extremely lightweight because of numerous considerations when you are asked to consider ALL retail transactions (including looking forward to various contactless, wireless, cellphones, transit turnstiles, etc), and maximizing the optimal use of all the existing processes and flows.

In any case, as a result, the "x9.59" transaction would be logged/archived as part of existing standard financial transaction processes ... which includes the digital signature against the full transaction ... where the full transaction ... along with the digital signature is being logged ... including the receipt hash and the additional x9.59 specified fields.

the "receipt", that is hashed, isn't specified as part of the x9.59 protocol standard ... but is assumed to be whatever is necessary to support resolution, in case of any dispute (at least the equivalent of saying that both the merchant and consumer retained paper receipt copies in the case of dispute).

we actually may have done too good a job. a lot of efforts that have worked on doing similar or related efforts ... essentially viewed it as profit opportunities. the x9a10 standards worked view all the "stuff" as added expense ... to be aggressively eliminated as much as possible.

For instance in the AADS chip strawman
http://www.garlic.com/~lynn/x959.html#aads
in the mid-90s, i would semi-facetiously say that we would take a $500 mil-spec part, aggressively cost reduce it by 2-3 orders of magnitude, increase its security/integrity, have it form-factor agnostic (as well as being able to meet contactless transit turnstile requirements).

to compound the problem ...
we also did a bit of work on being able to change the institutional-centric "something you have" authentication paradigm to a person-centric paradigm ... i.e. rather than having one "something" per institution ... you could have one (or a very few) "somethings" per person (could be viewed as creating the "something you are" biometric authentication analogy for "something you have" authentication). misc. past posts mentioning 3-factor authentication paradigm
http://www.garlic.com/~lynn/subintegrity.html#3factor

so having something that was aggressively cost reduced by 2-3 orders of magnitude, more secure ... and instead of having one per institution/environment (that a person was involved with), they would have only one (or a very few). overall this could have represented possibly four orders of magnitude cost reduction (that many others were viewing as potential profit opportunity).

in any case, who would be the stake-holders interested in something that eliminates nearly all fraud and nearly all costs?

a few past posts mentioning working on change-over to a "person-centric" paradigm:
http://www.garlic.com/~lynn/aadsm25.htm#7 Crypto to defen
Re: Governance of anonymous financial services
Hello, On 29/03/07 21:30, Steve Schear wrote: > Here is the situation. An on-line financial service, for example a DBC > (Digital Bearer Certificate), operator wishes his meat space identity, > physical whereabouts, the transaction servers and at least some of the > location(s) of the service's asset backing to remain secret. The > service provides frequent, maybe even real-time, data on its asset > backing versus currency in circulation. The operator wishes to provide > some assurance to his clients that the backing and the amount of > currency in circulation are in close agreement. The mint's backing need > not be in a single location nor in the sole possession of the operator. > > I realize this is a governance question but I suspect that crypto/data > security may play a key role. > > Some questions: > If independent auditors are used do they need to know the operator's > identity? Putting the crypto capabilities aside for a moment, what is the purpose of auditing an anonymous legal entity? Auditing, as I see it, can be used to serve two systems: 1. An intrinsically-enforced reputation system 2. An extrinsically-enforced legal system When I take my hard earned money and deposit it with the local branch of ABC bank, I do it while relying on two things: 1. The bank is part of a national legal trademarking system that assures me that this branch having this nice red "ABC" logo, is the same ABC Bank that all my friends use, along with millions of others, and so far, they haven't been fooled and their money hasn't yet been stolen. This #1 is something I can get from a pseudonym based system that is accompanied by some auditing I trust, even if the bank is completely anonymous. In the optimal installation you try to achieve the auditor I trust will be able to tell me: "This bank, that you do not know where it is, and so don't I, has the backing for the currency it has in circulation." I will also be able to tell it's the same bank my friends use. 2. 
The bank is part of a legal *enforcement* system, such that if the bank takes my hard earned money and refuses to give it back to me, the *human* manager of the bank will be put in *physical* handcuffs and taken to a physical prison, where he cannot physically exercise his freedoms, such as go to a pub, see his kids, etc. No web-site extortion, no reduction of virtual credibility points, not even bad publicity; jail. Real jail, with non-chosen roommates and bad meals. I want to know that the enforcement system that the bank is subject to is one that can lead to real jail before I trust a web-site with my real money. This is along the lines of the baseball bat that Ian mentioned. This is something I cannot get from a system in which there may be auditing, but there is no chain connecting the digital world (as intrinsically-enforced as it would be), and the physical world, that offers better enforcement means, better matching my money's worth. The enforcement that is offered by the legal system is tied to the physical world and thus requires identifiability and personal (flesh -- not username) accountability. You can have a system do without it; have only intrinsic enforcement without tying to the physical world, but I believe its enforcement will never be strong enough to win the trust of the masses when it comes to hard earned money. At the end of the day, say everything works perfectly by your model, and the intrinsic system can prove that there is a coin of gold for every $x in circulation. How does the user know that he will ever see the sums he put in circulation. He has a receipt, of course, but a receipt is just a bunch of bits. These bits may prove to a third party that justice is with the user, but what will link this justice back to money if the bank's owner doesn't feel like paying? I know this is not completely related to the questions you presented, but more to the rationale of the entire system. I am just trying to understand this better. 
Regards, Hagai.
-- Hagai Bar-El - Information Security Analyst T/F: 972-8-9354152 Web: www.hbarel.com
Re: Governance of anonymous financial services
Steve Schear wrote:

[snip]

One problem is the holders could collude and play a "shell game". Suppose that 30% of the holders were going to be asked to reveal their assets, then the company could back only 30% of the currency, and redistribute the assets to the selected holders before the auditors come.

How about this method?

1.) Auditors meet at a defined place and time.
2.) Courier arrives and presents a fraction N of M of the backing, once at a time, to the auditors
3.) Auditors verify the fraction, account for it and enclose it in a container with a unique hard to forge seal
4.) Courier leaves
5.) Step 2-4 are repeated until the total of M has been presented to the auditors
6.) In the second round, the auditors request the same fractions N of M again. Not all N have to be presented, but can be
7.) One after another the couriers with the respective fractions present them again to the auditors
8.) The auditors verify the seals, and remove them
9.) The couriers leave

There are two disadvantages to the process:

1.) It takes quite some time.
2.) It is expensive

The advantages are:

1.) It is secure for the auditors and the operators
2.) It presents the full backing

Although your schema is quite good I think it fails to account for the underhanded nature of some humans and the benefits to be gained under some situations. Think about the counterfeiting of all currency (even US) by the British during WWII, think about counterfeiting in general, stocks, bonds, salted mines, and the host of other scams that have happened over time. One common factor is that as the protections get better, the skill of the nefarious improves.

The other limitation of your schema is that the fractions without seals on the second round can not be verified until there is a third round, and then the unsealed fractions on the third round can not be verified until the fourth round, etc.
Because of this you have to seal all assets and leave them sealed until the next audit to prevent the same unsealed package from being presented twice.

Simply put if there are 100 fractions alleged and the auditors request 30, which are then sealed. On the second round they request 30, if the math was perfect and no randomness crept in, the second lot of 30 should contain about 9 sealed packages and 21 unsealed. This could be met by having only 51 fractions total. So you add a few more for safety and you need maybe 60, quite a shortfall from 100.

For a quick look at the other schema proposed using cross signed transactions and other cryptographic methods, there is the human arrogance factor to consider. Some people, like the Yellow Kid, are very convincing in their lies and will happily sign any document alleging that the moon is made of green cheese and that the Lunar Landing was a fraud foisted off on a gullible public because they figure the odds of them being caught are so small and so far in the future that they will have been able to hie themselves off to an untouchable spot like some overthrown tin pot dictator from South America and live in splendor the rest of their natural days. It is only a very short step from this to stock fraud and other financial scandals that we have seen over the last few years.

As I see it, cryptography is an excellent tool to raise the barrier to the less skillful, but it is, like all tools, manipulated by humans. Some are more skillful in their use of tools than others and find creative ways to solve problems.

A small sample. Do you know what a dent puller is? It's a slide hammer with a screw on the tip that you screw into the sheet metal of the dents in your car to render the surface flatter so it can be treated with Bondo and paint to make it look like it was never there. Guess what?
Some clever person realized that some common door locks could be broken with the same device so for a while there was a lot of breaking and entering with this tool. Another, and more recent, case is the Kryptonite bike and motorcycle lock. Thick, hardened steel not easily cracked, except by some 17 year old bike shop kid with a 19 cent Bic pen.

This is a great subject with lots to explore, both technically and socially. I love it and all the wonderful thinking it brings out.

Best, Allen
Re: Governance of anonymous financial services
At 12:15 PM 3/30/2007, Hal Finney wrote:

> If the backing is distributed among a multitude of holders (e.g., in a
> fashion similar to how Lloyds backs their insurance empire), whose
> identities are kept secret until audit time and then only a few, randomly
> selected, names and claimed deposit amounts are revealed to the auditors,
> might this statistical sampling and the totals projected from the results
> be a reasonable replacement for 'full asset' audit? To protect the
> identities of the holders could a complete list of the hashes of each name
> and claimed deposit be revealed to the auditors, who then select M of N
> hashes whereupon the operator reveals only those identities and claimed
> deposits work cryptographically?

One problem is the holders could collude and play a "shell game". Suppose that 30% of the holders were going to be asked to reveal their assets, then the company could back only 30% of the currency, and redistribute the assets to the selected holders before the auditors come.

How about this method?

1.) Auditors meet at a defined place and time.
2.) Courier arrives and presents a fraction N of M of the backing, once at a time, to the auditors
3.) Auditors verify the fraction, account for it and enclose it in a container with a unique hard to forge seal
4.) Courier leaves
5.) Step 2-4 are repeated until the total of M has been presented to the auditors
6.) In the second round, the auditors request the same fractions N of M again. Not all N have to be presented, but can be
7.) One after another the couriers with the respective fractions present them again to the auditors
8.) The auditors verify the seals, and remove them
9.) The couriers leave

There are two disadvantages to the process:

1.) It takes quite some time.
2.) It is expensive

The advantages are:

1.) It is secure for the auditors and the operators
2.) It presents the full backing

Steve
Re: *AEI-SPAM-MARK* Re: Governance of anonymous financial services
On Fri, 30 Mar 2007, Ian G wrote: > The reserve assets' location(s) is fairly important from a customer trust > perspective. People look at the overall safety and make their own judgements. > One person might decide that New York is safe and another will find that a > horrible thought (for those who follow this arcane field, there was a big bust > of a dodgy operator in NY some months back). Having said that, once a system > is up and running, and is robust, it seems that moving the assets from one > continent to another has not been a source of concern to many users. > > The issuer himself is pretty important. His physical location isn't so > important -- everyone flies around these days -- but nobody has ever been able > to gain trust in a system to date without reference to a real meatspace hook. > And for good reason ... how do you take him to court? (And if you are > thinking of extra-jurisdictional transactions, how do you beat him to a pulp > with a baseball bat?) There's another point: Suppose you come up with an ideal system which preserves secrecy in the way you'd like. How are you going to convince assorted government agencies (eg the US Treasury Dept and its kin in other countries) that your System won't be used for money laundering, terrorist financing, or other nefarious purposes? [N.b. I am *not* trying to start a flame war here, and in particular I am *not* accusing anyone on this mailing list of nefarious purposes. Rather, I'm asking a serious question about the practicality of anonymous (crypto-enabled) financial services in the 21st century, namely, will governments be willing to allow them to operate?] ciao, -- -- "Jonathan Thornburg -- remove -animal to reply" <[EMAIL PROTECTED]> School of Mathematics, U of Southampton, England "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." 
-- quote by Freire / poster by Oxfam
Re: Governance of anonymous financial services
Ian G wrote:

E.g., Ricardian contracts (my stuff) take the user agreement as a document and bind it into each transaction by means of the hash of the contract; they also ensure various other benefits such as the contract being available and readable to all at all times, and the acceptability of same, by the simple expedient of coding the decimalisation into the contract. Ensuring that the contract is readable, applicable and is available to all is a huge win in any court case.

Other governance tricks: the usage of signed receipts can be used to construct a full audit of the digital system. Also, signed receipts are strong evidence of a transaction, which leads by some logic to a new regime which we call triple entry accounting. This dramatically changes the practice of accounting (which feeds into governance).

With DB side, one trick is to use pseudonym accounts for the basis, and this allows no-loss protocols to be created. Again, this is useful for governance, because if you have a lossy protocol, you have a potential for fraud.

we had done something analogous in the x9.59 financial standard. the x9a10 financial standard group had been given the requirement to preserve the financial infrastructure for all retail payments.
http://www.garlic.com/~lynn/x959.html#x959

digital signature on the transaction itself provided for end-to-end strong authentication (armoring payment transaction as countermeasure to various kinds of replay attacks ... as have been in the news recently related to large data breaches and then being able to subsequently use the information for fraudulent transactions).

one of the "problems" was that some of the other attempts at PKI-related payments protocols in that period ... were creating enormous (two orders of magnitude) processing and payload bloat
http://www.garlic.com/~lynn/subpubkey.html#bloat

one of the implied x9a10 requirements was efficiency, i.e.
mechanism that could be deployed in ALL environments (internet, point-of-sale, cellphone, etc) ... and needed to be highly concerned about processing and payload efficiency.

the actual transaction is digitally signed ... and it is also the thing that is authorized, logged, archived, audited, etc.

so part of x9.59 provided for a hash of the receipt (contract, bill-of-materials, sku data, "level 3" data, etc) as part of the digitally signed payload (as opposed to including the whole receipt). Then in any subsequent dispute, if both parties didn't produce identical receipts ... the hash from the audited/logged/archived transaction could be used to determine the valid/correct receipt. While the receipt wasn't part of the actual audited/archived/logged transaction, the process provided a mechanism (in cases of disputes) for establishing the legitimate receipt.

we claimed privacy agnostic for x9.59 ... i.e. there was an account number in protocol but the degree that any jurisdiction required a binding between an account number and an individual was outside the x9.59 protocol. x9.59 was designed so that it could be used for credit, debit, stored value, ach, etc. In many jurisdictions, credit & debit can have some "know your customer" requirements for financial institutions (binding between individuals and account numbers) ... however there was 1) no requirement to divulge such bindings during retail transactions and 2) x9.59 applies equally well to stored-value retail transactions (where there is much less frequently a requirement imposed for "know your customer").
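The receipt-hash dispute resolution described in the message above, as an added example that is not part of the original post or of the x9.59 standard. The field names (`account`, `amount_cents`, `receipt_hash`) are hypothetical, and an HMAC stands in for the digital signature so the block runs on the standard library alone; it does not provide the non-repudiation a real signature would.

```python
import hashlib
import hmac
import json


def receipt_hash(receipt: bytes) -> str:
    """SHA-256 of the receipt bytes; only this digest travels in the transaction."""
    return hashlib.sha256(receipt).hexdigest()


def _encode(payload: dict) -> bytes:
    # Deterministic encoding so that both sides authenticate the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_transaction(account: str, amount_cents: int, receipt: bytes, key: bytes) -> dict:
    """Create the archived record: payload (including the receipt hash) plus auth tag.

    Assumption: HMAC-SHA256 replaces the signature over the full transaction.
    """
    payload = {
        "account": account,
        "amount_cents": amount_cents,
        "receipt_hash": receipt_hash(receipt),
    }
    tag = hmac.new(key, _encode(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "auth": tag}


def transaction_is_authentic(txn: dict, key: bytes) -> bool:
    """Check that the archived payload, receipt hash included, is unmodified."""
    expected = hmac.new(key, _encode(txn["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, txn["auth"])


def resolve_dispute(txn: dict, key: bytes, receipts: dict) -> list:
    """Return the parties whose presented receipt matches the logged hash.

    receipts maps a party name to the receipt bytes that party presents.
    The archived transaction is authenticated first: a hash taken from a
    record that fails authentication settles nothing.
    """
    if not transaction_is_authentic(txn, key):
        raise ValueError("archived transaction fails authentication")
    logged = txn["payload"]["receipt_hash"]
    return [
        party
        for party, presented in receipts.items()
        if hmac.compare_digest(receipt_hash(presented), logged)
    ]


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    key = b"\x01" * 32
    original = b"1 x widget @ 19.99; ship to: customer address"
    altered = b"1 x widget @ 19.99; no refunds; ship to: customer address"
    txn = build_transaction("acct-0001", 1999, original, key)
    print(resolve_dispute(txn, key, {"consumer": original, "merchant": altered}))
```
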
Re: Governance of anonymous financial services
Steve Schear wrote: Here is the situation. An on-line financial service, for example a DBC (Digital Bearer Certificate), operator wishes his meat space identity, physical whereabouts, the transaction servers and at least some of the location(s) of the service's asset backing to remain secret. The service provides frequent, maybe even real-time, data on its asset backing versus currency in circulation. The operator wishes to provide some assurance to his clients that the backing and the amount of currency in circulation are in close agreement. The mint's backing need not be in a single location nor in the sole possession of the operator. The servers are not so relevant, as long as you have created legally firm transactions. Although, in the event of collapse, the data trail suddenly becomes of critical importance, so there are limits to that. The reserve assets' location(s) is fairly important from a customer trust perspective. People look at the overall safety and make their own judgements. One person might decide that New York is safe and another will find that a horrible thought (for those who follow this arcane field, there was a big bust of a dodgy operator in NY some months back). Having said that, once a system is up and running, and is robust, it seems that moving the assets from one continent to another has not been a source of concern to many users. The issuer himself is pretty important. His physical location isn't so important -- everyone flies around these days -- but nobody has ever been able to gain trust in a system to date without reference to a real meatspace hook. And for good reason ... how do you take him to court? (And if you are thinking of extra-jurisdictional transactions, how do you beat him to a pulp with a baseball bat?) I realize this is a governance question but I suspect that crypto/data security may play a key role. It does ... but only after the full governance story is put into place. 
Then, we can look at ways to solve certain governance problems with crypto.

E.g., Ricardian contracts (my stuff) take the user agreement as a document and bind it into each transaction by means of the hash of the contract; they also ensure various other benefits such as the contract being available and readable to all at all times, and the acceptability of same, by the simple expedient of coding the decimalisation into the contract. Ensuring that the contract is readable, applicable and is available to all is a huge win in any court case.

Other governance tricks: the usage of signed receipts can be used to construct a full audit of the digital system. Also, signed receipts are strong evidence of a transaction, which leads by some logic to a new regime which we call triple entry accounting. This dramatically changes the practice of accounting (which feeds into governance).

With DB side, one trick is to use pseudonym accounts for the basis, and this allows no-loss protocols to be created. Again, this is useful for governance, because if you have a lossy protocol, you have a potential for fraud.

Some questions: If independent auditors are used do they need to know the operator's identity?

The essence is the contract. In a classical online financial offering, this contract defaults to the user agreement. This contract offers things to the user, and it offers it in the name of the Issuer. If the contract offers nothing, you don't care who the Issuer is. (Some contracts do offer you nothing...)

An Independent Auditor (of a valuable contract) would need to know the pedigree of the Issuer. In evaluating the contract that is extended between the issuer and the holders of value, there needs to be some "meatspace mass" that says that the various clauses in the contract can be met. E.g., If the issuer is totally anonymous and the contract says that the issuer will be good for a million of personal assets backing then this is a difficult clause to believe in.
What aspects of good governance can be brought to bear on this situation so that the operator's interests are more aligned with its clients? Well, one of the things that is normally done is that the assets that reserve the contractual promises can be audited in some fashion. For the gold people it was commonly suggested that cameras be used; another possibility was to conduct an audit of reserves from time to time with a person of known integrity and independence, a different one each time, under the cameras. Has anyone explored this from a math-crypto view? It's well explored in Ricardo (my stuff). The digital side is capable of being fully and completely audited (not that it is, but the signed receipt structure allows it). 5PM and the balance sheet approach tie the numbers to the contract and then across to the physical assets. 5PM can also be used to control the physical assets to a lesser extent, but there we f
Re: Governance of anonymous financial services
Steve Schear writes:

> Here is the situation. An on-line financial service, for example a DBC
> (Digital Bearer Certificate), operator wishes his meat space identity,
> physical whereabouts, the transaction servers and at least some of the
> location(s) of the service's asset backing to remain secret...

Pretty tough to do much with crypto in this situation. My rpow.net software was an attempt to create what Nick Szabo called "bit gold", transferrable certificates that had intrinsic rarity. It uses trusted computing concepts to create RSA signatures that are backed by hash collisions. Unfortunately rarity does not automatically translate into value, so even though the system was highly inflation-resistant it was not too successful in attracting users.

> The service
> provides frequent, maybe even real-time, data on its asset backing versus
> currency in circulation. The operator wishes to provide some assurance to
> his clients that the backing and the amount of currency in circulation are
> in close agreement. The mint's backing need not be in a single location
> nor in the sole possession of the operator.

Maybe he could publish a picture of the backing commodities, and design the system so that everyone could see how much money was in circulation?

Keep in mind that this is only part of the trust picture. Showing that the backing is there won't prevent this anonymous operator from absconding with the funds in the future. That would be one of my concerns if I were a user.

> If the backing is distributed among a multitude of holders (e.g., in a
> fashion similar to how Lloyds backs their insurance empire), whose
> identities are kept secret until audit time and then only a few, randomly
> selected, names and claimed deposit amounts are revealed to the auditors,
> might this statistical sampling and the totals projected from the results
> be a reasonable replacement for 'full asset' audit? To protect the
> identities of the holders could a complete list of the hashes of each name
> and claimed deposit be revealed to the auditors, who then select M of N
> hashes whereupon the operator reveals only those identities and claimed
> deposits work cryptographically?

One problem is the holders could collude and play a "shell game". Suppose that 30% of the holders were going to be asked to reveal their assets, then the company could back only 30% of the currency, and redistribute the assets to the selected holders before the auditors come.

Hal
Re: Governance of anonymous financial services
At 08:23 PM 3/29/2007, Allen wrote:

Steve, I assume that you mean the owner of the on-line financial service when you say "operator," correct? In which case what exactly are the auditors going to be looking at when comes time to audit but the operator's identity, whereabouts, the servers and a portion of the assets are undisclosed?

As we have seen in the prosecutions of large corporation officers knowing their identity is no guarantee that stakeholders will not be defrauded. Can you explain why knowing the server whereabouts is required? Certainly there are cryptographically sound ways (e.g., time stamps from independent and trusted sources, hash chaining, etc.) that anon DBC mints can provide transaction logs that can be publicly examined and verified without ever touching the server.

In a basic sense auditing is to see if the reality behind the books matches the books. That the number of sheaves of wheat you have in the warehouse match the number you have in the office. If you can not locate the reality what are you verifying?

The scenario described and method I proposed I think do address the identification of assets. I maintain that random sampling can, when properly carried out, provide a mathematically sound confidence of the total size of assets.

I think, rather than governance, this goes to the heart of trust in relationships. Governance to me is more the process of verifying that the trust is not misplaced and that audits are simply one way, but only one of many ways, of quantifying the level of trust one can have in the relationship.

Agreed.

Steve
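The hash-list-then-sample audit discussed in this thread, worked through as an added example that is not code from any poster. The salt, the record encoding and all function names are assumptions made here; the code covers only the commitments and the sampling arithmetic, since whether a revealed holder actually holds the deposit is a physical check, and the probability shown holds only if assets cannot be moved after the sample is chosen.

```python
import hashlib
import hmac
import secrets
from math import comb


def commit(name: str, amount: int, salt: bytes) -> str:
    """Salted SHA-256 commitment to one holder's name and claimed deposit.

    The salt (an assumption added here) stops an auditor from guessing a
    name/amount pair and confirming it against the published hash.
    """
    name_bytes = name.encode()
    record = (
        salt
        + len(name_bytes).to_bytes(4, "big")   # length prefix: unambiguous parsing
        + name_bytes
        + amount.to_bytes(16, "big")
    )
    return hashlib.sha256(record).hexdigest()


def publish(holders):
    """Operator side: returns (public commitments, private openings)."""
    openings = [(name, amount, secrets.token_bytes(16)) for name, amount in holders]
    commitments = [commit(n, a, s) for n, a, s in openings]
    return commitments, openings


def select(n: int, m: int) -> list:
    """Auditor side: choose M of N indices after the commitments are fixed."""
    return sorted(secrets.SystemRandom().sample(range(n), m))


def verify_reveals(commitments, reveals):
    """Check each opening against its commitment.

    reveals maps index -> (name, amount, salt). Returns (ok, sampled_total);
    a single mismatch fails the whole audit.
    """
    total = 0
    for idx, (name, amount, salt) in reveals.items():
        if not hmac.compare_digest(commit(name, amount, salt), commitments[idx]):
            return False, 0
        total += amount
    return True, total


def projected_total(sampled_total: int, n: int, m: int) -> float:
    """Scale the verified sample up to an estimate for all N holders."""
    return sampled_total * n / m


def detection_probability(n: int, unbacked: int, m: int) -> float:
    """Chance that a uniform sample of m of n holders hits at least one
    holder who cannot produce the claimed deposit (hypergeometric)."""
    return 1 - comb(n - unbacked, m) / comb(n, m)


if __name__ == "__main__":
    # Constructed sample data: ten holders, 100 units each.
    holders = [(f"holder-{i}", 100) for i in range(10)]
    commitments, openings = publish(holders)
    chosen = select(len(commitments), 3)
    ok, subtotal = verify_reveals(commitments, {i: openings[i] for i in chosen})
    print(ok, projected_total(subtotal, len(commitments), len(chosen)))
    # 100 holders, 30 sampled: how likely is a shortfall to be caught?
    for missing in (1, 5, 20, 70):
        print(missing, round(detection_probability(100, missing, 30), 4))
```
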
Re: Governance of anonymous financial services
Steve,

I assume that you mean the owner of the on-line financial service when you say "operator," correct? In which case what exactly are the auditors going to be looking at when comes time to audit but the operator's identity, whereabouts, the servers and a portion of the assets are undisclosed?

In a basic sense auditing is to see if the reality behind the books matches the books. That the number of sheaves of wheat you have in the warehouse match the number you have in the office. If you can not locate the reality what are you verifying?

I've been involved after a compliance audit that in reality was totally bogus because some aspects of the business in question - a financial institution at that - did not have an accurate org chart so the unit that was clearly out of compliance in their use of private data which wasn't being protected properly didn't even get looked at. This is a business with a major physical presence and yet the auditor's stamp of approval meant nothing.

I think, rather than governance, this goes to the heart of trust in relationships. Governance to me is more the process of verifying that the trust is not misplaced and that audits are simply one way, but only one of many ways, of quantifying the level of trust one can have in the relationship.

My sense is that cryptography's role in this is to protect the assets from external forces, not verifying that insiders haven't cooked the books. However, I have been known to be wrong a time or two.

Best,
Allen

Steve Schear wrote:

> Here is the situation. An on-line financial service, for example a DBC (Digital Bearer Certificate), operator wishes his meat space identity, physical whereabouts, the transaction servers and at least some of the location(s) of the service's asset backing to remain secret. The service provides frequent, maybe even real-time, data on its asset backing versus currency in circulation.
>
> The operator wishes to provide some assurance to his clients that the backing and the amount of currency in circulation are in close agreement. The mint's backing need not be in a single location nor in the sole possession of the operator. I realize this is a governance question but I suspect that crypto/data security may play a key role.
>
> Some questions:
>
> If independent auditors are used do they need to know the operator's identity?
>
> What aspects of good governance can be brought to bear on this situation so that the operator's interests are more aligned with its clients?
>
> Has anyone explored this from a math-crypto view?
>
> If the backing is distributed among a multitude of holders (e.g., in a fashion similar to how Lloyds backs their insurance empire), whose identities are kept secret until audit time and then only a few, randomly selected, names and claimed deposit amounts are revealed to the auditors, might this statistical sampling and the totals projected from the results be a reasonable replacement for 'full asset' audit?
>
> To protect the identities of the holders could a complete list of the hashes of each name and claimed deposit be revealed to the auditors, who then select M of N hashes whereupon the operator reveals only those identities and claimed deposits work cryptographically?
>
> Steve
Governance of anonymous financial services
Here is the situation. An on-line financial service, for example a DBC (Digital Bearer Certificate), operator wishes his meat space identity, physical whereabouts, the transaction servers and at least some of the location(s) of the service's asset backing to remain secret. The service provides frequent, maybe even real-time, data on its asset backing versus currency in circulation.

The operator wishes to provide some assurance to his clients that the backing and the amount of currency in circulation are in close agreement. The mint's backing need not be in a single location nor in the sole possession of the operator. I realize this is a governance question but I suspect that crypto/data security may play a key role.

Some questions:

If independent auditors are used do they need to know the operator's identity?

What aspects of good governance can be brought to bear on this situation so that the operator's interests are more aligned with its clients?

Has anyone explored this from a math-crypto view?

If the backing is distributed among a multitude of holders (e.g., in a fashion similar to how Lloyds backs their insurance empire), whose identities are kept secret until audit time and then only a few, randomly selected, names and claimed deposit amounts are revealed to the auditors, might this statistical sampling and the totals projected from the results be a reasonable replacement for 'full asset' audit?

To protect the identities of the holders could a complete list of the hashes of each name and claimed deposit be revealed to the auditors, who then select M of N hashes whereupon the operator reveals only those identities and claimed deposits work cryptographically?

Steve
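The hash-list and M-of-N sampling audit asked about in this thread, as an added Python sketch that is not code from any of the posters: the operator publishes salted commitments, the auditor samples after publication, checks each opening, and projects the total. The function names, the per-holder salt, the length-prefixed encoding and the sample holders are assumptions of this example; `miss_probability` gives the chance a sample contains no unbacked holder, which is only meaningful if assets cannot be moved between selection and inspection (the "shell game" raised in the reply above).

```python
import hashlib
import hmac
import secrets
from math import comb

def commit(name, deposit, salt):
    """Salted SHA-256 commitment to one (name, claimed deposit) pair."""
    parts = (salt, name.encode(), str(deposit).encode())
    # Length-prefix each field so field boundaries cannot be shifted.
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.sha256(data).hexdigest()

def publish(holders):
    """Operator: return (public commitment list, private openings)."""
    # A random salt stops auditors guessing names from a bare hash.
    openings = [(n, d, secrets.token_bytes(16)) for n, d in holders]
    return [commit(*o) for o in openings], openings

def select(n, m):
    """Auditor: pick M of N indices, only after the list is published."""
    return sorted(secrets.SystemRandom().sample(range(n), m))

def opens(commitment, opening):
    """True if the revealed (name, deposit, salt) matches the commitment."""
    return hmac.compare_digest(commitment, commit(*opening))

def audit(commitments, openings, found, m):
    """Check M sampled openings against assets the auditor found.

    found maps holder name -> verified amount. Returns the projected
    total backing, or raises ValueError on any mismatch.
    """
    total = 0
    for i in select(len(commitments), m):
        name, claimed, _ = openings[i]
        if not opens(commitments[i], openings[i]):
            raise ValueError(f"commitment {i} does not open")
        if found.get(name, 0) < claimed:
            raise ValueError(f"holder {i} is short of the claimed deposit")
        total += claimed
    return total * len(commitments) / m

def miss_probability(n, unbacked, m):
    """Chance a uniform M-of-N sample contains no unbacked holder."""
    return comb(n - unbacked, m) / comb(n, m)

# Constructed sample data, not from the thread.
HOLDERS = [("holder-a", 100), ("holder-b", 200),
           ("holder-c", 300), ("holder-d", 400)]
```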