Re: Governance of anonymous financial services

2007-04-03 Thread Anne Lynn Wheeler

Ian G wrote:
OK, on the face of it, you seem to have been doing triple entry (with 
the twist of a hash).  Actually I am not so sure that it is even twisted 
... as you are simply saying that someone somewhere was logging the 
hash;  but not who was storing the receipts.


To point:  is this written up anywhere?  gollum  did I really ask 
that? ;)


I wrote this concept up in a paper and am very happy to expand to 
include other art and implementations, given more than copious free time...


http://iang.org/papers/triple_entry.html

I'm integrating (or should be) the work that Todd Boyle has done on 
accounting, because his concept is more rather than less analogous.


re:
http://www.garlic.com/~lynn/aadsm26.htm#44 Governance of anonymous financial services

so applying x9.59
http://www.garlic.com/~lynn/x959.html#x959

mapping to iso 8583 (i.e. credit transactions, debit transactions ... and even some
number of stored-value transactions carried by some point-of-sale terminal and ...
at least part of the financial network)
http://www.garlic.com/~lynn.8583flow.htm

you have the standard iso8583 financial transactions with a x9.59 addenda ... that
includes a digital signature, a hash of the receipt and some misc. other stuff.

existing infrastructure advises that both merchant and consumer retain (paper)
receipts (in case of disputes). x9.59 financial standard didn't specify/mandate how
that might be done ... but provided support for applications doing so.

the financial transaction was already required to be archived/logged for all sorts
of regulations and business processes (as evidenced by some number of recent breach
references).


In the mid-90s, the x9a10 financial standard working group had been given the
requirement to preserve the integrity of the financial infrastructure for ALL retail
payments. In numerous other references I've mentioned that doing so required taking
into account all sorts of considerations as part of the x9.59 standard (including
countermeasures to fraudulent transactions from breaches); it had to be extremely
lightweight because of numerous considerations when you are asked to consider ALL
retail transactions (including looking forward to various contactless, wireless,
cellphones, transit turnstiles, etc), and maximizing the optimal use of all the
existing processes and flows.

In any case, as a result, the x9.59 transaction would be logged/archived as part of
existing standard financial transaction processes ... which includes the digital
signature against the full transaction ... where the full transaction ... along with
the digital signature is being logged ... including the receipt hash and the
additional x9.59 specified fields.

the receipt, that is hashed, isn't specified as part of the x9.59 protocol standard
... but is assumed to be whatever is necessary to support resolution, in case of any
dispute (at least the equivalent of saying that both the merchant and consumer
retained paper receipt copies in the case of dispute).

we actually may have done too good a job. a lot of efforts that have worked on doing
similar or related efforts ... essentially viewed it as profit opportunities. the
x9a10 standards work viewed all the stuff as added expense ... to be aggressively
eliminated as much as possible. For instance in the AADS chip strawman
http://www.garlic.com/~lynn/x959.html#aads

in the mid-90s, i would semi-facetiously say that we would take a $500 mil-spec
part, aggressively cost reduce it by 2-3 orders of magnitude, increase its
security/integrity, have it form-factor agnostic (as well as being able to meet
contactless transit turnstile requirements).


to compound the problem ... we also did a bit of work on being able to change the
institutional-centric something you have authentication paradigm to a
person-centric paradigm ... i.e. rather than having one something per institution
... you could have one (or a very few) somethings per person (could be viewed as
creating the something you are biometric authentication analogy for something you
have authentication). misc. past posts mentioning 3-factor authentication paradigm
http://www.garlic.com/~lynn/subintegrity.html#3factor

so having something that was aggressively cost reduced by 2-3 orders of magnitude,
more secure ... and instead of having one per institution/environment (that a
person was involved with), they would have only one (or a very few). overall this
could have represented possibly four orders of magnitude cost reduction (that many
others were viewing as potential profit opportunity).

in any case, who would be the stakeholders interested in something that eliminates
nearly all fraud and nearly all costs?

a few past posts mentioning working on change-over to a person-centric paradigm:
http://www.garlic.com/~lynn/aadsm25.htm#7 Crypto to defend chip IP: snake oil or good idea?
http://www.garlic.com/~lynn/aadsm25.htm#42 Why security training is really important (and

Re: Governance of anonymous financial services

2007-04-03 Thread Anne Lynn Wheeler

re:
http://www.garlic.com/~lynn/aadsm26.htm#44 Governance of anonymous financial services
http://www.garlic.com/~lynn/aadsm26.htm#48 Governance of anonymous financial services

My wife has been gone five years and I've been gone for over a year (they had
corporate re-org in Dec '05) ... and we have no rights/interest ... but they
continue to trickle out
http://www.garlic.com/~lynn/aadssummary.htm

latest today (3Apr2007) ... hot off the press:
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2Sect2=HITOFFu=%2Fnetahtml%2FPTO%2Fsearch-adv.htmr=1p=1f=Gl=50d=PTXTS1=7200749.PN.OS=PN/7200749RS=PN/7200749

Method and system for using electronic communications for an electronic contract

Abstract

A method and system for digitally signing an electronic contract document. An
electronic communication contains an identifier, a message, which includes the
document, and a digital signature generated with a private key of an asymmetric key
pair (247). The identifier may be used to retrieve a corresponding public key (287)
and account information pertaining to the sender of the message. The public key may
be used to authenticate the sender and the message. A device containing the private
key may be used to protect the privacy thereof. The device may also generate a
verification status indicator corresponding to verification data input into the
device. The indicator may also be used as evidence that the sender of a contract
document performed an overt act in causing the electronic communication to be
digitally signed. A security profile linked to the public key in a secure database
indicates security characteristics of the device.


... snip ...

for a little drift ... slightly related to this recent posting in sci.crypt
http://www.garlic.com/~lynn/2007g.html#40 Electronic signature outside Europe

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Governance of anonymous financial services

2007-04-02 Thread Hagai Bar-El
Hello,

On 29/03/07 21:30, Steve Schear wrote:
 Here is the situation.  An on-line financial service, for example a DBC
 (Digital Bearer Certificate), operator wishes his meat space identity,
 physical whereabouts, the transaction servers and at least some of the
 location(s) of the service's asset backing to remain secret.  The
 service provides frequent, maybe even real-time, data on its asset
 backing versus currency in circulation. The operator wishes to provide
 some assurance to his clients that the backing and the amount of
 currency in circulation are in close agreement.  The mint's backing need
 not be in a single location nor in the sole possession of the operator.
 
 I realize this is a governance question but I suspect that crypto/data
 security may play a key role.
 
 Some questions:
 If independent auditors are used do they need to know the operator's
 identity?


Putting the crypto capabilities aside for a moment, what is the purpose
of auditing an anonymous legal entity?

Auditing, as I see it, can be used to serve two systems:

1. An intrinsically-enforced reputation system
2. An extrinsically-enforced legal system

When I take my hard earned money and deposit it with the local branch of
ABC bank, I do it while relying on two things:

1. The bank is part of a national legal trademarking system that
assures me that this branch having this nice red ABC logo, is the same
ABC Bank that all my friends use, along with millions of others, and so
far, they haven't been fooled and their money hasn't yet been stolen.

This #1 is something I can get from a pseudonym based system that is
accompanied by some auditing I trust, even if the bank is completely
anonymous. In the optimal installation you try to achieve, the auditor I
trust will be able to tell me: This bank, whose location you do not know,
and neither do I, has the backing for the currency it has in
circulation. I will also be able to tell it's the same bank my friends use.

2. The bank is part of a legal *enforcement* system, such that if the
bank takes my hard earned money and refuses to give it back to me, the
*human* manager of the bank will be put in *physical* handcuffs and
taken to a physical prison, where he cannot physically exercise his
freedoms, such as go to a pub, see his kids, etc. No web-site extortion,
no reduction of virtual credibility points, not even bad publicity;
jail. Real jail, with non-chosen roommates and bad meals. I want to know
that the enforcement system that the bank is subject to is one that can
lead to real jail before I trust a web-site with my real money. This is
along the lines of the baseball bat that Ian mentioned.

This is something I cannot get from a system in which there may be
auditing, but there is no chain connecting the digital world (as
intrinsically-enforced as it would be), and the physical world, that
offers better enforcement means, better matching my money's worth.

The enforcement that is offered by the legal system is tied to the
physical world and thus requires identifiability and personal (flesh --
not username) accountability. You can have a system do without it; have
only intrinsic enforcement without tying to the physical world, but I
believe its enforcement will never be strong enough to win the trust of
the masses when it comes to hard earned money.

At the end of the day, say everything works perfectly by your model, and
the intrinsic system can prove that there is a coin of gold for every $x
in circulation. How does the user know that he will ever see the sums he
put in circulation? He has a receipt, of course, but a receipt is just a
bunch of bits. These bits may prove to a third party that justice is
with the user, but what will link this justice back to money if the
bank's owner doesn't feel like paying?

I know this is not completely related to the questions you presented,
but more to the rationale of the entire system. I am just trying to
understand this better.

Regards,
Hagai.

-- 
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152 Web: www.hbarel.com



Re: Governance of anonymous financial services

2007-03-31 Thread Steve Schear

At 12:15 PM 3/30/2007, Hal Finney wrote:

 If the backing is distributed among a multitude of holders (e.g., in a
 fashion similar to how Lloyds backs their insurance empire), who's
 identities are kept secret until audit time and then only a few, randomly
 selected, names and claimed deposit amounts are revealed to the auditors,
 might this statistical sampling and the totals projected from the results
 be a reasonable replacement for 'full asset' audit?  To protect the
 identities of the holders could a complete list of the hashes of each name
 and claimed deposit be revealed to the auditors, who then select M of N
 hashes whereupon the operator reveals only those identities and claimed
 deposits work cryptographically?

One problem is the holders could collude and play a shell game.
Suppose that 30% of the holders were going to be asked to reveal their
assets, then the company could back only 30% of the currency, and
redistribute the assets to the selected holders before the auditors come.


How about this method?

1.) Auditors meet at a defined place and time.

2.) Courier arrives and presents a fraction N of M of the backing, one at
a time, to the auditors

3.) Auditors verify the fraction, account for it and enclose it in a
container with a unique hard to forge seal

4.) Courier leaves

5.) Steps 2-4 are repeated until the total of M has been presented to the
auditors

6.) In the second round, the auditors request the same fractions N of M
again. Not all N have to be presented, but can be

7.) One after another the couriers with the respective fractions present
them again to the auditors

8.) The auditors verify the seals, and remove them

9.) The couriers leave

There are two disadvantages to the process:
1.) It takes quite some time.
2.) It is expensive.

The advantages are:
1.) It is secure for the auditors and the operators.
2.) It presents the full backing.

Steve 




Re: Governance of anonymous financial services

2007-03-30 Thread Steve Schear

At 08:23 PM 3/29/2007, Allen wrote:

Steve,

I assume that you mean the owner of the on-line financial service when you 
say operator, correct? In which case what exactly are the auditors going 
to be looking at when comes time to audit but the operator's identity, 
whereabouts, the servers and a portion of the assets are undisclosed?


As we have seen in the prosecutions of large corporation officers knowing 
their identity is no guarantee that stakeholders will not be 
defrauded.  Can you explain why knowing the server whereabouts is 
required?  Certainly there are cryptographically sound ways (e.g., time 
stamps from independent and trusted sources, hash chaining, etc.) that anon 
DBC mints can provide transaction logs that can be publicly examined and 
verified without ever touching the server.



In a basic sense auditing is to see if the reality behind the books 
matches the books. That the number of sheaves of wheat you have in the 
warehouse match the number you have in the office. If you can not locate 
the reality what are you verifying?


The scenario described and method I proposed I think do address the 
identification of assets.  I maintain that random sampling can, when 
properly carried out, provide a mathematically sound confidence of the 
total size of assets.


I think, rather than governance, this goes to the heart of trust in 
relationships. Governance to me is more the process of verifying that the 
trust is not misplaced and that audits are simply one way, but only one of 
many ways, of quantifying the level of trust one can have in the relationship.


Agreed.

Steve 




Re: Governance of anonymous financial services

2007-03-30 Thread Hal Finney
Steve Schear writes:
 Here is the situation.  An on-line financial service, for example a DBC 
 (Digital Bearer Certificate), operator wishes his meat space identity, 
 physical whereabouts, the transaction servers and at least some of the 
 location(s) of the service's asset backing to remain secret...

Pretty tough to do much with crypto in this situation.  My rpow.net
software was an attempt to create what Nick Szabo called bit gold,
transferrable certificates that had intrinsic rarity.  It uses trusted
computing concepts to create RSA signatures that are backed by hash
collisions.  Unfortunately rarity does not automatically translate into
value, so even though the system was highly inflation-resistant it was
not too successful in attracting users.


 The service 
 provides frequent, maybe even real-time, data on its asset backing versus 
 currency in circulation. The operator wishes to provide some assurance to 
 his clients that the backing and the amount of currency in circulation are 
 in close agreement.  The mint's backing need not be in a single location 
 nor in the sole possession of the operator.

Maybe he could publish a picture of the backing commodities, and design
the system so that everyone could see how much money was in circulation?

Keep in mind that this is only part of the trust picture.  Showing that
the backing is there won't prevent this anonymous operator from absconding
with the funds in the future.  That would be one of my concerns if I
were a user.


 If the backing is distributed among a multitude of holders (e.g., in a 
 fashion similar to how Lloyds backs their insurance empire), who's 
 identities are kept secret until audit time and then only a few, randomly 
 selected, names and claimed deposit amounts are revealed to the auditors, 
 might this statistical sampling and the totals projected from the results 
 be a reasonable replacement for 'full asset' audit?  To protect the 
 identities of the holders could a complete list of the hashes of each name 
 and claimed deposit be revealed to the auditors, who then select M of N 
 hashes whereupon the operator reveals only those identities and claimed 
 deposits work cryptographically?

One problem is the holders could collude and play a shell game.
Suppose that 30% of the holders were going to be asked to reveal their
assets, then the company could back only 30% of the currency, and
redistribute the assets to the selected holders before the auditors come.

Hal



Re: Governance of anonymous financial services

2007-03-30 Thread Anne Lynn Wheeler

Ian G wrote:
E.g., Ricardian contracts (my stuff) take the user agreement as a 
document and bind it into each transaction by means of the hash of the 
contract;  they also ensure various other benefits such as the contract 
being available and readable to all at all times, and the acceptability 
of same, by the simple expedient of coding the decimalisation into the 
contract.  Ensuring that the contract is readable, applicable and is 
available to all is a huge win in any court case.


Other governance tricks:  the usage of signed receipts can be used to 
construct a full audit of the digital system. Also, signed receipts are 
strong evidence of a transaction, which leads by some logic to a new 
regime which we call triple entry accounting.  This dramatically changes 
the practice of accounting (which feeds into governance).


With DB side, one trick is to use pseudonym accounts for the basis, and 
this allows no-loss protocols to be created. Again, this is useful for 
governance, because if you have a lossy protocol, you have a potential 
for fraud.


we had done something analogous in the x9.59 financial standard. the x9a10
financial standard group had been given the requirement to preserve the
financial infrastructure for all retail payments. 
http://www.garlic.com/~lynn/x959.html#x959


digital signature on the transaction itself provided for end-to-end
strong authentication (armoring payment transaction as countermeasure
to various kinds of replay attacks ... as have been in the news recently
related to large data breaches and then being able to subsequently
use the information for fraudulent transactions).

one of the problems was that some of the other attempts at PKI-related
payments protocols in that period ... were creating enormous 
(two orders of magnitude) processing and  payload bloat

http://www.garlic.com/~lynn/subpubkey.html#bloat

one of the implied x9a10 requirements was efficiency, i.e. mechanism that could
be deployed in ALL environments (internet, point-of-sale, cellphone, etc) ...
and needed to be highly concerned about processing and payload efficiency.

the actual transaction is digitally signed ... and it is also the thing that
is authorized, logged, archived, audited, etc.

so part of x9.59 provided for a hash of the receipt (contract, bill-of-materials,
sku data, level 3 data, etc) as part of the digitally signed payload (as opposed to
including the whole receipt). Then in any subsequent dispute, if both parties didn't
produce identical receipts ... the hash from the audited/logged/archived transaction
could be used to determine the valid/correct receipt.

While the receipt wasn't part of the actual audited/archived/logged transaction,
the process provided a mechanism (in cases of disputes) for establishing the
legitimate receipt.

we claimed privacy agnostic for x9.59 ... i.e. there was an account number in the
protocol but the degree that any jurisdiction required a binding between an
account number and an individual was outside the x9.59 protocol. x9.59 was
designed so that it could be used for credit, debit, stored value, ach, etc.
In many jurisdictions, credit and debit can have some know your customer
requirements for financial institutions (binding between individuals
and account numbers) ... however there was 1) no requirement to divulge
such bindings during retail transactions and 2) x9.59 applies equally
well to stored-value retail transactions (where there is much less
frequently a requirement imposed for know your customer).
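The receipt-hash arrangement described in this post (and again in the 2007-04-03 reply earlier on this page), as an added Go example that is not Lynn's code and not the X9.59 wire format: the field layout, the Ed25519 signature and the receipt contents are assumptions made for illustration. A transaction carrying only the hash of the receipt is signed and logged; altering the logged record afterwards breaks the signature, and in a later dispute the archived hash picks out the legitimate receipt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is what gets authorized, logged and archived: payment fields plus
// a hash of the receipt, all under the consumer's signature (layout assumed).
type Transaction struct {
	Account     string // account number only; the protocol carries no identity
	Merchant    string
	AmountCents int64
	ReceiptHash [32]byte // the receipt itself is not part of the record
	Signature   []byte
}

// HashReceipt commits to the receipt bytes (contract, SKU data, level 3 data).
func HashReceipt(receipt []byte) [32]byte { return sha256.Sum256(receipt) }

// signedBytes is the canonical string the signature covers.
func signedBytes(t Transaction) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%x", t.Account, t.Merchant, t.AmountCents, t.ReceiptHash))
}

// Sign yields the transaction the merchant forwards and the network logs as-is.
func Sign(priv ed25519.PrivateKey, t Transaction) Transaction {
	t.Signature = ed25519.Sign(priv, signedBytes(t))
	return t
}

// Verify is the issuer's (and any later auditor's) end-to-end check.
func Verify(pub ed25519.PublicKey, t Transaction) bool {
	return ed25519.Verify(pub, signedBytes(t), t.Signature)
}

// ResolveDispute: when merchant and consumer later produce differing receipts,
// the hash in the archived transaction says which one is the legitimate copy.
func ResolveDispute(logged Transaction, merchantReceipt, consumerReceipt []byte) string {
	m := HashReceipt(merchantReceipt) == logged.ReceiptHash
	c := HashReceipt(consumerReceipt) == logged.ReceiptHash
	switch {
	case m && c:
		return "both"
	case m:
		return "merchant"
	case c:
		return "consumer"
	}
	return "neither"
}

func Scenario() (verified, tamperDetected bool, outcome string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	receipt := []byte("sku=4711 qty=2 total=4998 contract=v3") // constructed receipt
	tx := Sign(priv, Transaction{Account: "4111-0000-0000-1234", Merchant: "shop-17",
		AmountCents: 4998, ReceiptHash: HashReceipt(receipt)})
	verified = Verify(pub, tx)
	forged := tx
	forged.AmountCents = 49980 // any change after signing breaks the signature
	tamperDetected = !Verify(pub, forged)
	// The merchant's later receipt claims a larger total; only the consumer's matches.
	outcome = ResolveDispute(tx, []byte("sku=4711 qty=2 total=49980 contract=v3"), receipt)
	return verified, tamperDetected, outcome
}
```

Scenario returns true, true, "consumer": the signature verifies, the altered amount is detected, and the consumer's receipt is the one the archived hash confirms.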



Re: *AEI-SPAM-MARK* Re: Governance of anonymous financial services

2007-03-30 Thread Jonathan Thornburg
On Fri, 30 Mar 2007, Ian G wrote:
 The reserve assets' location(s) is fairly important from a customer trust
 perspective.  People look at the overall safety and make their own judgements.
 One person might decide that New York is safe and another will find that a
 horrible thought (for those who follow this arcane field, there was a big bust
 of a dodgy operator in NY some months back).  Having said that, once a system
 is up and running, and is robust, it seems that moving the assets from one
 continent to another has not been a source of concern to many users.
 
 The issuer himself is pretty important.  His physical location isn't so
 important -- everyone flies around these days -- but nobody has ever been able
 to gain trust in a system to date without reference to a real meatspace hook.
 And for good reason ... how do you take him to court?  (And if you are
 thinking of extra-jurisdictional transactions, how do you beat him to a pulp
 with a baseball bat?)

There's another point:  Suppose you come up with an ideal system which
preserves secrecy in the way you'd like.  How are you going to convince
assorted government agencies (eg the US Treasury Dept and its kin in
other countries) that your System won't be used for money laundering,
terrorist financing, or other nefarious purposes?

[N.b. I am *not* trying to start a flame war here, and in particular I
am *not* accusing anyone on this mailing list of nefarious purposes.
Rather, I'm asking a serious question about the practicality of anonymous
(crypto-enabled) financial services in the 21st century, namely, will
governments be willing to allow them to operate?]

ciao,

-- 
-- Jonathan Thornburg -- remove -animal to reply [EMAIL PROTECTED]
   School of Mathematics, U of Southampton, England
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam
