Jason W Solinsky <solman@MIT.EDU> writes, quoting me:
One thing I don't follow here is under what circumstances a "challenge" will occur. Presumably Microsquish will not blindly accept all of Ingve's assurances since they are backed only by promises. Can Microsquish force Ingve to go to his clients and make them produce certificates? Who pays for that? Maybe if you factor in that cost it won't look so bad for Charles.
First, just let me note that there are a thousand ways to structure it. In my example, Microsquish gets to hold a challenge whenever they want to. If everybody is being honest Microsquish will lose eight nano-slinkys each time they challenge so they won't do it frequently. If everybody is not being honest, Microsquish will collect substantial damages.
One thing I'd add is that Charles still makes money whenever there is a challenge. If there were no challenges then there would be nothing to keep people honest. So it's not a matter of eliminating pay per use of certifications, it's just a matter of the frequency with which they are used vs other kinds. Also, as the challenges become less frequent, Charles can actually raise his rates and still let everyone else make money. He can even charge more than the 10 that Micro is paying for challenges, which he could probably not have done in the non-probabilistic (pre-Ingve) system. It sounds like Micro is paying the challenge fees (in at least one version) and if the penalties against cheaters are great enough it won't challenge very frequently, in which case a larger fee by Charles can be absorbed.
Lets just say that Charles isn't geting as much as he would like. Pay per use is good for the consumer... note the resentment that high software prices have created. Although everybody wins by adopting a system that better approximates reality, ala superdistribution (but we are dealing with authentication here, not information and after thinking about it alot I have decided that authentication is NOT necessarily a form of information in that you can easily demonstrate to somebody that you have been authenticated without giving them the ability to prove it to somebody else [again lets not get into a terminology debate, my point is that the intangible asset here has a different set of properties from the kind we usually deal with in information economy scenarios]), the consumer with his smaller buying power wins the most.
Another approach, BTW, is the "undeniable" signature, which allows an authorization which can only be checked with the cooperation of the issuer. (One of the ones Chaum came up with was described in a posting I made last weekend.) But again, the same "problem" arises where people could check only a fraction of signatures with voluntary penalty clauses. There is also the reseller who checks a signature interactively, paying Charles' fee, then sells his own certifications that you have a valid Charles certification, only these are use-many. The thing is, the amount of information being provided in a certification like this is so small (in effect, one bit) that the "information copying" problem hits pretty hard! If you can't stop people from copying a 1 MB game you're going to have a tough time keeping that single bit corralled.
Now that I think about it, its possible that I'm in error approaching this problem from a cryptographic standpoint. Maybe the correct course of action is to establish a cybergovernment which prohibits "Ingve the insurance salesman" attacks and then set up the fine structure such that the conspirators will have an enormous incentive to turn each other in.
These tend to be non-local solutions, with a lot of overhead and extra mechanisms. Maybe you can make it work with your "government" but I'm afraid you may come to lean on it as the solution to all of your problems. Why bother with cryptography for anything; just have a "government" where everybody has posted a ruinous bond which they forfeit if they break a "law", then legislate communications privacy, non- duplication of electronic cash, bit commitments, etc., with heavy incentives for people to report cheaters?
BTW, perhaps there is an easier solution: only permit Cherles's certifications to exist in an environment that he controls. Smart cards and remote computers can easily do this, although remote computers are undesirable due to their communications overhead.
Again, though, people could just swear they've seen a Charles certificate and these witnesses will undercut Charles. As I said, I think there will still be a place for per-use certifications, but the market will decide how much they are used vs other kinds. I don't think you should worry so much about trying to fine tune the system so this one technology wins. There are a lot of possibilities that people may come up with. Hal