From: norm@netcom.com (Norman Hardy) The hat check specifies the secure hash of the data, the penalty to be paid upon failure to produce the data, and the cost of redeeming the data. This sentence contains the single best idea in the whole proposal, which is to specify liquidated damages in the retrieval note. (Most of you will be saying, What?) One of the largest costs of any conflict resolution is deciding, once the existence of damage has been agreed upon, exactly what the scope and worth of that damage was. "Liquidated damages" are a term of art referring to a pre-agreed upon worth of the damage in question. One most often sees them in construction contracts, where the contractor will agree to pay a fixed amount per day for each day late. Rather than bickering over how much a delay is worth, the two parties agree in advance to value each day of delay at a given amount. This kind of agreement is cheaper _for both parties_ than going to court. In the data bank case, the liquidated damages are the amount to be paid upon failure to produce data. In this case, there's no need even to call it a penalty. The data bank agrees to produce either data or a fixed amount of money. They get to choose, and it will almost always be cheaper to remit data rather than money. The hat check is signed blindly by the bank and is a bearer instrument. There's no need to have it signed blind. A blind signature is useful when two parties have some persistent relationship with the intermediary; when they don't have identity, there's no need for blinding. Take, for example, a money bank. Two account holders who wish to transact also wish to keep that transaction secret; in order to do so, they use a blind-signed note, which prevents the linkage from being determined by the bank. The reason that the blind signature is necessary is that the two parties have accounts with the bank, that is, they are known to it in advance. These two wish not to create more information at the bank, that is, more information than is already known. On the other hand, this model of a data bank does not have account holders. The relationship between this data bank and its customers is embodied in the retrieval notes ("hat checks"). Furthermore, if two parties wish to move data through the data bank, the storage and the retrieval transactions can be trivially linked because they are about the _same_ piece of data. The hash of the stored data is the same as the hash of the retrieved data. Because data is not fungible -- one block of data is not like another -- the parties who use this data bank as a intermediary of transmission must remain anonymous to the data bank if they are to remain unlinked. A blind signature will not alleviate the need to remain anonymous to this data bank. Suppose (somehow) the data bank was able to sign blind the right sort of retrieval note. So fine, the retrieval note doesn't reveal the linkage directly. But the retrieval note must contain the hash of the data being retrieved. The hash can't change; it's the access key. So the unchanging part of the note is what gives the link away. We therefore conclude that there's no need for a blind signature here at all. Cancel a hat check: A holder of a hat check may sell it back to the bank at a negotiated price thus releasing the bank from the threat of paying a penalty in the future. This cancellation can't be done well. Remember that the parties are remaining anonymous to the data bank. In order to release the data bank of an obligation, some party would have to make some signed statement releasing the data bank from the obligation. But making a signature reveals identity, perforce. Furthermore the retrieval note is a bearer instrument, but it's a _digital_ bearer instrument, which means you can't simply give the note back to the data bank. There's no piece of paper to return. Once the note is out there, it's out there forever. There can be lots and lots of bearers. Which one of them gets to release the data bank of its obligation? The hat check may specify expiration dates, cancellation terms etc. The retrieval note very well should specify an expiration date, since otherwise the data bank has specified an obligation in perpetuity. A perpetual obligation is much less stable than a fixed-time one. The value to the data bank of disappearance grows larger as the cost of storing the data increases. No new external revenue is coming in (by definition -- otherwise you've got a renewable agreement, which is different) and all you've got is costs. So there becomes little reason not to simply abscond with the assets and deny any outstanding obligations. A customer, therefore, would be wise not to deal with a data bank which signed perpetual obligations. If a customer wants indefinitely long storage, the best way to do this is with a set of interlocking obligations with mutually ignorant parties. The bank is explicitly permitted to disseminate the data and may well do so to lay-off risks. In this sense a data bank is like in insurance company that spreads and shares risks. A hat check may be viewed as a life insurance policy for the data. This is exactly why liquidated damages are such a good idea. By making explicit the cost of data loss, a data bank can much more accurately calculate it's risks and costs. Indeed, the ability to lay off risk of loss is what can create a stable economy of data storage. There are lots of extraneous elements in the proposal that I've not addressed. I wish to highlight what is valuable and not to dwell on what is not. Eric