I doubt digital signatures will ever be used alone much for signing expensive contracts. Not every binding signature is on a contract. The signature at the bottom of a check is not signing a contract, but rather referencing a contract between the drawer of the check and the bank whereby the bank agrees to accept such checks. Expect models like this to proliferate, where one physical signature initiates the use of many digital signatures in a proper context. Such a system could be used, for example, in a new beast called a "contract proxy", which is the nominal end of some contract, but which is really standing in for some other party. Activity within a contract is not the same thing as a creating a contract. This is one of the very first things I learned in this field, and I thank Mike Godwin for pointing this out to me. I predict it will become common practice, or even law, that digitally signed contracts over a certain amount are automatically invalid unless further precuations have been taken (signatures of notary witnesses, or perhaps some better crypto protocol designed for this purpose). This prediction is either far too premature, since the whole technical and le al situation with use of digital signatures in _any_ form is not yet well enough developed, or totally tautological, since a digital signature as such is merely a string of bits with little other than mathematical interpretation. What is certain is that the social process involved in making digital signatures useful will be far more complicated than the software needed to make the digital signatures. We may yet find protocols to mitigate or limit this kind of fraud -- make change traceable if linked to double spending, "Traceable to what?" is the real question. One can consider systems traceable to persons or systems traceable to security deposits, for example. Reliance on law enforcement flies in the face of cypherpunk goals, and indeed against the goals of good cops as well A system that requires police for its stability is externalizing part of its security costs to the governments of jurisdiction. The taxpayers of such jurisdictions are subsidizing these enterprises. And in cases where the powers of the jurisdiction are weak or non-existent, be that by accident or design, these kinds of systems just won't work economically. A protocol that treats common accident the same as criminal fraud, when the stakes are so high, is pathological. And not only that, it requires trafficking in identity. [...] we may not even need to recongize fraud in online cash -- just treat all online double spending as accident. No bonding, secured accounts, investigators, ID badges or cops with guns busting down Janes's door after Iriving has million-spent her coins. The economics of charging for deposit attempts clearly prevents most double spending. There may well, however, be an economic win for an business which finds a way to save on clearing costs by eliminating the deposit charge in lieu of some other notion of assurance against abuse, like a secured account from which deposit fees are levied. If clearing costs are less than plausible offline cash fraud and fraud prevention costs, online cash is a winner, both now and increasingly in the future as bandwidth becomes even cheaper. I agree. It appears to the back of my envelope that communication and computation charges are dropping fast enough that by the time offline smartcards are economical enough to deploy, that online systems will be cheaper. Eric