In message <9408251545.AA22928@ua.MIT.EDU> Jason W Solinsky writes:

Here is the situation. Charles runs a certification agency. He might be certifying that you have some basic competency so that people will hire you. [etc]

Either way, Charles's certification is worth money to you. But the value to you isn't a constant amount. Each time you use the certification, you derive additional value from it. So Charles figures that it makes much more sense to sell his certifications on a per use basis... [etc]

To do this Charles adopts a protocol in which his signatures are time dependent. Everybody can verify that his signatures a valid for the time at which a signature is required, but only Charles can figure out what the correct signature is for time T in polynomial time. [etc]

Enter Ingve the insurance salesman. Ingve will guarantee to others that you are certified by Charles by offering them bets. So suppose that Microsquish sends you its advertising agent and the agent is offering a 10 nano-slinkys [a cyberspatial monetary unit] bonus if you can produce one of Charles's certifications. Charles is charging 8 nano-slinkys. In steps Ingve. You've told Ingve that you are certified by Charles as a frequent purchaser of big brother inside computers. So Ingve says: "I'll convince Microsquish to accept my word that you have Charles's certification in exchange for just four nanoslinkys. But if at my request you ask for the certification and Charles's says you aren't certified then you owe me 64 nano-slinkys." Since you are sure that you are certified you accept the deal. Then Ingve goes to Microsquish and offers to insure your certification. Each time Microsquish accepts a certification from Ingve for you, Ingve will pay Microsquish 2 nano-slinkys but will be able to get your business (and thus offset that with the four nano-slinkys). But, if it turns whenever Microsquish wants to it can check up on your certification from Charles at cost (8 nano-slinkys). If Charles certifies you all is well. Otherwise, you owe Ingve 64 nano-slinkys and Ingve has to pay up Microsquish's insurance claim (which could be quite large depending on the policy.

The result of all this is that Charles is cheated out of his revenue. Ingve, You and Microsquish profit, but Charles fails to reap the benefits of his certification. The question is: Is there a secure method that charles can use to prevent the "Ingve the insurance salesman attack"?

This is one of these problems where there is less there than meets the eye. First, a distinction is made between Charley's type of certification and Ingve's: Charley provides absolute assurance and Ingve provides a guess. But in actuality nearly all certification is probabalistic. That is, Charley goes through some sort of process and decides that he takes very little risk in offering a certificate. But you can rarely be certain that anything is true. So both Charley and Ingve guess. Secondly, when Ingve makes a similar guess, he takes a quantifiable risk. If he guesses wrong, he pays a penalty to MS. You imply that Charley takes no similar risk. In fact he must. The risk may be quite visible (he posts a bond which he can lose, or the customer may sue for damages) or it may be less visible (customers will stop coming to him if his certifications are false). So Ingve and Charley both face a penalty if they guess wrong. Finally, you throw in a payment to MS so that Ingve pays something when he issues a certificate, but by omission you imply that Charley's certificates are cost free. However, if they were, than Ingve's rational course of action would be to do whatever cost-free mumbo jumbo Charley does and issue his own certificates. So Charlie's certification process must have a cost, and so we suspect that in fact Charlie is sometimes behaving just like Ingve. Sometimes Charlie just skips the expensive precertification steps and issues a certificate anyway, making an extra profit. This is a form of self-insurance. So they are both in the insurance business. At this point, the distinctions between Charlie and Ingve have largely vanished. Ingve is just a competitor. MS pays less for Ingve's certificates because Ingve is known to guess a lot, whereas Charlie is generally trusted more. You pay less to Ingve for the same reason. -- Jim Dixon