Re: Moving beyond "Reputation"--the Market View of Reality
Right. Now the seller has the cash, and the buyer has nothing. The seller has lost only the future value of the nym, which was presumably accounted for in the price. The seller loses no "real" reputation, because the nym can't be tied back to the is-a-person seller. The buyer, meanwhile, is out the price of the nym, and must either destroy the nym in order to ensure that the seller actually loses all that value, or accept damaged goods. So, why would a buyer agree to such a transaction, where he will remain at the mercy of the seller? Or is this 'one born every minute' economics? Adam On Fri, Nov 30, 2001 at 02:43:54PM -0500, Sunder wrote: | Following which the buyer posts all the signed emails between self and | seller detailing the fraudulent transaction. | | ----------------------Kaos-Keraunos-Kybernetos--------------------------- | + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\ | \|/ :aren't security. A |share them, you don't hang them on your/\|/\ | <--*-->:camera won't stop a |monitor, or under your keyboard, you \/|\/ | /|\ :masked killer, but |don't email them, or put them on a web \|/ | + v + :will violate privacy|site, and you must change them very often. | --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------ | | On Fri, 30 Nov 2001, Adam Shostack wrote: | | > Following which, Alice pulls out the pre-dated revocation certificate, | > and generates confusion as to the validity of Bob's key change message. | > | > Duh, indeed. | > | > Adam | > | > On Fri, Nov 30, 2001 at 01:34:53PM -0500, Sunder wrote: | > | Simple. Once the buyer has the keys she issues an email saying "I'm | > | changing my keys, here's the new public key" and signs it with the old key | > | - thus proving that the nym's original message was valid, thus | > | invalidating the old one. Duh! | > | | > | | > | ----------------------Kaos-Keraunos-Kybernetos--------------------------- | > | + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\ | > | \|/ :aren't security. A |share them, you don't hang them on your/\|/\ | > | <--*-->:camera won't stop a |monitor, or under your keyboard, you \/|\/ | > | /|\ :masked killer, but |don't email them, or put them on a web \|/ | > | + v + :will violate privacy|site, and you must change them very often. | > | --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------ | > | | > | On Fri, 30 Nov 2001, Adam Shostack wrote: | > | | > | > On Fri, Nov 30, 2001 at 12:14:13PM -0800, Wei Dai wrote: | > | > | On Thu, Nov 29, 2001 at 07:53:02PM -0800, georgemw@speakeasy.net wrote: | > | > | > Even this is not a scalar. Since reputation cannot be bought | > | > | > and sold, the idea that it is worth a specific well defined amount is | > | > | > false. | > | > | | > | > | If you own a nym, you can easily sell its reputation. Just give the | > | > | private key to the buyer. | > | > | > | > How does the buyer ensure that I haven't kept a copy? If what I'm | > | > selling is a nym, then without the nym, I am anonymous. Adding layers | > | > of nymity for reputation with partial disclosure seems a complex and | > | > failure-prone approach. | > | > | > | > Adam | > | > | > | > -- | > | > "It is seldom that liberty of any kind is lost all at once." | > | > -Hume | > | > -- | > "It is seldom that liberty of any kind is lost all at once." | > -Hume | > | > | > -- "It is seldom that liberty of any kind is lost all at once." -Hume
-----BEGIN PGP SIGNED MESSAGE----- At 1:19 PM -0500 on 12/1/01, Adam Shostack wrote:
Right. Now the seller has the cash, and the buyer has nothing. The seller has lost only the future value of the nym, which was presumably accounted for in the price. The seller loses no "real" reputation, because the nym can't be tied back to the is-a-person seller. The buyer, meanwhile, is out the price of the nym, and must either destroy the nym in order to ensure that the seller actually loses all that value, or accept damaged goods.
So, why would a buyer agree to such a transaction, where he will remain at the mercy of the seller?
I look at nyms as a contingent claim on some asset, which should be handled just as any other security. Certainly you can destroy the value of a nym, just like you can any real property, but it might be better not to do that. I agree with something that Wei Dai said a long time ago that any nym would only be worth it's ability to control some independantly-verified asset, though, which, frankly, is as it should be when you think about it. Just to sort of thrash things a bit, in a capital markets transaction, an exchange isn't such a hard thing to do, in the sense that a secondary bearer-form asset transaction (primary is like an IPO, or, for cash, a collateral asset conversion like an ATM transaction), cash for bond, say, would require the participation of the underwriters in the exchange protocol. viz, with apologies for my ascii art, Uc /\|\ / | \ / | \ / | \ / | \/ Bb<========>Sb /\ | / \ | / \ | / \ | / \ |\/ Ub Uc = Underwriter of cash Bb = Buyer of bond Sb = Seller of bond Ub = Underwriter of bond At primary issuance, a trustee is involved, so, that probably supervises the Underwriter, who ever it is owns the underwriting engine. The above should hold for all kinds of unique, uncopyable things, teleoperated surgery, or opinions, for instance. I expect, for physical goods, some variant of this model holds, because there's someone responsible for the physical supervision of a given asset with a net-based audit/authentication of that supervision of some kind, signed video, or whatever. For "software", in the Gary Becker sense of something that can be copied, all we're really looking for is something which authenticates that a given copy of an information good is in fact signed by the person proported to be the "author" of that information/content/code. Coupled with a decent third-party time-signature mechanism, you're fine, because, after the first copy, such a good is a purely fungible commodity ala Hughes' "Institutional Piracy", or the Agoric guys' "digital silk road", or my "recursive geodesic auction" stuff. Such situations are classic examples of so-called "perfect competition", as found in physical graded-commodity markets everywhere. So, if we're looking at case 1, where there's a uniquely identified digital good, like a financial instrument, we're covered enough for a market to function because the underwriter supervises the transaction, and the trustee/custodian supervises the underwriter. Collusion gets harder with more conspirators, which we all know from our first year accounting class. If you exhaust the prices of the transaction by selling that data sans participants, but with a sufficiently granular time stamp, that would probably complete whatever control loops are needed to make the transaction safe. If we're doing signed but fungible digital good, we're covered because we're looking for something that other people have and you're purchasing based on (probably multiple) published opinion, including a digital signature of the good in question. Finally, if you're doing a physical good with a digital title in bearer form, you can, of course, look at the thing in the warehouse, or in transit, or whatever. There. How's that sound? Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQEVAwUBPAk9wcUCGwxmWcHhAQEY1QgAmjb2Uf7Ys4sNxgtoFRi7Pd18tz3szvQV DEeub8u1B7rNmc+CGBIcgz4xBn0axjVFpD2T1BNm6Xccs8DAqKb/DffiI8A8f7ZF ILeRogf2gTUA9yirmvVf1SIS90J7j+LzFLbleaqx7AngYWQxurqdUWOqlofrjqs1 CHiSRj889fdQ9l1qRBcbDkEHhzR/dSqHyzLYmwm1BurJeQdBfwWZ7yUtLbrsWr/1 EqJVkKlwY4zzJTqdstw72zITSv5lGqDKg5yZtV2c+J1Zcu4V57GCImCwqRMPDcKh bY0WGCZDhYgRUQaH8TFLeaxxIEPSQAP4/rRq4hNaVO1AYI9TV38QCg== =ccef -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Sat, Dec 01, 2001 at 03:30:09PM -0500, R. A. Hettinga wrote: | -----BEGIN PGP SIGNED MESSAGE----- | | At 1:19 PM -0500 on 12/1/01, Adam Shostack wrote: | | | > Right. Now the seller has the cash, and the buyer has nothing. | > The seller has lost only the future value of the nym, which was | > presumably accounted for in the price. The seller loses no "real" | > reputation, because the nym can't be tied back to the is-a-person | > seller. The buyer, meanwhile, is out the price of the nym, and | > must either | > destroy the nym in order to ensure that the seller actually loses | > all that value, or accept damaged goods. | > | > So, why would a buyer agree to such a transaction, where he will | > remain at the mercy of the seller? | | I look at nyms as a contingent claim on some asset, which should be | handled just as any other security. Certainly you can destroy the | value of a nym, just like you can any real property, but it might be | better not to do that. I agree with something that Wei Dai said a | long time ago that any nym would only be worth it's ability to | control some independantly-verified asset, though, which, frankly, is | as it should be when you think about it. In which case, you might be better off transferring the asset, rather than the nym. | Just to sort of thrash things a bit, in a capital markets | transaction, an exchange isn't such a hard thing to do, in the sense | that a secondary bearer-form asset transaction (primary is like an | IPO, or, for cash, a collateral asset conversion like an ATM | transaction), cash for bond, say, would require the participation of | the underwriters in the exchange protocol. Yeah, mature markets solve problems. How to create a mature market is a question that apparently can't be solved for all the tea in China, or all the oil in Russia. Not that I think the solution is all that hard; reading Smith, Hayek, Friedman, Nozick and some other smart people gives you a very clear map, but the folks with the guns over there still haven't read Olsen's last book (thanks), where he explains that thugs do better to let the economy grow than to take all the money at once. Something about the first hundred names in the Cambridge phone book springs to mind. | Just to sort of thrash things a bit, in a capital markets | transaction, an exchange isn't such a hard thing to do, in the sense | that a secondary bearer-form asset transaction (primary is like an | IPO, or, for cash, a collateral asset conversion like an ATM | transaction), cash for bond, say, would require the participation of | the underwriters in the exchange protocol. [...] | At primary issuance, a trustee is involved, so, that probably | supervises the Underwriter, who ever it is owns the underwriting | engine. The above should hold for all kinds of unique, uncopyable | things, teleoperated surgery, or opinions, for instance. A nym is none of these. | I expect, for physical goods, some variant of this model holds, | because there's someone responsible for the physical supervision of a | given asset with a net-based audit/authentication of that supervision | of some kind, signed video, or whatever. Or these. | For "software", in the Gary Becker sense of something that can be | copied, all we're really looking for is something which authenticates | that a given copy of an information good is in fact signed by the | person proported to be the "author" of that information/content/code. | Coupled with a decent third-party time-signature mechanism, you're | fine, because, after the first copy, such a good is a purely fungible | commodity ala Hughes' "Institutional Piracy", or the Agoric guys' | "digital silk road", or my "recursive geodesic auction" stuff. Such | situations are classic examples of so-called "perfect competition", | as found in physical graded-commodity markets everywhere. So here's the rub. A nym (as I'm using the term) is control over a private key thats associated with some reputation, which Alice is trying to sell to Bob. Alice can not provide direct assurance that she won't keep copies of the thing she's selling. Through intermediaries, Bob can buy some insurance that the revocation games Alice can play are limited. How valuable that insurance is depends on the trustworthiness of the intermediaries, how likely the reliant parties are to properly check signatures, and the value of social engineering in a field where process issues are not yet well understood. (See also http://www.seifried.org/security/articles/20011023-devil-in-details.html ) There might be a relationship here to the sale of music bits; the RIAA is all worked up over issues of how do they sell the same bits over and over. If you can answer the question of "How to sell a set of bits exactly once?" you may be able to answer the question "How to ensure that I don't keep a copy of those bits?" or "How do I sell a million people copies of the same bits without them transferring them around." The problems are not identical, but some of the same sorts of solutions may help. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
-----BEGIN PGP SIGNED MESSAGE----- At 6:17 PM -0500 on 12/2/01, Adam Shostack wrote:
In which case, you might be better off transferring the asset, rather than the nym.
Pretty much. Except that a nym may hold more than one asset, and might be easier to transfer than all the other stuff is. Take a look at the arguments for unification of currencies that preceded the creation of the Euro, and, more properly, something from the early 1980's called "New Monetary Economics", advocated by people like Eugene Fama (efficient market hypothesis) and Fisher Black (Black-Scholes option pricing calculations) which argued the opposite, that as computation increased, "numeraires", like the pound or the dollar, could be de-coupled from the assets that they were barter-proxies for. You may be right, though. Only when we do it will we actually find out.
Yeah, mature markets solve problems. How to create a mature market is a question that apparently can't be solved for all the tea in China, or all the oil in Russia.
Maybe, but even immature markets have to make money or they're killed in their cribs. My favorite analogy is how bugs learned to fly, which, if you remember your PBS science shows, evolved from skittering across the surfaces of ponds...
Not that I think the solution is all that hard; reading Smith, Hayek, Friedman, Nozick and some other smart people gives you a very clear map, but the folks with the guns over there still haven't read Olsen's last book (thanks), where he explains that thugs do better to let the economy grow than to take all the money at once.
I don't think so. The ones who fail, like the Taliban, keep getting shot to encourage the others, right? Again, immature markets, including monopolies for force have to make money or they're killed in their cribs. Three orders of magnitude, and all that? :-).
| Just to sort of thrash things a bit, in a capital markets | transaction, an exchange isn't such a hard thing to do, in the | sense that a secondary bearer-form asset transaction (primary is | like an IPO, or, for cash, a collateral asset conversion like an | ATM | transaction), cash for bond, say, would require the participation | of the underwriters in the exchange protocol. [...] | At primary issuance, a trustee is involved, so, that probably | supervises the Underwriter, who ever it is owns the underwriting | engine. The above should hold for all kinds of unique, uncopyable | things, teleoperated surgery, or opinions, for instance.
A nym is none of these.
I'm not so sure. If you create a nym as a unique entity which has control of keys which control assets, the word "unique" points to bearer-instrument protocol of some kind. A stock-exchange seat comes to mind. You don't want to sell multiple copies of a key, for instance, at least for lots of interesting uses. Which brings to mind the idea of a contingent claim, a derivative, for those of you in Palm Beach County. That points to protocols like Juels and Jakobssons's XCash, in which an executable itself, paying attention to signed inputs and capable of exercising control of an asset, is blinded and transferred around in a unique fashion, but I'm not sure how something would used exactly in the case of a nym. Clearly, once you have control of the nym, the nym can do anything it wants, but, I expect that most behavior involving other assets will be monitored by others in some fashion. I'm not saying government, of course, because they aren't efficient enough. But markets happen when people agree on certain kinds of behavior between themselves, and someone ends up ejudicating that behavior. The crypto-anarchic escrow agent comes to mind, for instance.
| I expect, for physical goods, some variant of this model holds, | because there's someone responsible for the physical supervision | of a given asset with a net-based audit/authentication of that | supervision of some kind, signed video, or whatever.
Or these.
Agreed.
| For "software", in the Gary Becker sense of something that can be | copied, all we're really looking for is something which | authenticates that a given copy of an information good is in fact | signed by the person proported to be the "author" of that | information/content/code. Coupled with a decent third-party | time-signature mechanism, you're fine, because, after the first | copy, such a good is a purely fungible commodity ala Hughes' | "Institutional Piracy", or the Agoric guys' "digital silk road", | or my "recursive geodesic auction" stuff. Such situations are | classic examples of so-called "perfect competition", as found in | physical graded-commodity markets everywhere.
So here's the rub. A nym (as I'm using the term) is control over a private key thats associated with some reputation, which Alice is trying to sell to Bob. Alice can not provide direct assurance that she won't keep copies of the thing she's selling.
Which means, you need a different protocol for selling them. I think you walked away too soon from the idea of a nym as a financial instrument, a contingent claim of some kind. Title to assets, at the very least, plus or minus "goodwill", for lack of a better word. I *think* it's part of the definition of a firm, in the Coasean sense of a collection of assets that are worth more together because they can transfer the value of those assets for more competitive advantage internally than the firm gets if those assets are sold into the market directly.
Through intermediaries, Bob can buy some insurance that the revocation games Alice can play are limited.
See, you're talking about finance already :-). Insurance is a contingent claim on assets based on external events. Remember how they called program trading of various derivatives "portfolio insurance" once apon a market crash?
How valuable that insurance is depends on the trustworthiness of the intermediaries, how likely the reliant parties are to properly check signatures, and the value of social engineering in a field where process issues are not yet well understood. (See also http://www.seifried.org/security/articles/20011023-devil-in-details. html)
Say 'amen', somebody...
There might be a relationship here to the sale of music bits; the RIAA is all worked up over issues of how do they sell the same bits over and over. If you can answer the question of "How to sell a set of bits exactly once?" you may be able to answer the question "How to ensure that I don't keep a copy of those bits?" or "How do I sell a million people copies of the same bits without them transferring them around."
First of all, I think that music shouldn't be copy controlled, because it's "software", in the pure Beckerian sense of something that can be copied, and, on the net it can be copied for almost nothing, something that probably makes Coase smile, somewhere, which was my point about commodity markets for information. The part about selling something once is what Chaum did already with DigiCash. The mint keeps a copy of the first "note", and, if another one crosses the transom, the key of the counterfeiter is revealed. Anyone who takes the cash offline, without the participation of the underwriter, deserves what he gets if the cash is double-spent, right? I think the apparatus for selling nyms is there already. Like I said before, all we need is an exchange protocol, something, like price discovery, has already been solved by lots of people (Micali has one, for instance, though I'm not sure how good it is because I'm not qualified to examine it), so we just have to find the best one. Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQEVAwUBPArNPcUCGwxmWcHhAQHpGgf/cDMZz2gDnP92nr81OhTQI4jaMsBzWJBx v6EJRGPRFeGDADrxqimpgnlEgfd2R64lUkrFTXm1gKUYgnIITPDlhDHGRoOXG2PL BOzkVVbFcnAzHsgKcHzvQAyoxjebMYxb2ZIzlY/wbC9eeY4J8A7PcJnyf4qPOVAN BAcOaLorcPWN97WDJvIzfvyYnVSTLSV1MfdgSBAdiPB0bf+cVCzKp0Gv/noYyU35 VKYbUtU8sLjoebQAxqMF4/qNTZdvsfcPXKR+4nJ4ofygIKCEoZN/qXrOjv1RqEy0 WZcbSEtW6BTSubAVdHvywDxCqNNYZEF6pfxSh3rh44ORRtxI7lF1JA== =mA6i -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Sun, Dec 02, 2001 at 07:54:43PM -0500, R. A. Hettinga wrote: | > | Just to sort of thrash things a bit, in a capital markets | > | transaction, an exchange isn't such a hard thing to do, in the | > | sense that a secondary bearer-form asset transaction (primary is | > | like an IPO, or, for cash, a collateral asset conversion like an | > | ATM | > | transaction), cash for bond, say, would require the participation | > | of the underwriters in the exchange protocol. | > [...] | > | At primary issuance, a trustee is involved, so, that probably | > | supervises the Underwriter, who ever it is owns the underwriting | > | engine. The above should hold for all kinds of unique, uncopyable | > | things, teleoperated surgery, or opinions, for instance. | > | > A nym is none of these. | | I'm not so sure. If you create a nym as a unique entity which has | control of keys which control assets, the word "unique" points to | bearer-instrument protocol of some kind. A stock-exchange seat comes | to mind. You don't want to sell multiple copies of a key, for | instance, at least for lots of interesting uses. What is the unique entity seperate from its key? You can't have a pen legally controlling your stock exchange seat, so how can a keypair? You can use a keypair to show control (like a chop), but I'm unaware of anywhere the instrument is considered to have control. | | > | For "software", in the Gary Becker sense of something that can be | > | copied, all we're really looking for is something which | > | authenticates that a given copy of an information good is in fact | > | signed by the person proported to be the "author" of that | > | information/content/code. Coupled with a decent third-party | > | time-signature mechanism, you're fine, because, after the first | > | copy, such a good is a purely fungible commodity ala Hughes' | > | "Institutional Piracy", or the Agoric guys' "digital silk road", | > | or my "recursive geodesic auction" stuff. Such situations are | > | classic examples of so-called "perfect competition", as found in | > | physical graded-commodity markets everywhere. | > | > So here's the rub. A nym (as I'm using the term) is control over a | > private key thats associated with some reputation, which Alice is | > trying to sell to Bob. Alice can not provide direct assurance that | > she won't keep copies of the thing she's selling. | | Which means, you need a different protocol for selling them. I think | you walked away too soon from the idea of a nym as a financial | instrument, a contingent claim of some kind. Title to assets, at the | very least, plus or minus "goodwill", for lack of a better word. I | *think* it's part of the definition of a firm, in the Coasean sense | of a collection of assets that are worth more together because they | can transfer the value of those assets for more competitive advantage | internally than the firm gets if those assets are sold into the | market directly. Nyms don't have assets. People and legal fictions have assets. | > Through intermediaries, Bob can buy some insurance that the | > revocation games Alice can play are limited. | | See, you're talking about finance already :-). Insurance is a | contingent claim on assets based on external events. Remember how | they called program trading of various derivatives "portfolio | insurance" once apon a market crash? All men are Socrates. I can buy insurance against the value of things without needing to allow those things to own other things. For example, I have this fine diamond ring, which is insured. I have this fine .jpg of Bill and Monica, which is not insurable, because it is copyable. Neither my diamond ring, nor my jpg, may own property. | > How valuable that insurance is | > depends on the trustworthiness of the intermediaries, how likely | > the reliant parties are to properly check signatures, and the value | > of social engineering in a field where process issues are not yet | > well understood. (See also | > http://www.seifried.org/security/articles/20011023-devil-in-details. | > html) | | Say 'amen', somebody... | | > There might be a relationship here to the sale of music bits; the | > RIAA is all worked up over issues of how do they sell the same | > bits over and over. If you can answer the question of "How to sell | > a set of bits exactly once?" you may be able to answer the question | > "How to ensure that I don't keep a copy of those bits?" or "How do | > I sell a million people copies of the same bits without them | > transferring them around." | | First of all, I think that music shouldn't be copy controlled, | because it's "software", in the pure Beckerian sense of something | that can be copied, and, on the net it can be copied for almost | nothing, something that probably makes Coase smile, somewhere, which | was my point about commodity markets for information. So, how does music differ from a key? Its all bits, and those bits are easier to create than musical bits. | The part about selling something once is what Chaum did already with | DigiCash. The mint keeps a copy of the first "note", and, if another | one crosses the transom, the key of the counterfeiter is revealed. | Anyone who takes the cash offline, without the participation of the | underwriter, deserves what he gets if the cash is double-spent, | right? | | I think the apparatus for selling nyms is there already. Like I said | before, all we need is an exchange protocol, something, like price | discovery, has already been solved by lots of people (Micali has one, | for instance, though I'm not sure how good it is because I'm not | qualified to examine it), so we just have to find the best one. And why can't we apply those to music? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
participants (2)
-
Adam Shostack
-
R. A. Hettinga