-----BEGIN PGP SIGNED MESSAGE----- At 1:19 PM -0500 on 12/1/01, Adam Shostack wrote:

Right. Now the seller has the cash, and the buyer has nothing. The seller has lost only the future value of the nym, which was presumably accounted for in the price. The seller loses no "real" reputation, because the nym can't be tied back to the is-a-person seller. The buyer, meanwhile, is out the price of the nym, and must either destroy the nym in order to ensure that the seller actually loses all that value, or accept damaged goods.

So, why would a buyer agree to such a transaction, where he will remain at the mercy of the seller?

I look at nyms as a contingent claim on some asset, which should be handled just as any other security. Certainly you can destroy the value of a nym, just like you can any real property, but it might be better not to do that. I agree with something that Wei Dai said a long time ago that any nym would only be worth it's ability to control some independantly-verified asset, though, which, frankly, is as it should be when you think about it. Just to sort of thrash things a bit, in a capital markets transaction, an exchange isn't such a hard thing to do, in the sense that a secondary bearer-form asset transaction (primary is like an IPO, or, for cash, a collateral asset conversion like an ATM transaction), cash for bond, say, would require the participation of the underwriters in the exchange protocol. viz, with apologies for my ascii art, Uc /\|\ / | \ / | \ / | \ / | \/ Bb<========>Sb /\ | / \ | / \ | / \ | / \ |\/ Ub Uc = Underwriter of cash Bb = Buyer of bond Sb = Seller of bond Ub = Underwriter of bond At primary issuance, a trustee is involved, so, that probably supervises the Underwriter, who ever it is owns the underwriting engine. The above should hold for all kinds of unique, uncopyable things, teleoperated surgery, or opinions, for instance. I expect, for physical goods, some variant of this model holds, because there's someone responsible for the physical supervision of a given asset with a net-based audit/authentication of that supervision of some kind, signed video, or whatever. For "software", in the Gary Becker sense of something that can be copied, all we're really looking for is something which authenticates that a given copy of an information good is in fact signed by the person proported to be the "author" of that information/content/code. Coupled with a decent third-party time-signature mechanism, you're fine, because, after the first copy, such a good is a purely fungible commodity ala Hughes' "Institutional Piracy", or the Agoric guys' "digital silk road", or my "recursive geodesic auction" stuff. Such situations are classic examples of so-called "perfect competition", as found in physical graded-commodity markets everywhere. So, if we're looking at case 1, where there's a uniquely identified digital good, like a financial instrument, we're covered enough for a market to function because the underwriter supervises the transaction, and the trustee/custodian supervises the underwriter. Collusion gets harder with more conspirators, which we all know from our first year accounting class. If you exhaust the prices of the transaction by selling that data sans participants, but with a sufficiently granular time stamp, that would probably complete whatever control loops are needed to make the transaction safe. If we're doing signed but fungible digital good, we're covered because we're looking for something that other people have and you're purchasing based on (probably multiple) published opinion, including a digital signature of the good in question. Finally, if you're doing a physical good with a digital title in bearer form, you can, of course, look at the thing in the warehouse, or in transit, or whatever. There. How's that sound? Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQEVAwUBPAk9wcUCGwxmWcHhAQEY1QgAmjb2Uf7Ys4sNxgtoFRi7Pd18tz3szvQV DEeub8u1B7rNmc+CGBIcgz4xBn0axjVFpD2T1BNm6Xccs8DAqKb/DffiI8A8f7ZF ILeRogf2gTUA9yirmvVf1SIS90J7j+LzFLbleaqx7AngYWQxurqdUWOqlofrjqs1 CHiSRj889fdQ9l1qRBcbDkEHhzR/dSqHyzLYmwm1BurJeQdBfwWZ7yUtLbrsWr/1 EqJVkKlwY4zzJTqdstw72zITSv5lGqDKg5yZtV2c+J1Zcu4V57GCImCwqRMPDcKh bY0WGCZDhYgRUQaH8TFLeaxxIEPSQAP4/rRq4hNaVO1AYI9TV38QCg== =ccef -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-----BEGIN PGP SIGNED MESSAGE----- At 6:17 PM -0500 on 12/2/01, Adam Shostack wrote:

In which case, you might be better off transferring the asset, rather than the nym.

Pretty much. Except that a nym may hold more than one asset, and might be easier to transfer than all the other stuff is. Take a look at the arguments for unification of currencies that preceded the creation of the Euro, and, more properly, something from the early 1980's called "New Monetary Economics", advocated by people like Eugene Fama (efficient market hypothesis) and Fisher Black (Black-Scholes option pricing calculations) which argued the opposite, that as computation increased, "numeraires", like the pound or the dollar, could be de-coupled from the assets that they were barter-proxies for. You may be right, though. Only when we do it will we actually find out.

Yeah, mature markets solve problems. How to create a mature market is a question that apparently can't be solved for all the tea in China, or all the oil in Russia.

Maybe, but even immature markets have to make money or they're killed in their cribs. My favorite analogy is how bugs learned to fly, which, if you remember your PBS science shows, evolved from skittering across the surfaces of ponds...

Not that I think the solution is all that hard; reading Smith, Hayek, Friedman, Nozick and some other smart people gives you a very clear map, but the folks with the guns over there still haven't read Olsen's last book (thanks), where he explains that thugs do better to let the economy grow than to take all the money at once.

I don't think so. The ones who fail, like the Taliban, keep getting shot to encourage the others, right? Again, immature markets, including monopolies for force have to make money or they're killed in their cribs. Three orders of magnitude, and all that? :-).

| Just to sort of thrash things a bit, in a capital markets | transaction, an exchange isn't such a hard thing to do, in the | sense that a secondary bearer-form asset transaction (primary is | like an IPO, or, for cash, a collateral asset conversion like an | ATM | transaction), cash for bond, say, would require the participation | of the underwriters in the exchange protocol. [...] | At primary issuance, a trustee is involved, so, that probably | supervises the Underwriter, who ever it is owns the underwriting | engine. The above should hold for all kinds of unique, uncopyable | things, teleoperated surgery, or opinions, for instance.

A nym is none of these.

I'm not so sure. If you create a nym as a unique entity which has control of keys which control assets, the word "unique" points to bearer-instrument protocol of some kind. A stock-exchange seat comes to mind. You don't want to sell multiple copies of a key, for instance, at least for lots of interesting uses. Which brings to mind the idea of a contingent claim, a derivative, for those of you in Palm Beach County. That points to protocols like Juels and Jakobssons's XCash, in which an executable itself, paying attention to signed inputs and capable of exercising control of an asset, is blinded and transferred around in a unique fashion, but I'm not sure how something would used exactly in the case of a nym. Clearly, once you have control of the nym, the nym can do anything it wants, but, I expect that most behavior involving other assets will be monitored by others in some fashion. I'm not saying government, of course, because they aren't efficient enough. But markets happen when people agree on certain kinds of behavior between themselves, and someone ends up ejudicating that behavior. The crypto-anarchic escrow agent comes to mind, for instance.

| I expect, for physical goods, some variant of this model holds, | because there's someone responsible for the physical supervision | of a given asset with a net-based audit/authentication of that | supervision of some kind, signed video, or whatever.

Or these.

Agreed.

| For "software", in the Gary Becker sense of something that can be | copied, all we're really looking for is something which | authenticates that a given copy of an information good is in fact | signed by the person proported to be the "author" of that | information/content/code. Coupled with a decent third-party | time-signature mechanism, you're fine, because, after the first | copy, such a good is a purely fungible commodity ala Hughes' | "Institutional Piracy", or the Agoric guys' "digital silk road", | or my "recursive geodesic auction" stuff. Such situations are | classic examples of so-called "perfect competition", as found in | physical graded-commodity markets everywhere.

So here's the rub. A nym (as I'm using the term) is control over a private key thats associated with some reputation, which Alice is trying to sell to Bob. Alice can not provide direct assurance that she won't keep copies of the thing she's selling.

Which means, you need a different protocol for selling them. I think you walked away too soon from the idea of a nym as a financial instrument, a contingent claim of some kind. Title to assets, at the very least, plus or minus "goodwill", for lack of a better word. I *think* it's part of the definition of a firm, in the Coasean sense of a collection of assets that are worth more together because they can transfer the value of those assets for more competitive advantage internally than the firm gets if those assets are sold into the market directly.

Through intermediaries, Bob can buy some insurance that the revocation games Alice can play are limited.

See, you're talking about finance already :-). Insurance is a contingent claim on assets based on external events. Remember how they called program trading of various derivatives "portfolio insurance" once apon a market crash?

How valuable that insurance is depends on the trustworthiness of the intermediaries, how likely the reliant parties are to properly check signatures, and the value of social engineering in a field where process issues are not yet well understood. (See also http://www.seifried.org/security/articles/20011023-devil-in-details. html)

Say 'amen', somebody...

There might be a relationship here to the sale of music bits; the RIAA is all worked up over issues of how do they sell the same bits over and over. If you can answer the question of "How to sell a set of bits exactly once?" you may be able to answer the question "How to ensure that I don't keep a copy of those bits?" or "How do I sell a million people copies of the same bits without them transferring them around."

First of all, I think that music shouldn't be copy controlled, because it's "software", in the pure Beckerian sense of something that can be copied, and, on the net it can be copied for almost nothing, something that probably makes Coase smile, somewhere, which was my point about commodity markets for information. The part about selling something once is what Chaum did already with DigiCash. The mint keeps a copy of the first "note", and, if another one crosses the transom, the key of the counterfeiter is revealed. Anyone who takes the cash offline, without the participation of the underwriter, deserves what he gets if the cash is double-spent, right? I think the apparatus for selling nyms is there already. Like I said before, all we need is an exchange protocol, something, like price discovery, has already been solved by lots of people (Micali has one, for instance, though I'm not sure how good it is because I'm not qualified to examine it), so we just have to find the best one. Cheers, RAH -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQEVAwUBPArNPcUCGwxmWcHhAQHpGgf/cDMZz2gDnP92nr81OhTQI4jaMsBzWJBx v6EJRGPRFeGDADrxqimpgnlEgfd2R64lUkrFTXm1gKUYgnIITPDlhDHGRoOXG2PL BOzkVVbFcnAzHsgKcHzvQAyoxjebMYxb2ZIzlY/wbC9eeY4J8A7PcJnyf4qPOVAN BAcOaLorcPWN97WDJvIzfvyYnVSTLSV1MfdgSBAdiPB0bf+cVCzKp0Gv/noYyU35 VKYbUtU8sLjoebQAxqMF4/qNTZdvsfcPXKR+4nJ4ofygIKCEoZN/qXrOjv1RqEy0 WZcbSEtW6BTSubAVdHvywDxCqNNYZEF6pfxSh3rh44ORRtxI7lF1JA== =mA6i -----END PGP SIGNATURE----- -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'