Re: Chaum steps down as CEO of Digicash
At 1:53 pm -0400 on 4/28/97, Hal Finney wrote:
Chaum's orientation towards privacy has not been well accepted by the conservative banking community (a similar point was made by Peter Swire in his article about payments and anonymity).
Again, financial privacy is like flight. To the people who invented it, flight was an inherent good. People died trying to create it. However, the thing which made flight commonplace was commerce. Flying is not only the fastest way for people and other important things to get somewhere, but, over great distances, it is simply the cheapest way for people to travel. People don't purchase "wow, we can fly". They purchase economy seats to Cleveland. :-). The same thing with financial cryptography, and, by extension, strong cryptography in general. What will sell financial cryptography is not financial privacy per se. What will sell financial cryptography is the fact that digital bearer certificate protocols will prove, by virtue of their very *anonymity*, to be many orders of magnitude cheaper to use than any internet transaction method of equal security. Or any transaction method at all, for that matter. Including, of course, the book-entry transaction settlement methods (like checks, credit cards, securities clearinghouses, interbank settlement) we use today. It is under *that* proposition alone, the potential for radical cost reduction in *all* transaction settlement processes -- and the prospect for radical economic transformation that that brings -- that the blind signature patent should be marketed and licensed. Notice I said "licensed". Cryptographers -- and that is who Digicash is, nothing else, no matter how hard they try to be otherwise -- should invent, license, and validate the use of cryptographic protocols. And, clearly, there is no better financial cryptographer in the world than David Chaum, the man who created, from whole cloth, everything we consider to be modern financial cryptography. Digicash should not try to be a financial trustee, or a certificate underwriter, or even a software developer. All three things Digicash, BV, has tried to be in its many previous incarnations. Now, it appears, Digicash, Inc., is going to try to become the internet equivalent of a credit card association. However, once you understand what Digicash's strengths really are, you can see why this current strategy is just the next progression in, I'm sorry to say, the fool's market that Digicash, Inc., has become in terms of investment return. So, you can understand how, sometimes, I'm very much afraid we'll have to wait until this round of funding is burned through -- say 3 to 5 years -- before we see any progress in the market for digital bearer certificates. And, if Digicash keeps finding a "greater fool" when the money runs out, we'll end up waiting until 2007, the expiration date on the blind signature patent, in order for anything to happen at all. Yet, most of rest of the time, however, I'm not so pessimistic. I'm convinced that if Digicash starts non-exclusive licensing of the blind signature patent, and the other relevant Chaum patents it now controls, even as an experiment, I expect that they would very soon find that their profit margins on those licenses would dwarf the profits on all their other projects. Maybe then they'll realize they should stop trying to be something else, and be what they what they have been all along: the very best financial cryptographers in the world. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/
On Tue, 29 Apr 1997, Robert Hettinga wrote:
At 1:53 pm -0400 on 4/28/97, Hal Finney wrote:
Chaum's orientation towards privacy has not been well accepted by the conservative banking community (a similar point was made by Peter Swire in his article about payments and anonymity).
Having worked for DigiCash for more than one year before giving up on them due to persistent billing problems, I can assure you that the privacy features of Ecash have *nothing* to do with the failure of Ecash in the marketplace. The blame for the failure of Ecash rests squarely and exclusively with DigiCash's management. --Lucky
At 1:54 pm -0400 on 4/29/97, Tim May wrote:
At 6:19 AM -0800 4/29/97, Robert Hettinga wrote:
And, if Digicash keeps finding a "greater fool" when the money runs out, we'll end up waiting until 2007, the expiration date on the blind signature patent, in order for anything to happen at all.
Recall that there are at least two major bypasses of the blind signature patent: the Doug Barnes "identity agnostic" approach and the Ian Goldberg work on moneychangers and "everyone a mint."
I certainly wasn't ignoring these guys. I suppose if you're going to be issuing certificates in, holding the money in trust for, or even writing commercial software for some kind of digital bearer certificate market, it would probably be a good idea not to fight off lawsuits all the time from the acknowleged patent holder, whether or not they're justified. Of course there's the counterexample in aviation of Curtiss, who fought off the Wright brothers for years to great effect, after fairly outright patent theft.
I happen to agree that Chaum is the pioneer of much that we consider core Cypherpunks technology. And I wish him well and hope he someday recoups his investments in Digicash and ends up making money. But I agree with Bob's points about the mistakes Digicash has made...and this is not some opinion I have come to in hindsight: I, and others, expressed these views several years ago.
I really didn't understand this myself until maybe two years ago, when I applied the physical bearer certificate model to a hypothetical market for digital bearer certificates. The whole problem crystallizes when you look at it that way. In that context, Digicash is more like the Crane paper company, or better, the folks who invent the doodlers and stuff to make very complex intaglio printing possible, not even the press manufacturer. Certainly very necessary technology, in fact the defining technology, but not quite sufficient by itself to create a market. ;-).
(One such expression was in an article I did a few years ago about how software patents are instrinsically poorly "metered." <snip> The situation is vastly different with software patents, and this is holding back such innovations. I have no real solution, except to simply advocate "liberation" of such things...if it can't be protected without an intrusive police state, screw the supposed property rights. Schelling points, David Post's "code," and all that...sorry for the elliptic (not curve) references.)
Oddly enough, it's quite possible to have perfectly pseudonymous digital bearer certificate markets where the protocol inventor is fairly compensated for inventing the protocol. The key is to use the trustee as the policeman of the market, the place where the meter "clicks". Since the exchange of certificates into other kinds of money (be it other certificates, book-entries, or commodities of some kind) must go through the trustee at some point, the trustee can, as part of the trust agreement with the holders of the certificates, give some share of transaction fee or interest income to the protocol designer, in addition to what is paid to the underwriter. The trustee is renting their reputation to the transaction process anyway, so it is the best entity to increment the meter fairly on the designer's behalf. Look, Ma, no nation-state! Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/
At 5:35 pm -0400 on 4/29/97, Tim May wrote:
This is really for patent lawyers to argue,
Indeed, which is my point. If the patent lawyers are arguing, life is hard for anyone trying to make money with the technology the patents allegedly cover. Kind of like those "SLAPP" suits companies like to throw at "activists". Remember PRZ? Same shit, different day. Economically, anyway.
"Contributory infringement" is one possible avenue of going after such systems which bypass Chaum's patents, but this is a complicated issue.
See above. :-).
I would guess that Chaum is also planning to try to get more comprehensive patents covering the "entire system" of using digital cash in financial transactions. Bad as software patents usually are, this trend is even worse.
Say amen, somebody. I personally think software patents are useless in the long run, but they're still bad for business in the meantime. In which meantime, until we can nonrepudiably pay people who invent financial crypto protocols without the intervention of the nation-state, we need to live with said patents.
For the desired market for digital cash, that of black market and anarchistic transactions, ignoring the patents seems an obvious choice. For the hoity-toity bankers, they'll probably avoid such things completely.
There are lots of other "desired" transactions for digital bearer certificates besides digital cash for black markets. Everything from "collectables" (no accounting for taste, I suppose), to any current financial instrument (and a few we haven't dreamed up yet), to micromoney for those micromoney "mitochondria" I rant so much about. All of them will be extremely economical because they're untraceable and still negotiable. Nonrepudiable without the "assistance" of a nation-state. Remember, proto-wings were evolved by pond-skimming insects so they could skim across ponds faster. Eventually, when those proto-wings evolved into actual wings, flying insects didn't need ponds anymore. With that idea in mind, digital bearer certificates are going to have to interface with the book entry world of meatspace for a while, in order to be convertable into other assets. Eventually, at some point, those assets won't be book-entries anymore. <sfx: "slap!"> > I know which side I'm on, but I'm not sure which side Bob is on. </sfx> Bob just wants to make a buck. Something you don't have to worry about any more about, anymore, Tim. <he said, rubbing the red spot on his cheek...> The point is, if it makes money it'll happen. If it doesn't make money, it won't. Reality is not optional. Nation states are so powerful, requiring the invention of strong cryptography to save us from their totalarian excressance, because they can take our money at gunpoint. The reason they can is because money can be traced, either in physical form, or lately, in electronic book-entry form. The reason it can be traced is because our economic system physically requires a nation state to enforce any repudiation of its transaction protocols. To punish fraud, in other words. Financial cryptography saves us from the nation state not just because it hides information about ourselves, but because it out-competes the old book entry transaction system, especially in terms of non-repudiation. It outcompetes the old system on it's own turf. Which means, of course, in banks. "Hoity-toity" or otherwise. Think about it this way. Personal computers didn't really start to kill mainframes until they were networked into mainframes and could hoover data out of them with impunity, and out-process the information. Excel killed 123 that much quicker because it could read .WK1 files transparently, macros and all, and then do much more with it. Soon, this upcoming "protocol conversion", between the net world of bearer certificates and the meatspace world of book-entries, will be done by a financial trustee. A trustee which will be, for all intents an purposes, and certainly in the earlest stages of a digital bearer certificate infrastructure, a bank. The hoity-toitier, the better, because they have the best reputation to rent to transactions on the net. So, that means avoiding unpleasantneess, like "cutting out" transactions on the net from a bank's shareholders by having a bunch of separate entities, underwriters in other words, marketing and validating the actual certificate transactions. That keeps Mrs. Grundy from standing up in the bank's boardroom one afternoon and cancelling all the net.porno operators' accounts, because they don't have accounts in the bank. The underwriters do, and they underwrite certificates for thousands of customers apiece, customers the underwriters don't even have know, because the trustee is blindly passing those ATM and wire transactions to the right banking correspondents on those networks, who in turn validate their customers against their account base. Anyway, getting back to the point, "avoiding unpleasantness" also means not having patent lawyers sue those very essential "hoity-toity" trustee banks for rediculous reasons, like patent infringement, actual or not. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/
Robert Hettinga <rah@shipwright.com> writes:
Remember, proto-wings were evolved by pond-skimming insects so they could skim across ponds faster. Eventually, when those proto-wings evolved into actual wings, flying insects didn't need ponds anymore. With that idea in mind, digital bearer certificates are going to have to interface with the book entry world of meatspace for a while, in order to be convertable into other assets. Eventually, at some point, those assets won't be book-entries anymore.
No offense Bob, but your pose takes some reading, too full of metaphors, but I grok what you're saying, and the topic discussed here I find interesting. How about this, rather than interface your ecash system with US dollars yourself through credit cards/ debit cards/ cheques / cash, just set up an entirely disconnected system. You may remember the digicash trial mint. It was monopoly money, theoretically it was worthless. However people were selling freebees for it (the odd T-shirt, cap etc), plus images, programs. Also it was collectable in the sense that there was a limited mint. The unofficial digicash exchange was set up and some transactions took place. People were buying and selling the monopoly money for real money, without digicash having to worry about the legality of the interface to existing payment systems. The black market/ unoffcial market took care of it. Also the internet casino is interesting in relation to this. They accept many payment forms, if they started accepting our "net cash" (net in the sense that it only means anything directly in terms of the net), then you could exchange cash by playing some low rake off game such as roulette. (Just keep betting on black, the commision is the house slot, and you take your chips away in real world currency). The cryptographic requirements for a system such as this would be: 1) anonymous (privacy preserving, payee and payer anonymous 2) distributed (to make it hard to shut down) 3) have some built in scarcity 4) require no trust of any one individual 5) preferably offline (difficult to do with pure software) 6) reusable My ideas so far are hashcash (where the scarcity is related to your processing power). (See http://www.dcs.ex.ac.uk/~aba/hashcash/) However this makes for hyper-inflation because of the rapid increase in CPU power. hashcash is not directly transferable because to make it distributed, each service provider accepts payment only in cash created for them. You could perhaps setup a digicash style mint (with chaumian ecash) and have the bank only mint cash on receipt of hash collisions addressed to it. However this means you've got to trust the bank not to mint unlimited amounts of money for it's own use. So, perhaps you could have multiple banks and let reputation sort them out, if you could arrange the protocols so that it would be apparent if a bank was minting more cash than it had received hash collisions for. (Say by publishing the collisions, and making it possible to publically verify the quantity of cash in circulation). But if you've got multiple banks then you've got to have an exchange mechanism. The market could probably take care of this, setting exchange rates based on banks reputations. However it would be nicer to have something which required no trust and which had no posssibility of cheating rather than relying on reputation to sort them out.
Think about it this way. Personal computers didn't really start to kill mainframes until they were networked into mainframes and could hoover data out of them with impunity, and out-process the information. Excel killed 123 that much quicker because it could read .WK1 files transparently, macros and all, and then do much more with it. Soon, this upcoming "protocol conversion", between the net world of bearer certificates and the meatspace world of book-entries, will be done by a financial trustee.
The problem with anonymous ecash to continue your metaphor is that .WK1 files also happen to be illegal or surrounded by huge amounts of banking regulations. So even though the new system is better the negative forces acting against so far have succeeded in stifling it. One of the negative forces also is user stagnation, people are used to cheques and credit cards, even if they are inefficient and prone to fraud. Adam -- Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
At 5:09 am -0400 on 4/30/97, Adam Back wrote:
No offense Bob, but your pose takes some reading, too full of <vogueing> ^^^^ Freudian slip? </vogue> metaphors,
Consider yourself yet another victim of this philosophy major's penchant for WFFy reason-by-analogizing (Wow. Almost as good as jya there... <jya-as-Elvis>Thankyewverramuch</Elvis>).
but I grok what you're saying, and the topic discussed here I find interesting.
Glad to oblige...
How about this, rather than interface your ecash system with US dollars yourself through credit cards/ debit cards/ cheques / cash, just set up an entirely disconnected system.
Nah. I want to have real money backing it up. Any attempt to make money less negotiable reduces its usefulness. Remember the Soviet Ruble? An extreme example in the opposite direction, surely, but you get the idea.
You may remember the digicash trial mint. It was monopoly money, theoretically it was worthless. However people were selling freebees for it (the odd T-shirt, cap etc), plus images, programs. Also it was collectable in the sense that there was a limited mint.
Yup. Remember, it was Rich Lethin and I who set up ecm@ai.mit.edu, which was a market where those digital cash certificate could be exchanged for cash. Lucky Green sold the first ones, and Mark Grant(?) even put up a web page to simplify things, using the list as a "tickertape" to announce trades. All of which actually proves my point. Because the market actually *did* route around the lack of exchangeability. It's much better, of course, to build exchangeability into a digital bearer certificate market from the outset. Money's supposed to be negotiable, after all. :-). What we have here is more a question of a business model rather than a problem with cryptographic protocol.
However this means you've got to trust the bank not to mint unlimited amounts of money for it's own use.
Right. That's why you have a separate trustee holding the reserve capital. Again, it's using the right business model, and not necessarily cryptography, which makes a market happen. Blind signatures and hash collisions are necessary, but not sufficient, for the market to exist. Anyway, in the first stages, I claim a trustee should be an actual, real, um, "hoity-toity", bank. In the same way that SET and Cybercash and ATM machines "blind" their transactions through the host bank onto a settlement network to the customer's own bank, there can be sufficient blinding of the transaction through the trustee so that the only thing the trustee sees is a confirmation to pay and a settlement wire from the cash purchaser's bank. Of course, at some point, the trustee can just hold other bearer certificates instead of keeping the issuer's reserves in book-entry assets. When there are other bearer certificates to hold, anyway... How you issue those certificates mechanically is not nearly as important as the fact that you *can* issue them uniquely. Ideas like hashcash and micromint work real well for very small transactions, for example, precisely because of the cost to generate the first one in the series, which forces you to print a whole bunch of subsequent ones to pay for the computational resources you've used. However, once again, um, no offense, what cryptographic protocol you use to generate the certificate is the functional equivalent of <analogy-warning> doodling, the process which makes those complex graphic fills on paper currency which were designed to moire up any attempt to photoengrave a certificate copy. </analogy> The point is, you need cryptography for a digital bearer certificate market, but it's not sufficient to create that market.
But if you've got multiple banks then you've got to have an exchange mechanism. The market could probably take care of this, setting exchange rates based on banks reputations.
Exactly. For instance, (hint, hint) if someone were to build Eudora/Netscape/Quicken plugins for FSTC electronic checks, and a plug-and-play deposit server for banks to receive them and convert them into ACH transactions, who says you need the ACH system to settle the checks anymore? All the different bank servers could just clear against themselves on the net at some point, cutting their ACH fees out completely. Someday.
However it would be nicer to have something which required no trust and which had no posssibility of cheating rather than relying on reputation to sort them out.
Actually, I think there is no such thing as finance without reputation. :-). I'd be very interested to see how you can prove otherwise...
The problem with anonymous ecash to continue your metaphor is that .WK1 files also happen to be illegal or surrounded by huge amounts of banking regulations. So even though the new system is better the negative forces acting against so far have succeeded in stifling it.
Nah. Reality is not optional. :-). Ask all the former 30xx COBOL-jocks out there. Remember, crime is orthogonal to technology. Bank robbery (these days, anyway) is an artifact of automobile and firearm technology. The other uses for automobiles are <metaphor-warning> cetacean in comparison to the krill of "automobile crimes" like bank robbery </metaphor>. Firearms, unfortunately, are in the same boat. Like nuclear power, we have bans on guns because we can "afford" to have them. People don't hunt for food anymore. I think that's why heavily populated countries have fewer guns. You don't need them to eat, and even if you did, you'd starve, because all the food was hunted out long ago... BTW, it seems to me that hoplophobia, like innumeracy, is practically a luxury. At least until <analogy-warning> the state shows up at your door in black pajamas and asks you to put on some orange ones of your own for this cool sleepover they're having a few miles out of town </analogy>.
One of the negative forces also is user stagnation, people are used to cheques and credit cards, even if they are inefficient and prone to fraud.
I, for one, think the whole concept of "path dependency" is bunk, but let's not clog the list with discussions of roman wheel ruts, QWERTY keyboards, and the devine right of Windows... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/
Bob Hettinga <rah@shipwright.com> writes:
[metaphors, <html tags> snipped, do you _have_ to :-)]
Adam Back <aba@dcs.ex.ac.uk> writes:
How about this, rather than interface your ecash system with US dollars yourself through credit cards/ debit cards/ cheques / cash, just set up an entirely disconnected system.
Nah. I want to have real money backing it up. Any attempt to make money less negotiable reduces its usefulness. Remember the Soviet Ruble? An extreme example in the opposite direction, surely, but you get the idea.
It's not an attempt to make money less negotiable, though this is of course the effect. It's just another approach to avoiding the banking regulations. As you admit the market will take care of the exchange mechanism, it just adds inconvenience in locating the exchange mechanisms, and the stigma that the mechanisms are not official.
However this means you've got to trust the bank not to mint unlimited amounts of money for it's own use.
Right. That's why you have a separate trustee holding the reserve capital.
So now you get to trust the trustee. Doesn't seem like a big improvement.
Anyway, in the first stages, I claim a trustee should be an actual, real, um, "hoity-toity", bank. In the same way that SET and Cybercash and ATM machines "blind" their transactions through the host bank onto a settlement network to the customer's own bank, there can be sufficient blinding of the transaction through the trustee so that the only thing the trustee sees is a confirmation to pay and a settlement wire from the cash purchaser's bank.
I don't think VISA and friends want anonymous settlement, they like comprehensive transaction logs to keep people like FinCEN happy. You're not suggesting that SET offers anonymity are you? Anyway, I'm not against this initial approach necessarily. Once you've got one non-anonymous electronic payment system with low entry costs to obtaining both a merchant and a purchaser, and is widely accepted, you can boot strap an anonymous payment system off it. The net model is that it should be that a merchant and a customer account are the same, and can be had by filling in a web page in real time. However, aren't they trying to make big bucks out of merchant accounts? Will SET and Cybercash make it easier to be a merchant than it is to be a VISA merchant? Becoming a credit card merchant is a rather onerous expensive, slow process I hear.
Of course, at some point, the trustee can just hold other bearer certificates instead of keeping the issuer's reserves in book-entry assets. When there are other bearer certificates to hold, anyway...
You lost me there. Above you described the trustee's function as holding the ability to issue money to keep the bank honest. What _is_ a bearer certificate in this discussion? A digitally signed share certificate, or other representation of an unit of value? Who issues the bearer certificates? What does possesion of the bearer certificate represent in terms of ownership of assetts?
How you issue those certificates mechanically is not nearly as important as the fact that you *can* issue them uniquely. Ideas like hashcash and micromint work real well for very small transactions, for example, precisely because of the cost to generate the first one in the series, which forces you to print a whole bunch of subsequent ones to pay for the computational resources you've used.
Actually it's micromint which has the threshold function feature through use of k-way hashes, my hash cash is quite simple, and probably impractical to use as a basis for a currency you wished to connect to a real currency. There is a cost of printing hashcash coins, which can be made high (say a weeks CPU for a P100), but basically anyone can mint all the money they have CPU power for. This is interesting for throttling systematic abuse of limited net resources, and combining with a digicash system you could have transferability as well as anonymity. However the stability of the money supply is probably not up to it. It's kind of like allowing anyone to print money, but making it cost them in time only; the resources they already have.
However, once again, um, no offense, what cryptographic protocol you use to generate the certificate is the functional equivalent of <analogy-warning> doodling, the process which makes those complex graphic fills on paper currency which were designed to moire up any attempt to photoengrave a certificate copy. </analogy> The point is, you need cryptography for a digital bearer certificate market, but it's not sufficient to create that market.
You think you can create a digital bearer certificate market on the back of your architecture of issuers, and trustees. I don't see a great difference between this and a traditional bank. How is it going to reduce the per transaction overhead, and how is it in any way distributed. (I presume your term "geodisic" refers to a distributed value transfer system).
But if you've got multiple banks then you've got to have an exchange mechanism. The market could probably take care of this, setting exchange rates based on banks reputations.
Exactly. For instance, (hint, hint) if someone were to build Eudora/Netscape/Quicken plugins for FSTC electronic checks, and a plug-and-play deposit server for banks to receive them and convert them into ACH transactions, who says you need the ACH system to settle the checks anymore? All the different bank servers could just clear against themselves on the net at some point, cutting their ACH fees out completely. Someday.
What is an ACH transaction? A electronic bank clearing protocol? FSTC is Financial Securities Trading... electronic checks? Isn't this going to be just another electronic check, with full transaction log, and associated overhead, banking regulations giving banks enough effective monopoly to charge high handling fees? I don't find electronic checks that interesting. What we want is fully anonymous, ultra low transaction cost, transferable units of exchange. If we get that going (and obviously there are some people trying DigiCash, and a couple of others), the banks will become the obsolete dinasaurs they deserve to become. I think this would be a good outcome, and I'd rather see this happen than see anyone go to any great effort to get the banks involved. Let them stick to electronic "cash" systems (what a misuse of the word) based on credit cards and checks. See how that survives against _real_ distributed electronic cash with transaction costs 10 to 100 times lower, with 0 red tape barriers to entry for both sellers and buyers. This is what I find interesting. The net is becoming more and more important as an mechanism for information exchange in it's own right. This is why I think just cutting the ties with the physical world and having a payment system working now would be interesting. Deployment wins and all that. Hashcash is completely distributed; there is NO bank. You can not forge hash cash, you can not double spend hash cash. You can print as much hashcash as you have CPU time for. You can resell hashcash for real money on an unoffical exchange, or trade hashcash for different services.
However it would be nicer to have something which required no trust and which had no posssibility of cheating rather than relying on reputation to sort them out.
Actually, I think there is no such thing as finance without reputation. :-). I'd be very interested to see how you can prove otherwise...
I don't see any particular inherent reason why an electronic payment protocol can't be designed which requires no trust of the bank; at least it should be possible to arrange it so that the bank minting funds for it's own use will be detected. All you need is that the protocol is publically verifiable. Digicash already prevents double spending through the database of protocoins. Adam -- Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
At 10:07 AM -0700 5/2/97, Robert Hettinga wrote:
Yup. But the neat thing about them is they take pennies to clear, instead of quarters for paper checks. The other thing is, they're peer-to-peer. Credit cards aren't, remember? When was the last time you sold a car or house and took MasterCard in payment. :-).
Carlsen Subaru in Palo Alto has signs in their sales offices notifying people that their agreement with their bank prevents them from taking credit cards in payment for cars. ------------------------------------------------------------------------- Bill Frantz | God could make the world | Periwinkle -- Consulting (408)356-8506 | in six days because he did | 16345 Englewood Ave. frantz@netcom.com | not have an installed base.| Los Gatos, CA 95032, USA
At 11:08 AM -0800 5/3/97, Robert Hettinga wrote:
At 3:10 am -0400 on 5/3/97, Bill Frantz wrote:
Carlsen Subaru in Palo Alto has signs in their sales offices notifying people that their agreement with their bank prevents them from taking credit cards in payment for cars.
Hmmm. The operative concept in my paragraph was "peer-to-peer". I should have put "personally" in the last sentence, in between "you" and "sold", and it would have been much clearer.
By the way, back when I was pond scum in Morgan Stanley's cage in Chicago, American Express Gold Cards had just come out. About the first month they were out, a commodities trader showed up at a local Rolls dealership and offered to pay for a brand new Corniche with one.
The sales manager smiled, said "Yes sir", went to the phone, called Amex, and took the card.
Probably apocryphal, but, hey, it's a great story.
I'm sure things like this happen every day. As I mentioned just several days ago, I bought a Ford Explorer a few years ago and put it on my VISA card. A Corniche costs a few times more, but the principle is the same. How large a purchase a user can put on his card depends on two things: his credit line (and/or issuer policy) and of course the policies of the other party. For some, their limit is $500, maybe even less. For others, like "Gold" or "Platinum" or "Plutonium" card holders, the numbers are much higher. In my case, I can spend up to my maximum margin account borrowing level, currently at about 50% of the value of my margin account (my stocks, investments, etc.). So, I could use my VISA card to buy a geodesic dome in this geodesic economy. Not that I'd want to. --Tim May There's something wrong when I'm a felon under an increasing number of laws. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
Well, the consequence of book-entry transactions, of course, is the interference of the nation-state, because that's your anti-repudiation mechanism. Book-entry banks need nation-states, or force monopolies of somekind, to exist.
I disagree. Book-entry banks need some kind of fairly reliable dispute resolution mechanism, but it doesn't need to be a force monopoly. If you happen to have a nation-state just lying around to be used, banks will be happy to use them, because they're more convenient for wide-area business than Mafia enforcers, probably cheaper, and can be more dependable and predictable, though your mileage may vary. If you have relatively dependable identities, you can run a reputation system without relying on governmental or private violence providers; it's probably less expensive, but also less effective in most communities, so the risk of losing money may make it less attractive than governments. If people know that nobody will take their checks if they bounce them and don't make good, and know they won't get any credit, and know that the merchants are all on the Grapevine, they'll generally be honest*. If identities are fluid, and you're willing to keep creating and burning them, you can sometimes get away with reneging on obligations, but people are less likely to trust you if they don't know you - so they'll want to see certified e-checks from well-known banks. I tend to view book-entry systems as an effect of an economy that uses credit to fund business ventures; you can call the book entries "bonds" or "stocks", but book-entry is the obvious way to keep track of either one. Sure, you could do things like split all revenues on receipt, but book-entry is probably still easier. [*Honest people will generally be honest anyway, which is most people in most cultures, but that doesn't mean they'll be good enough at planning to pay off their loans on time, especially if they're using the money for risky activities such as farming or software development... On the other hand, violence providers aren't always good at extracting payments from people who really don't have the money any more.] # Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp # (If this is a mailing list, please Cc: me on replies. Thanks.)
At 5:37 am -0400 on 5/2/97, Adam Back wrote:
It's not an attempt to make money less negotiable, though this is of course the effect.
Say no more. :-).
It's just another approach to avoiding the banking regulations. As you admit the market will take care of the exchange mechanism, it just adds inconvenience in locating the exchange mechanisms, and the stigma that the mechanisms are not official.
The model I've been talking about, with a trustee bank holding the book-entry assets for the certificates on the net does exactly this, without the "inconvenience" of avoiding banking regulations. :-). Occam's razor.
So now you get to trust the trustee. Doesn't seem like a big improvement.
Again, you can't have finance without trust. Fortunately, in cypherspace, reputation is orthogonal to identity. No problem. You have identified accounts for the underwriters, but you have unidentified users (once the certificates are on the net) of the cash itself.
I don't think VISA and friends want anonymous settlement, they like comprehensive transaction logs to keep people like FinCEN happy. You're not suggesting that SET offers anonymity are you?
By definition, VISA *can't* have anonymous settlement. Modulo anonymous secured credit accounts, with a tip of the metaphor to Duncan and Co. And, frankly, FinCEN *itself* can't control a bearer certificate economy, and it *knows* so. If digital bearer certificates do prove to be, say, 100 times as efficient to use as book entries, particularly on ubiquitous geodesic public networks, then FinCEN will be able monitor what comes on and off the net, but will simply have to <analogy> stand back and let the net.commerce train go by </anology>. The assistant director of FinCEN as much as admitted this, on a panel I was on, last fall at the Institute (nee' Office) of Technology Assessment's conference on the regulation of digital cash. Again, folks, this is how to win the crypto fight. Just as faster shipping killed the idea of royal charters and mercantilism in favor of lazzez faire capitalism, so to will financial cryptography kill book-entry control structures and taxation. As far as SET goes, the only feature in SET that I care about, and Cybercash has this also, is the ability to "tunnel" transaction messages through the merchant to the card issuer. I claim the same kind of protocol can be used to tunnel, an ATM message, through the underwriter, and the trustee, to the cash purchaser's home bank for authentication. That's all.
Anyway, I'm not against this initial approach necessarily. Once you've got one non-anonymous electronic payment system with low entry costs to obtaining both a merchant and a purchaser, and is widely accepted, you can boot strap an anonymous payment system off it.
Precisely. It's an intermediate form. A profitable intermediary form, just like those proto-wings on those pond-skimming insects. See why the metaphor is useful?
The net model is that it should be that a merchant and a customer account are the same, and can be had by filling in a web page in real time. However, aren't they trying to make big bucks out of merchant accounts.
I'm not sure what the above means...
Will SET and Cybercash make it easier to be a merchant than it is to be a VISA merchant? Becoming a credit card merchant is a rather onerous expensive, slow process I hear.
Right. However, this isn't like a credit card. You can almost liken an underwriter to an ATM machine, except that it "prints" cash on the spot. Yes, I know, the blinding takes place at the purchaser's machine, but the certificates don't become *negotiable* until the underwriter signs them. (That, by the way, is why you have to honor patents, because the underwriter and the trustee, for the time being, are identified, litigable, meatspace entities. The nice thing is, though, the users of the certificates are *impossible* to identify.) Anyway, the point is, modulo licensing the blind signature patent, which Digicash should do, and probably won't (this week, anyway), being an actual underwriter is more a question of marketing than anything else. Anyone with a 486 (the original mint ran on one of these) and a full-time internet feed could do it. Takes a little more work to be a bank. Part of that work is adhering to all that meatspace regulation, but, frankly, holding the float account is no different from holding any other trust account. That, as they say in the Great White North, is the beauty part. Much easier than growing a mouse in a beer bottle, eh?
You lost me there. Above you described the trustee's function as holding the ability to issue money to keep the bank honest. What _is_ a bearer certificate in this discussion? A digitally signed share certificate, or other representation of an unit of value?
The trustee holds assets, in trust, which are used to capitalize the digital bearer certificates issued the underwriter. For instance, in the corporate bearer bond market, there were three people involved in issuing the bond, besides the eventual purchaser of the bond. There was the corporation, like IBM, or GE, or US Steel, say, which was issuing the bond. There was the underwriter, an investment bank, in other words, who sold the bond into the primary market, usually to brokers who in turn sold them to their clients. There was the trustee, a bank who actually handled the cash payments from the issuing corporation to the holders of the bond, and technically worked on behalf of the bond holders. On the day the interest was payable, the corporation cut a check to the trustee, who in turn cut checks to people who mailed in the little coupons they clipped off the bond every quarter. In the case of a book-entry trustee, the underwriter markets digital bearer certificates, cash in this case, to the public, in exchange for a book entry asset, money transferred through the ATM/Swift system to the underwriter's collateral account at the trustee bank. The money sits at the trustee bank until someone takes that money off the net by exchanging a digital bearer certificate for an ATM deposit transaction to the redeemer's bank. Now, sometime in the future, when there are other assets in bearer form on the net besides cash, like digital bearer bonds, or digital bearer stock, or commodities contracts, or derivatives thereof, it's easy to see how you could create a trustee which holds *those* kinds of assets instead of deposits on account somewhere in meatspace. In fact, I claim, because identity and reputation are orthogonal in cypherspace, that such a trustee, and thus, every party in the underwriting process, including the underwriter, *and* the development of any future bearer certificate cryptographic protocol, can be *anonymous*, that is, identity-free. Though, of course, they'd all have to use perfect pseudonyms.
Who issues the bearer certificates?
The underwriter.
What does possesion of the bearer certificate represent in terms of ownership of assetts?
The face value of the digital bearer certificate. For example, with a traveller's check, you buy at a premium, so that the person you give the check to can redeem them at face value, or "par", in bond language. Yes, unless the agreement between you and the issuer, as enforced by the trustee, specifies that the certificate must be backed up one for one by the assets in the reserve account, held by the trustee bank, then the issuer has the right to take some of that money and invest it in something else, and not just take the interest it accrues while it sits in the trustee's account. For the most part, the particulars about what that money is used for will be subject to market constraints. For instance, if money goes onto the net and stays there and never leaves, then, in an effort to compete, an issuer might offer lower issuing fees, even discounting the price of the certificates at issue, because he's going to make it up eventually, in the interest and other returns he gets for investing some or all of that money. However, all that's probably too messy to mess around with here. If you're interested, ( a little bond humor, there), go dig up a book on corporate finance (Brealy and Meyers was a good one, once), or fixed income mathematics (Fabbozzi's was the best, last time I looked).
Actually it's micromint which has the threshold function feature through use of k-way hashes, my hash cash is quite simple, and probably impractical to use as a basis for a currency you wished to connect to a real currency. There is a cost of printing hashcash coins, which can be made high (say a weeks CPU for a P100), but basically anyone can mint all the money they have CPU power for. This is interesting for throttling systematic abuse of limited net resources, and combining with a digicash system you could have transferability as well as anonymity. However the stability of the money supply is probably not up to it. It's kind of like allowing anyone to print money, but making it cost them in time only; the resources they already have.
It's exactly like that, and that's why I find the idea so attractive. :-).
You think you can create a digital bearer certificate market on the back of your architecture of issuers, and trustees. I don't see a great difference between this and a traditional bank.
That's the point. Reality, financial or otherwise, is not optional. :-).
How is it going to reduce the per transaction overhead, and how is it in any way distributed. (I presume your term "geodisic" refers to a distributed value transfer system).
The geodesity happens on the other side of the trustee. On the net itself. Once you get the money on the net, you can do all *kinds* of fun things there with it, and, eventually, it'll never have to leave, because, I claim, all financial assets, (stocks, bonds, notes, commodities contracts, derivatives) will be held in digital bearer form someday. It'll be too cheap not to. <beating-a-metaphor-like-a-dead-horse-mode> What we're doing at first is creating financial pond skimmers, net-based entities, in the same way that pond skimmers are air-based entities, who use financial cryptography and digital bearer certificates as proto-wings to aerodynamically flit around on the surface tension of the existing hierarchical book-entry finance system. Waterborne predators, like FinCEN, can't catch them, and the predators don't care, really. Because, sooner or later, these pond skimmers will have to breed (take the money off the net), which means laying eggs in the water, and, of course, that's where the larval pond skimmers live. :-). Of course, evolution on the net is much faster than real life. So, someday, soon, those financial cryptography pond skimmers will have wings and not rely on surface tension (book-entries) at all, and, someday after that, they won't even need water(meatspace) to hatch into. By that time, obviously, there'll be a whole *new* class of predators to worry about, but they haven't even been invented yet. </dead-horse>
What is an ACH transaction? A electronic bank clearing protocol? FSTC is Financial Securities Trading... electronic checks?
ACH: Automated Clearinghouse. FSTC: Financial Services Technology Consortium.
Isn't this going to be just another electronic check, with full transaction log, and associated overhead, banking regulations giving banks enough effective monopoly to charge high handling fees?
Yup. But the neat thing about them is they take pennies to clear, instead of quarters for paper checks. The other thing is, they're peer-to-peer. Credit cards aren't, remember? When was the last time you sold a car or house and took MasterCard in payment. :-).
I don't find electronic checks that interesting.
Yeah. You're a "wings" person. So am I, obviously. However, I think of FSTC (or any other) electronic checks, or Cybercash/coin, or even FV, and barely, SSL/SET, as "legs" which are just long enough to let the surface tension of the banking system hold us up, so we can do transactions in cypherspace.
What we want is fully anonymous, ultra low transaction cost, transferable units of exchange.
Amen.
If we get that going (and obviously there are some people trying DigiCash, and a couple of others), the banks will become the obsolete dinasaurs they deserve to become.
Wellll... Depends on what you call a "bank" I suppose. I would claim that, more than anything else, a trustee in my model is a bank, whether its assets are digital bearer or not. I won't quibble with you about it, though. A bank is a type of financial intermediary. Someone who risks reputation in return for interest, or other profit of somekind. You can't have finance, and thus trade and economics, without financial intermediaries. Might as well call some kinds of them "banks", whether they live on the net or not.
I think this would be a good outcome, and I'd rather see this happen than see anyone go to any great effort to get the banks involved. Let them stick to electronic "cash" systems (what a misuse of the word) based on credit cards and checks. See how that survives against _real_ distributed electronic cash with transaction costs 10 to 100 times lower, with 0 red tape barriers to entry for both sellers and buyers.
Well, the consequence of book-entry transactions, of course, is the interference of the nation-state, because that's your anti-repudiation mechanism. Book-entry banks need nation-states, or force monopolies of somekind, to exist. However, the net represents a whole new financial biome, if you will. A biome where book-entries, like fins, are too slow to fly with. :-).
The net is becoming more and more important as an mechanism for information exchange in it's own right. This is why I think just cutting the ties with the physical world and having a payment system working now would be interesting.
Certainly the sooner the better. However, you still have to get those assets on the net in negotiable form. That's why you need to use good old fashioned book-entry banks to make your assets negotiable. It's like punching paper numbers into a spreadsheet when you can download a file from the mainframe. Yes. Mainframes sucked. But that's where the data was.
Deployment wins and all that. Hashcash is completely distributed; there is NO bank. You can not forge hash cash, you can not double spend hash cash. You can print as much hashcash as you have CPU time for. You can resell hashcash for real money on an unoffical exchange, or trade hashcash for different services.
Way cool. So, how, if you're going to issue hashcash denominated in dollars, are you going to convert them into actual dollars? Are you going to put up a physical deposit window and take in bills somewhere? :-). Wouldn't it be nice for someone to swipe their ATM card into a reader on their machine using your web page, and get hashcash? To do that, you need a trustee bank.
I don't see any particular inherent reason why an electronic payment protocol can't be designed which requires no trust of the bank; at least it should be possible to arrange it so that the bank minting funds for it's own use will be detected. All you need is that the protocol is publically verifiable. Digicash already prevents double spending through the database of protocoins.
You might not have to trust the bank. But you do have to trust a financial intermediary of some kind. In finance, more often than not, that entity is called a "bank", for lack of a better term. Again. You can't have finance, and thus trade and economics, without reputation. Trust, in other words. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/
At 3:10 am -0400 on 5/3/97, Bill Frantz wrote:
At 10:07 AM -0700 5/2/97, Robert Hettinga wrote:
Yup. But the neat thing about them is they take pennies to clear, instead of quarters for paper checks. The other thing is, they're peer-to-peer. Credit cards aren't, remember? When was the last time you sold a car or house and took MasterCard in payment. :-).
Carlsen Subaru in Palo Alto has signs in their sales offices notifying people that their agreement with their bank prevents them from taking credit cards in payment for cars.
Hmmm. The operative concept in my paragraph was "peer-to-peer". I should have put "personally" in the last sentence, in between "you" and "sold", and it would have been much clearer. By the way, back when I was pond scum in Morgan Stanley's cage in Chicago, American Express Gold Cards had just come out. About the first month they were out, a commodities trader showed up at a local Rolls dealership and offered to pay for a brand new Corniche with one. The sales manager smiled, said "Yes sir", went to the phone, called Amex, and took the card. Probably apocryphal, but, hey, it's a great story. The point is, you and I can't take Amex when we sell our used Honda off our driveway. We do, however take a certified check or cash. When we can sell our work over the net for checks and cash, the world better look out. :-). Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/
At 3:37 pm -0400 on 5/4/97, Tim May wrote:
So, I could use my VISA card to buy a geodesic dome in this geodesic economy. Not that I'd want to.
No you couldn't. If you wanted to. :-). In a geodesic economy, things will settle for bearer cash, unless you borrow money to pay for them, and even then the loan will be a bearer certificate loan, and not a book-entry loan like a VISA card is. Ignoring for the time being that you're using a floatless "loan" when you buy something with a VISA card... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/
At 4:55 pm -0400 on 5/12/97, Bill Stewart wrote:
Book-entry banks need some kind of fairly reliable dispute resolution mechanism, but it doesn't need to be a force monopoly. If you happen to have a nation-state just lying around to be used, banks will be happy to use them, because they're more convenient for wide-area business than Mafia enforcers, probably cheaper, and can be more dependable and predictable, though your mileage may vary.
A force monopoly by any other is a nation state or is busy becoming one, to mangle a few literary allusions.
If you have relatively dependable identities, you can run a reputation system without relying on governmental or private violence providers; it's probably less expensive, but also less effective in most communities, so the risk of losing money may make it less attractive than governments.
Certainly the New York diamond market works this way. As do the NYSE, NASD, Lloyds, etc. Eric Hughes called them "clubs". Reputation clubs, if you will. The problem comes when your business is so large and centralized (because of the hierarchical nature of networks where you have very expensive human information "switches") that you can't know who you're dealing with. Then it's easier to beat up on people who make the wrong book-entries. By the way, most of these reputation clubs function best where you have peer-to-peer trading contact. Geodesic markets, in other words. Which, of course, is why geodesic markets with strong persistant cryptographic repuations will probably go to things like reputation clubs, or at least with on-line reputation registries operating much like Standard and Poor's or Moody's or Dun and Bradstreet work today.
If people know that nobody will take their checks if they bounce them and don't make good, and know they won't get any credit, and know that the merchants are all on the Grapevine, they'll generally be honest*. If identities are fluid, and you're willing to keep creating and burning them, you can sometimes get away with reneging on obligations, but people are less likely to trust you if they don't know you - so they'll want to see certified e-checks from well-known banks.
That's true. However, and of course no one has proven this yet, I think that all the offsetting book-entries cost much more than a spent-certificate registry.
I tend to view book-entry systems as an effect of an economy that uses credit to fund business ventures; you can call the book entries "bonds" or "stocks", but book-entry is the obvious way to keep track of either one.
Not at all. Before mainframe computing, and certainly before telegraphy, all debt was held in unregistered, bearer certificate form. The bookeeping load for modern registered shareholder book-entry settlement was impossible to maintain. I claim that, now that we have bearer certificates in digital form, the cost advantage of electronic digital bearer settlement over electronic book-entry settlement will eventually kill the later off economically.
Sure, you could do things like split all revenues on receipt, but book-entry is probably still easier.
I'm not sure I understand this sentence.
[*Honest people will generally be honest anyway, which is most people in most cultures, but that doesn't mean they'll be good enough at planning to pay off their loans on time, especially if they're using the money for risky activities such as farming or software development... On the other hand, violence providers aren't always good at extracting payments from people who really don't have the money any more.]
People are honest primarily because it's too much physical effort to be otherwise. Consistantly lying takes up too much memory, for instance. :-). The nice thing about digital bearer settlement, is that it allows you to be honest without telling potentially hostile people everything you do. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' The e$ Home Page: http://www.shipwright.com/
participants (6)
-
Adam Back -
Bill Frantz -
Bill Stewart -
Lucky Green -
Robert Hettinga -
Tim May