Re: The future will be easy to use
On Mon, 27 Nov 1995, James A. Donald wrote:
You are making the same erroneous assumption that Phil made when he designed the Web of trust: You assume that it is important and interesting to link key ID's to physical bodies. This is usually not the case: Linking key ID's to home web pages etc is not only easier -- it is also usually more interesting and important.
At 02:46 PM 11/29/95 -0500, Jon Lasser wrote:
Not if you're encrypting a Credit Card transaction to ship physical goods. In that case, I'm going to certainly want to link a key ID to a physical body (or at least address) if I'm the seller, so as to limit liability as best I can.
Not at all: All you need to do is be able to prove you shipped to the address requested: You do not have to know what the relationship is between the address requested and identity paying you to ship.
However, if you have optional linking of ID and name, shippers will only ship to keys with such attributes. Because just ID and address, it could be a "hit and run" type attack shipped to a safe maildrop.
This argument makes no sense at all: I am going to attack my enemies by paying people to send books, computers, and stuff to them?
---------------------------------------------------------------------
We have the right to defend ourselves and our property, because of the kind of animals that we are. True law derives from this right, not from the arbitrary power of the state.
http://www.jim.com/jamesd/
James A. Donald
jamesd@echeque.com
Jon Lasser writes:
However, if you have optional linking of ID and name, shippers will only ship to keys with such attributes. Because just ID and address, it could be a "hit and run" type attack shipped to a safe maildrop.
People who steal credit cards prefer to order goods to be delivered somewhere they can grab them. (Often this is just the front of the rightful owner's home, while Holly the Homeowner is off at work.) But that's just another reason to cut down unauthorized credit card charges, not a reason to restrict what a rightful cardholder can do with the card. I _want_ to be able to have stuff delivered to arbitrary locations, and I _don't_ want to give that up just to make it tough on thieves.
James Donald writes:
This argument makes no sense at all: I am going to attack my enemies by paying people to send books, computers, and stuff to them?
Ordering hardcore porno videos to be sent to, say, somewhere in Tennessee might work pretty well in our sadly repressed society.
-Futplex <futplex@pseudonym.com>
futplex@pseudonym.com (Futplex) writes:
People who steal credit cards prefer to order goods to be delivered somewhere they can grab them.
For most goods, yes. But one could use a stolen credit card, e.g., to set up an account on AOL / CompuServe and download tons of software, charging it to the card.
---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
On Thu, 30 Nov 1995, Dr. Dimitri Vulis wrote:
futplex@pseudonym.com (Futplex) writes:
People who steal credit cards prefer to order goods to be delivered somewhere they can grab them.
For most goods, yes. But one could use a stolen credit card, e.g., to set up an account on AOL / CompuServe and download tons of software, charging it to the card.
<Flamebait> Or c2.org, which might then make things interesting if the theft is detected. (in a very perverse, and tooth-gnashingly aggravating way, of course). Would Sameer cooperate with the LEAs to catch "an anonymous suspect using his service"? What if it's an ecash password getting stolen? Who's liable? (lemme guess, your money's gone, tough luck!) What if you're just a dumb gullible computer newbie who trusts ecash for its vaunted security? "But how was I supposed to know that if I let someone surf my shoulder, I'd lose my bank account!?" I'd say buyer beware! but he'd sue and the public will want a law ("Damn it, consumers have to be PROTECTED!"). Credit only has $50 worth of risk, most people are more interested in keeping their $ than their privacy. Just look at the number of them who enter contests. </Flamebait>
Disclaimer: I don't have a marktwain account at the moment, so I can't say a thing about the security of the system. I wish them the absolute best of luck.
Or c2.org, which might then make things interesting if the theft is detected. (in a very perverse, and tooth-gnashingly aggravating way, of course). Would Sameer cooperate with the LEAs to catch "an anonymous suspect using his service"?
Community ConneXion will comply with all properly formed court orders and subpoenas. We will *not* cooperate without court intervention. (I.e. Mr. FBI calls up and says "can you help us find this suspect"? I respond "got a subpoena?")
--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer@c2.org
On Thu, 30 Nov 1995, sameer wrote:
Community ConneXion will comply with all properly formed court orders and subpoenas. We will *not* cooperate without court intervention. (I.e. Mr. FBI calls up and says "can you help us find this suspect"? I respond "got a subpoena?")
But it's not quite that simple, Sameer. Don't underestimate the more subtle forms of non-cooperation you can engage in. To use the most obvious example, different remailer operators turn different levels of logging on. So one operator will say "Yes, I am obligated to fully comply with your subpoena, officer. Here are the full logs for the last six months." And another will say "Yes, I am obligated to fully comply with your subpoena, officer. However, I keep no logs at all of the mail sent through my remailer. Drag, huh?"
Being the eternal pessimist, I once again point out that the government will try to stop cryptoanarchy any way they can. Their main tool is the law, and they WILL use it eventually when all else fails. Personally, I would play it safe by operating on the assumption that basically EVERYTHING will be illegal eventually and "finessing" laws will become more important. In short, they WILL have a subpoena--then what?
Of course, I personally would never do anything illegal.
--Dave.
--
David Mandl
Bear, Stearns & Co. Inc.
Phone: (212) 272-3888
Email: dmandl@bear.com
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************
"finessing" laws will become more important. In short, they WILL have a subpoena--then what?
Then they'll find out that I don't have any information that could help them, anyway.
--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer@c2.org
On Thu, 30 Nov 1995, sameer wrote:
"finessing" laws will become more important. In short, they WILL have a subpoena--then what?
Then they'll find out that I don't have any information that could help them, anyway.
sameer
yes, and that is where the absurdity of American law enters in, they **charge** you with conspiracy! --or destroying evidence of a crime (by failing to keep logs) --or even better, aiding and abetting the commission of a crime as part of the "chain" of the crime.
and, you better believe they do whatever they want. and do not ignore RICO, because if they "allege" there were six or more conspirators, or participants, they are starting to use RICO --and you can go away for life without parole for even a simple "crime."
let me put it this way --been there, done that. however, screw'm, if we don't put our asses on the line, not only will America in general not have freedom of speech, but we will not either.
I do not necessarily condone the militias, but I certainly will not interfere with their rights.
it may not be too long before the words of Thomas Jefferson may ring true: the purpose of the militia [a citizens' militia] is to, God forbid, overthrow a state which has become tyrannical.
**** **** the government who fears weapons in the hands of its citizens, should! **** ****
On Tue, 28 Nov 1995, James A. Donald wrote:
Not if you're encrypting a Credit Card transaction to ship physical goods. In that case, I'm going to certainly want to link a key ID to a physical body (or at least address) if I'm the seller, so as to limit liability as best I can.
Not at all: All you need to do is be able to prove you shipped to the address requested: You do not have to know what the relationship is between the address requested and identity paying you to ship.
That's if you're accusing the merchant of fraud. I'm positing someone's using a stolen credit card number. (Yes, these will still exist for at least a while after e-cash becomes commonplace). If I'm a merchant, I'm going to really want (if I know it's possible) to ship only to what's been "the address on the card" (or, in reality, in the database under the card's number) so that it's harder (not impossible, harder) for people to defraud me.
However, if you have optional linking of ID and name, shippers will only ship to keys with such attributes. Because just ID and address, it could be a "hit and run" type attack shipped to a safe maildrop.
This argument makes no sense at all: I am going to attack my enemies by paying people to send books, computers, and stuff to them?
No; you're going to steal from your enemies by having them ship things to you without payment. Note that in an ecash economy, this isn't a problem. The original post was about the transition between the current economy and a "cypherpunks" economy, during which I suggested that encryption would be used to protect credit card numbers (and be a "proof of identity" -- which I was claiming wouldn't work without ecash (proof of non-fraud payment))
Jon
------------------------------------------------------------------------------
Jon Lasser <jlasser@rwd.goucher.edu> (410)494-3072
Visit my home page at http://www.goucher.edu/~jlasser/
You have a friend at the NSA: Big Brother is watching. Finger for PGP key.
-----BEGIN PGP SIGNED MESSAGE-----
Date: Thu, 30 Nov 1995 12:39:50 -0500 (EST)
From: Jon Lasser <jlasser@rwd.goucher.edu>
I'm positing someone's using a stolen credit card number. [...] If I'm a merchant, I'm going to really want (if I know it's possible) to ship only to what's been "the address on the card" (or, in reality, in the database under the card's number) so that it's harder (not impossible, harder) for people to defraud me.
I'm not sure that's the reason, but there are merchants who insist on shipping to the card's billing address. This happens to me when I'm using a credit card by phone, so the merchant has no signature on file. For lack of that proof that I'm me (as opposed to some inmate in a local prison (actual case I heard about)), if they ship goods to the same address that writes the actual check for the goods, there's added safety.

For a world with my non-certificates, this is achieved by a pair of attribute statements:

- -----BEGIN PGP SIGNED MESSAGE-----
Signing-Key-ID: bc2cb00144f223498fcc074eabb821d0
Signed-Key-ID: e05c601c4ec4af3aeb54a53171ed65da
Meaning: checking-account: 116 94265, First Security Bank
- -----BEGIN PGP SIGNATURE-----
[...] signature with First Security Bank's key (bc2cb0...)
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Signing-Key-ID: e05c601c4ec4af3aeb54a53171ed65da
Meaning: I receive packages (especially UPS and FedEx) at:
Carl Ellison
c/o Trusted Information Systems
3060 Washington Road
Glenwood MD 21738
(301) 854-6889
- -----BEGIN PGP SIGNATURE-----
[...] signature with my key (e05c60...)
- -----END PGP SIGNATURE-----

The first gives the necessary hook for the merchant to establish that key e05c6... has money to spend, if the merchant feels the need to check. The second establishes a shipping address for that key.

Note that the word "I" in the second attribute statement means "the person who knows how to make the attached signature with key (e05c60...)" rather than "Carl Ellison" (although, in this case, they're the same).

The shipping address could be anonymous:

- -----BEGIN PGP SIGNED MESSAGE-----
Signing-Key-ID: e05c601c4ec4af3aeb54a53171ed65da
Meaning: I receive USPS packages at:
P.O. Box 360
Glenwood MD 21738
- -----BEGIN PGP SIGNATURE-----
[...] signature with my key (e05c60...)
- -----END PGP SIGNATURE-----

- Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison cme@tis.com http://www.clark.net/pub/cme |
|Trusted Information Systems, Inc. http://www.tis.com/ |
|3060 Washington Road PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2|
|Glenwood MD 21738 Tel:(301)854-6889 FAX:(301)854-5363 |
+--------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBML31ZFQXJENzYr45AQHk1QQAplkBXXZ+tSiBA2B/0FbJtFkYabNJcC7T
lkDEG/jZVANhonX5KKRgwKwzg1cfMCAlbbe0s+3HLTMg5yj9Fw4UD/U0mgZ31HGo
16iqbOqoVpknI5qSHVH/p2QMKHb3N1wKOEH3VJc21mkO+5W77p0mXywvW5zJrRHR
qllQdZ3Xde0=
=UU9f
-----END PGP SIGNATURE-----

BTW -- I don't have a PO Box at Glenwood. (cme)
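
Added example (not part of the message above and not PGP's or anyone's actual code): a merchant-side check of the pair of attribute statements described in the preceding message, accepting a shipping address only when the bank-signed statement names the same key that signed the address. Assumptions: signatures are toy textbook RSA over Mersenne primes (not secure), key IDs are a truncated SHA-256, and every function name, key and sample value is constructed for illustration.

```python
import hashlib

E = 65537  # toy textbook RSA over Mersenne primes: illustration only, NOT secure

def make_key(p, q):
    n = p * q
    kid = hashlib.sha256(str(n).encode()).hexdigest()[:32]  # constructed 128-bit key ID
    return {"id": kid, "n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(body, n):
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def sign(key, fields):
    """Build a 'Header: value' statement body and sign it with `key`."""
    headers = {"Signing-Key-ID": key["id"], **fields}
    body = "".join(f"{k}: {v}\n" for k, v in headers.items())
    return body, pow(digest(body, key["n"]), key["d"], key["n"])

def verified(stmt, keyring):
    """Return the parsed headers if the signature checks under the named key."""
    body, sig = stmt
    fields = dict(line.split(": ", 1) for line in body.splitlines())
    n = keyring.get(fields.get("Signing-Key-ID"))
    return fields if n and pow(sig, E, n) == digest(body, n) else None

def shipping_address(bank_stmt, addr_stmt, keyring, trusted_bank_id):
    """Merchant check: the funded key and the address-signing key must match."""
    bank, addr = verified(bank_stmt, keyring), verified(addr_stmt, keyring)
    if not bank or not addr:
        return None  # bad signature, tampered body, or unknown key
    if bank["Signing-Key-ID"] != trusted_bank_id:
        return None  # account claim was not made by a bank the merchant trusts
    if bank.get("Signed-Key-ID") != addr["Signing-Key-ID"]:
        return None  # address signed by a key other than the funded one
    return addr.get("Meaning")

# Constructed sample keys and statements (none of these values come from the thread).
BANK = make_key(2**61 - 1, 2**89 - 1)
CUSTOMER = make_key(2**107 - 1, 2**127 - 1)
THIEF = make_key(2**61 - 1, 2**127 - 1)
KEYRING = {k["id"]: k["n"] for k in (BANK, CUSTOMER, THIEF)}
FUNDS = sign(BANK, {"Signed-Key-ID": CUSTOMER["id"],
                    "Meaning": "checking-account: 000 00000, Example Bank"})
ADDRESS = sign(CUSTOMER, {"Meaning": "I receive packages at: 1 Example Road, Exampletown"})
MAILDROP = sign(THIEF, {"Meaning": "I receive packages at: Box 0, Exampletown"})
```

The check never learns a name: it binds an address to whoever can sign with the funded key, and how far that goes depends entirely on which bank key the merchant chooses to trust.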
participants (9)
- attila
- Carl Ellison
- David Mandl
- dlv@bwalk.dm.com
- futplex@pseudonym.com
- James A. Donald
- Jon Lasser
- s1113645@tesla.cc.uottawa.ca
- sameer