Re: Jim Bell

[Ray Dillinger]

On Mon, 27 Nov 2000, A. Melon wrote:

>Newby puzzles:
>
>> Right, I agree.
>>
>>But what I'd like to consider is a recipe for "plain ordinary"
>>folk to conspire anonymously to commit murder.
>
>Did you even bother to read AP? RTFM, dude!

Speaking as someone who has very recently read AP, the 
protocol presented therein is incomplete.

I'm collecting protocols, trying to write a reference work 
of them, and, well, I'm most of the way through the A's so 
the other day I looked at Assassination Politics again. 

Since this time I was trying to distill a formal protocol 
specification, I was a lot more critical about fine points.

Bell handwaved on the point of obtaining digital cash for 
paying the assassin with.  Bob the broker can go to the
bank and obtain it in the usual way, of course - but then 
has to transfer it to Alice the assassin, and there's a 
sticky point involved.  If he just "copies" the money to 
Alice, she can double-spend with impunity and it's Bob's 
identity that will be revealed. 

Conversely, if she provides tokens for the bank to sign, 
then Bob has a major problem getting them past the cut-and-
choose protocol at the bank.  Even if she provides enough 
tokens to completely populate the cut-and-choose protocol, 
those tokens still have to have splits of valid identification 
information for somebody in them - and giving them all to 
Bob so that Bob could complete the protocol with the bank - 
would imply that Bob is privy to that information.  Worse, 
the bank will have the information from the cuts it didn't 
choose, and has to make sure it all matches. Thus, Bob the 
Broker and Dave the Banker can identify Alice - or at the 
very least someone whose identification Alice has stolen.  

Finally, Carol the contributor has to have a way to check 
the digital cash that was sent Alice - to make sure Bob 
is not holding out her contribution. This works if Carol's 
original coinage is simply encrypted under the key that the 
successful predictor used - because Carol can perform the 
same computation and make sure that bit string appears in 
the "payment" package.  But then Carol has the same problem 
where Alice can double-spend with impunity and it's Carol's 
identity that will be revealed.  On the other hand, if 
Carol's digital cash is transferred to Bob by protocol, 
there's no way she can recognize it later under encryption.  
(and under commercial digital cash protocols now in use, no 
way Bob can retransfer it to Carol).  So if Bob deposits the 
money and obtains new digital cash, Carol needs a way to 
look at that digital cash and know that it does in fact 
carry the bank's signatures for the proper amounts - she 
can't recognize her own bills, but she can check that the 
total is correct from the last point at which she could.  
But Carol has to be provided this information without 
providing her enough information to just spend the cash 
herself.  

In short, AP as described by Bell appears to depend on 
digital cash having some exotic and not-otherwise-very-
useful properties, including a bank with a protocol that 
allows issue-by-proxy, which has no readily apparent 
commercial use. No protocol for digital cash that I'm 
yet aware of has these properties.  Hence, without some 
major engineering work, and probably the active cooperation 
of some bank, AP as described cannot be implemented.

I think some of these problems could be solved by 
engineering; but A, it would be non-trivial work, and B, 
I don't think I care to waste any effort on figuring out 
secure ways to kill people outside the law.

Bear

Re: Jim Bell

[Tim May]

At 7:16 PM -0800 11/27/00, Ray Dillinger wrote:
>
>Since this time I was trying to distill a formal protocol
>specification, I was a lot more critical about fine points.
>
>Bell handwaved on the point of obtaining digital cash for
>paying the assassin with.  Bob the broker can go to the

There's often "hand-waving" when reasoning about digital cash and how 
it is transferred, spent, redeemed, etc. Bell is not a cryptographer. 
Also, he didn't claim to have built a working system. (I think any of 
us could be called as witnesses to refute a state claim that he was 
deploying a real system!)

However, much of your reasoning below is _also_ hand-waving.

Fortunately, there's a way to cut through it. I'll cover this at the 
end, after your included section (which I would normally snip, but 
won't this time).


>bank and obtain it in the usual way, of course - but then
>has to transfer it to Alice the assassin, and there's a
>sticky point involved.  If he just "copies" the money to
>Alice, she can double-spend with impunity and it's Bob's
>identity that will be revealed.
>
>Conversely, if she provides tokens for the bank to sign,
>then Bob has a major problem getting them past the cut-and-
>choose protocol at the bank.  Even if she provides enough
>tokens to completely populate the cut-and-choose protocol,
>those tokens still have to have splits of valid identification
>information for somebody in them - and giving them all to
>Bob so that Bob could complete the protocol with the bank -
>would imply that Bob is privy to that information.  Worse,
>the bank will have the information from the cuts it didn't
>choose, and has to make sure it all matches. Thus, Bob the
>Broker and Dave the Banker can identify Alice - or at the
>very least someone whose identification Alice has stolen. 
>
>Finally, Carol the contributor has to have a way to check
>the digital cash that was sent Alice - to make sure Bob
>is not holding out her contribution. This works if Carol's
>original coinage is simply encrypted under the key that the
>successful predictor used - because Carol can perform the
>same computation and make sure that bit string appears in
>the "payment" package.  But then Carol has the same problem
>where Alice can double-spend with impunity and it's Carol's
>identity that will be revealed.  On the other hand, if
>Carol's digital cash is transferred to Bob by protocol,
>there's no way she can recognize it later under encryption. 
>(and under commercial digital cash protocols now in use, no
>way Bob can retransfer it to Carol).  So if Bob deposits the
>money and obtains new digital cash, Carol needs a way to
>look at that digital cash and know that it does in fact
>carry the bank's signatures for the proper amounts - she
>can't recognize her own bills, but she can check that the
>total is correct from the last point at which she could. 
>But Carol has to be provided this information without
>providing her enough information to just spend the cash
>herself. 
>
>In short, AP as described by Bell appears to depend on
>digital cash having some exotic and not-otherwise-very-
>useful properties, including a bank with a protocol that
>allows issue-by-proxy, which has no readily apparent
>commercial use. No protocol for digital cash that I'm
>yet aware of has these properties.  Hence, without some
>major engineering work, and probably the active cooperation
>of some bank, AP as described cannot be implemented.

It's simple:

If payer-anonymity (payer is untraceable by the payee) and 
payee-anonymity (payee is untraceable by the payer) exists, then the 
buyers and sellers of some "thing" are untraceable to each other. 
Whether that "thing" is a piece of warez or a bet in a murder pool 
(cf. Jack London for a much earlier discussion that Bell's).

Arguing how complicated or confusing digital cash can be by citing a 
specific market like AP is what I mean by hand-waving.

If, for example, the Mojo Nation folks succeed in making "mojo" both 
payer-anonymous AND payee-anonymous, then all of the hand-waving 
above is beside the point.


>
>I think some of these problems could be solved by
>engineering; but A, it would be non-trivial work, and B,
>I don't think I care to waste any effort on figuring out
>secure ways to kill people outside the law.
>
>   Bear


RTFM.


--Tim May
-- 
(This .sig file has not been significantly changed since 1992. As the
election debacle unfolds, it is time to prepare a new one. Stay tuned.)

Re: Jim Bell

[Declan McCullagh]

At 01:06 11/28/2000 -0500, R. A. Hettinga wrote:
>Hmmm...
>
>Maybe it was Toto's ersatz-AP web page I was remembering, now that I think
>about it, which, of course, Toto *didn't* plead to...

Ah, I think you're right. I don't remember a whole lot of substance backing 
that allegation (it didn't help that it was most certainly baseless), but I 
do remember that being part of the complaint against the other 
"crypto-criminal."

-Declan

Re: Jim Bell

[Alan Olsen]

On Tue, 28 Nov 2000, R. A. Hettinga wrote:

> Maybe it was Toto's ersatz-AP web page I was remembering, now that I think
> about it, which, of course, Toto *didn't* plead to...

But the prosecutors did not quite get the joke. It was quite obvious that
the site was rigged to a small and preselected handful of entries.

Kind of like the last election.

[EMAIL PROTECTED] | Note to AOL users: for a quick shortcut to reply
Alan Olsen| to my mail, just hit the ctrl, alt and del keys.
"In the future, everything will have its 15 minutes of blame."

Re: Jim Bell arrested, documents online

[Eric Cordian]

Alan Olsen wrote:

> I disagree.  I don't believe Jim really was willing to consider 
> the social implications of his scheme.

The implications are that in a society where the government has not made
personal privacy and private communication illegal, you can't be an
asshole to countless millions of people without winding up with a price on
your head.

This seems to be a natural example of the doctrine that people who make
peaceful change impossible, make violent change inevitable.  Clearly, the
remedy here is for people in power to not act like assholes, rather than
to make personal privacy and private communication illegal, as governments
seem wont to do.

> He seemed to think that the only target of this would be the government.

I think this is a reasonable observation.  You really have to be acting
under color of authority to strongly alienate enough people, who have so
litle recourse against you, that millions will bet a buck on your
continued good health in the hopes that an anonymous assassin will prove
them wrong and collect the pot.

> Think about it.  If you had the chance to have people killed without any
> posibility of capture, who would it be?

I can't think of anyone I would have killed.  My personal moral system is
such that I only think it is reasonable to kill someone if they pose an
immediate danger of death or serious injury to oneself, or someone one is
obligated to protect, and retreat is impossible.

However, I recognize that the world contains many people with different
ethical codes, and if they want to issue a Fatwah at the drop of a hat,
that is their business and not mine.

> I think that there are more people out there who would go after Bill
> Gates or John Tesh than there would for various little known public
> officials. (This could be a case where fame could have an even bigger
> downside. About six feet down.)

Oh come now.  You have real recourse against Bill Gates and John Tesh
short of killing them.  Bill Gates and John Tesh don't claim they have
God's authority to kill you if you don't do what they say.  They don't
order your house raided, and your children terrorized at gunpoint.  They
don't force you to choose between going to prison or going to war.  They
don't accuse you of treason and try to have you executed if you tell their
dirty little secrets.

I don't think Bill Gates and John Tesh have a thing to worry about from
AP.  Janet Reno, on the other hand... :)

> One of the reasons that this country is so fucked up is that few pay
> attention to what their leaders actually do.  You tell them about laws
> that are already on the books and they don't believe you. They still buy
> into the myth that America is the "Freest Country in the World(tm)".

Well, as ts elliot once observed, what we need is a system so perfect that
it does not require that people be good.

Any government that requires me to pay attention to what it does, in order
to function efficiently, is a lost cause.  I mean, I don't have to pay
attention to Federal Express for it to perform well.  McDonalds manages to
make burgers without my participation.  I am not mailed a ballot to choose
the President of Domino's, and then told that everything is my fault if
the guy screws up, or that I have no right to criticize roaches in the
pizza if I didn't exercise my right to vote.

> And what about those people who have lots of money and little or no
> personal ethics?  Say that you have a company whos rival has a bunch of
> engineers that you want.  They won't work for you, so you have them done
> in.  (Or maybe the prosecutors in a big anti-trust trial.)

People can hire hit men to do such things now.  I don't see piles of dead
engineers all over silicon valley. 

There are only two classes of people the typical person would pay money to
see dead.  Relatives who piss them off, and government officials who have
dishonestly cost them everything they have, and are untouchable because
they are operating under color of authority.

People hire people to kill their shrewish wives, and to kill witnesses who
have put them in prison for 150 years by lying.

Disputes with employees, and displeasure over Windows needing frequent
rebooting, really don't rise to this level of visceral discontent.

> Just because you can do something, does not mean that you should.

Unlike episodes of "Columbo," very few murders that involve any careful
planning are ever solved, and then only if someone rats out the perp.

AP would permit vast numbers of strangers to financially support the
misfortune of a despised individual, just as small numbers of wealthy
non-strangers might decide to do now.

It is extremely unlikely it is going to change in the least the "who" or
"why" of contract killing.  I really don't think everyone is going to
start murdering their bosses, their landlords, or their local prosecutor.

Which is why the government's overreaction to Jim Bell's speculative
essay on ways of combatting tyranny is so telling. 

"If 

Re: Jim Bell arrested, documents online

[Me]

- Original Message -
From: "Duncan Frissell" <[EMAIL PROTECTED]>
> I hope James will argue that he was gathering addresses so
> that he could picket them (which is legal).

Hasn't Jim Bell, master chemist, keeper of paper notes, and self
appointed angel of death to LEOs ever heard of a contact poison?

He has fluka's top 100 in his garage, but can't find a bottle of
lithium salts.

The NSA should pray a soft sentence and underwrite his efforts as
positive PR.

Re: Jim Bell arrested, documents online

[Ken Brown]

Eric Cordian wrote:
> Alan Olsen wrote:

[...snip...]

> > He seemed to think that the only target of this would be the government.
> 
> I think this is a reasonable observation.  You really have to be acting
> under color of authority to strongly alienate enough people, who have so
> litle recourse against you, that millions will bet a buck on your
> continued good health in the hopes that an anonymous assassin will prove
> them wrong and collect the pot.

I'm not so sure about this. 

I've taken part in political demonstrations against private companies &
I've worked in offices that were picketed or invaded by demonstrators. 
I've also worked in a building whose windows were broken by a bomb in
the street. The bomb wasn't directed against us, but against another
business on the other side of the street - the Harrods department store.
On another occasion Harrods was bombed in protest against their selling
fur. Farms that breed animals for experiments have been attacked and
there have been attempts on the lives of the managers and owners of such
places. 

[...snip...]
 
 
> > I think that there are more people out there who would go after Bill
> > Gates or John Tesh than there would for various little known public
> > officials. (This could be a case where fame could have an even bigger
> > downside. About six feet down.)
> 
> Oh come now.  You have real recourse against Bill Gates and John Tesh
> short of killing them.  Bill Gates and John Tesh don't claim they have
> God's authority to kill you if you don't do what they say.  They don't
> order your house raided, and your children terrorized at gunpoint.  They
> don't force you to choose between going to prison or going to war.  They
> don't accuse you of treason and try to have you executed if you tell their
> dirty little secrets.

Gates & Tesh may not do that but there are companies that have done -
and more importantly there are people who think that companies do behave
like that even if they don't. Think of Shell in Nigeria. Or Harlan
County, Kentucky.

One of the things about AP is, if it works, millions of people with
untrue ideas can still get things done.

Anyway, the distinction between business and politics is less clear than
you make out - or seems less clear to many people in countries outside
America. In most places the government is in the pockets of the people
with the money - and in most places presidents and governors are quick
to join the ranks of the men with the money. Citizens of countries that
have experienced the rule of people like, say, Marcos, or Suharto, or
Kenyatta, aren't likely to believe that your American companies aren't
agents of the US government, and they aren't likely to believe that your
American politicians don't have interests in  the companies. What
happens if millions of people outside the US are pissed off (maybe for
no good reason) with the corporate leadership of Exxon or Coca-Cola or
Microsoft or MacDonalds? Maybe if only because they are pissed off with
the USA  and those companies stand for the USA in the minds of others (&
however wonderful your USA is someone, somewhere is going to be pissed
off with it). The only American politician millions of people have heard
of is the President (who is presumably reasonably well-defended).
Representatives of big companies make much more likely targets for
non-Americans.

Anyway, big companies make big targets for some kinds of
revolutionaries, as do big fortunes. Some of them like killing the rich.
This already happens. Not a lot, but it happens. AP might make it more
common.

Ken

Re: Jim Bell arrested, documents online

[Bill Stewart]

At 10:14 AM 11/24/00 -0800, Ray Dillinger wrote:
>
>
>On Fri, 24 Nov 2000, Tom Vogt wrote:
>
>
>>would most likely cast a couple new protection laws. say, make it
>>illegal to publish a politician's name. "our president has today..."
>
>
>Well, I guess that's *one* way to get political types to support 
>the right to anonymity...  

Nah - too hard to give them credit when they want it,
so they'd do pseudonyms.
"Big Brother announced today that..."


Thanks! 
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639

Re: Jim Bell arrested, documents online

[petro]

>Oh come now.  You have real recourse against Bill Gates and John Tesh

Bill Gates is a questionable case, but there is no doubt that 
John Tesh should die.

>It is extremely unlikely it is going to change in the least the "who" or
>"why" of contract killing.  I really don't think everyone is going to
>start murdering their bosses, their landlords, or their local prosecutor.

Most people just aren't vicious enough to want to *really* 
kill someone.

Most.

Case in point:

There are some 80 million gun owners in this country. Some 
250+ million guns. Yesterday 79,999,900+ of those gun owners killed 
no one.

It really is only the mentally disturbed that kill for any 
reason other than self defense or other *huge* cause.

10 million dollars is, IMO a huge cause.
-- 
A quote from Petro's Archives:
**
"Despite almost every experience I've ever had with federal 
authority, I keep imagining its competence."
John Perry Barlow

Re: Jim Bell arrested, documents online

[Tom Vogt]

petro wrote:
> 
> >Oh come now.  You have real recourse against Bill Gates and John Tesh
> 
> Bill Gates is a questionable case, but there is no doubt that
> John Tesh should die.

if everyone who hates windos puts $10 in a box, you'd need quite a large
box. which makes one wonder why the guy is still alive. or why Linus is
still alive, given the fact that M$ could easily pay for the most
professional contract killers on the globe. I mean: all of them.




> It really is only the mentally disturbed that kill for any
> reason other than self defense or other *huge* cause.
> 
> 10 million dollars is, IMO a huge cause.

the only problem I have with this is that it tends to get the
figureheads killed. not the biggest assholes, but the somewhat-assholes
with a high publicity. instead of learning responsibility, government
would most likely cast a couple new protection laws. say, make it
illegal to publish a politician's name. "our president has today..."

Re: Jim Bell arrested, documents online

[Ray Dillinger]

On Fri, 24 Nov 2000, Tom Vogt wrote:


>would most likely cast a couple new protection laws. say, make it
>illegal to publish a politician's name. "our president has today..."


Well, I guess that's *one* way to get political types to support 
the right to anonymity...  

Bear

Re: Jim Bell arrested documents online

[Anonymous]

>Anyway, the distinction between business and politics is less clear than
>you make out - or seems less clear to many people in countries outside
>America. In most places the government is in the pockets of the people
>with the money - and in most places presidents and governors are quick

This is a part of official mythology that very few americans escape.

I also noticed seemingly intelligent people bending their brains
to explain how something that business does is less evil than the
same thing done by government.

Apparently because businesses do not use guns.

They are missing the fact that majority of people never encounter/use
guns in their life, and that the principal way of behavioural control
is propaganda/ideology. Most of the people in the industrial world are
directly and tightly controlled by corporations, not governments.

I have seen people that fear their bosses/corporate policies/landlords/
creditors more than they ever feared government - simply because they
never had to deal with government on adverse terms. Their lives are not
shaped by governments - business does that. That is the reality.

But corporations did a great job of propping up the government as the
target for frustration, and it shows. Long time ago I read a story about
the guy whose job was to be fired: a company would screw up something,
and the guy was hired, presented to be the company exec, and then
humiliated and fired in front of the customer. Sounds familiar ?

Re: Jim Bell arrested, documents online

[Ray Dillinger]

On Fri, 24 Nov 2000, Greg Newby wrote:

>
>Do people on this list really believe that the solution to 
>problems is to kill people?
>
>Or are we just getting sarcastic and frustrated?


There are certain problems that no other solution for has ever 
been found.  There has never been a human society that did not 
kill people.  Even countries that don't execute criminals still 
slaughter enemy soldiers and civilians when they go to war. 

You can regard killing, of certain types of people anyway, as a 
service industry.  Like all services, less of it is provided (and 
at a much higher cost) if there is a monopoly on it.  Since we 
tend to like a minimum of killing, but are willing to pay the 
high costs for the truly necessary amount of killing, humans 
have mostly seen fit to institute monopolies on killing, regulate 
them fairly tightly, and refer to them as governments. 

In a governed state, it is your civic duty to uphold the monopoly. 
You must refrain from doing the killing yourself unless the power 
to kill delegated to the government is redelegated to you by the 
government.  In an ungoverned state, it is your civic duty to stop 
psychopaths and sociopaths yourself, since you've no government to 
delegate that duty to in the first place.  And to do so, generally 
you must kill.

The "Needs Killing" verbiage you see here, I think, is mostly from 
people who, correctly or not, tend to think in terms either of there 
not being any governments, or in terms of the government being so 
ineffective that they are effectively in an ungoverned state.

Bear
  

Re: Jim Bell spotted in Bellevue, Washington

[Patrick Henry]

> A quick and ugly digital photo:
>
> http://www.mccullagh.org/image/950-8/jim-bell-dinner.html

It looks like he ate well in prison.

--PH
__
Get Your Free Email from http://www.hotml.com

ecash, cut & choose and private credentials (Re: Jim Bell)

[Adam Back]

[Hey Hal, what happened to your Chaum's ecash description?  Can't find
it to link to].

Anonymous wrote:
> Ray wrote:
> > Even if she provides enough 
> > tokens to completely populate the cut-and-choose protocol, 
> > those tokens still have to have splits of valid identification 
> > information for somebody in them - and giving them all to 
> > Bob so that Bob could complete the protocol with the bank - 
> > would imply that Bob is privy to that information.
> 
> There are far more efficient offline systems than cut and choose.
> You need to get past the A's and into the B's and C's in your
> protocol list.  Check more recent work from Brands and Chaum.

Here's a short description of Chaum's [2] ecash and credentials vs
Brands' [1] more general and flexibile private credentials and ecash.

So as both anonymous and Ray know cut and choose refers to the method
of encoding identity into coin.  The basic problem is that Chaum's
blind signature doesn't the signer see what he is signing.

So cut and choose is just the user encodes identity in a number of
candidate coins, and the bank chooses one at random and the user must
reveal the rest.  This allows tunable probability of cheating (not
encoding identity in the chosen coin).  This is done in such a way
that a coin showing protocol will reveal the identity if the coin is
spent twice (due to random values chosen by the merchant resulting in
two simultaneous equations with two unknowns -- one of them the
identity).

Cut and choose is computation and communication inefficient.

Brands' private credentials stuff uses a technique he calls secret key
certificates to allow the issuer and the user to both see the
attributes being signed.  The user ends up with a certificate on the
attributes and the ability to prove the validity of the certificate
during a certificate showing protocol.

The user can also choose to selectively disclose attributes during
disclosure, for example if there are two attributes he can reveal one
(the coin denomination) and not the other (his identity).

With Chaum's ecash you have to use the cut and choose protocol which
is inefficient, with Brands' protocol the user and the issuer engage
in a protocol with 3 moves (Discrete Log based variant) or 2 moves
(RSA based variant) which is both computation and communication
efficient.

With Chaum's ecash you have to encode the coin denomination by having
a separate public certification key for each denomination.  You don't
have to do this with Brands' private credentials, as you can put this
in an attribute.

Also the number of attributes is arbitrary, so if it makes sense to
have more attributes in the general private credential case, you can.

(For example sex, age, nationality, passport credential, etc. you can
reveal any combination you choose after certification.)

You can also show fairly arbitrary boolean expressions involving the
attributes and not reveal anything other than the truth of the
expression.  (Eg. Female US citizen over 60 or Male Canadian citizen
under 18, and not reveal sex, citizenship or age).

The certificates are linkable (ie the verifier or merchant can tell
that you are the same pseudonymous person who last showed the
certificate), because there is a public key chosen by the user and the
public key is revealed during the show protocol.

There is also a refresh protocol where the user can give a used
certificate and get a fresh certificate without having to show the
attribute vales of the certificate -- the certifier just knows he is
certifying the same as last time.  The refreshed cert would be
unlinkable at show time from the original cert.

For ecash purposes you can use private credentials to make both
offline and online cash.

So private credentials are nice and flexible for building generalised
private credentials, and also more flexible and so allow you to do
some things more efficiently, and do some things not directly possible
with Chaum's credentials.

Unfortunately both Brands' and Chaum's ecash and credential schemes
are patented.  David Wagner et al also had some ideas about an ecash
coin [3] composed roughly of a public key based MAC (ie the user can't
verify the validity of the coin directly -- only the bank can do
that), plus a zero-knowledge proof that the bank hasn't marked the
coin.  This may be unpatened in that it's not directly a certificate,
it's a MAC, plus a zero-knowledge proof so it seems like a fairly
different process.  I don't think you can do efficient offline ecash
with Wagner et al's mechanism -- I'd guess it's more comparable with
the functionality offered by Chaum's blind signature.

There is a high level white paper describing the applications of
Brands' private credentials and comparing to Chaum's credentials:

at the bottom Brands Private Credentials White Paper.

[1] http://www.zeroknowledge.com/media/default.asp

[2] Hal Finney used to have a description of Chaum's protocol on rain.org
but he's at www.finney.org/~hal/ now and I c

Re: ecash, cut & choose and private credentials (Re: Jim Bell)

[Ben Laurie]

Apologies for indirect routing :-)

> Date: Tue, 28 Nov 2000 22:41:07 -0500
> From: Adam Back <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
>
> Unfortunately both Brands' and Chaum's ecash and credential schemes
> are patented.  David Wagner et al also had some ideas about an ecash
> coin [3] composed roughly of a public key based MAC (ie the user can't
> verify the validity of the coin directly -- only the bank can do
> that), plus a zero-knowledge proof that the bank hasn't marked the
> coin.  This may be unpatened in that it's not directly a certificate,
> it's a MAC, plus a zero-knowledge proof so it seems like a fairly
> different process.  I don't think you can do efficient offline ecash
> with Wagner et al's mechanism -- I'd guess it's more comparable with
> the functionality offered by Chaum's blind signature.

I'm not sure what you think the requirements for "efficient offline
ecash" are, but I should note that the double-blinded version of lucre
doesn't require the ZKP, and there's also a non-interactive variant of
the ZKP for the single-blinded variant. They are both described in the
current version of the paper (at least, I'm sure the first as, and
somewhat sure the second is).

Cheers,

Ben.

> [3] Ben Laurie has a paper describing Wagner et al's MAC + ZKP ecash /
> credential protocol as theory2.pdf.
> 
> http://anoncvs.aldigital.co.uk/lucre/
> 
> Adam
> 
> Disclaimer: As always my comments are my own.
> 
> --- end forwarded text
> 
> --
> -
> R. A. Hettinga 
> The Internet Bearer Underwriting Corporation 
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Re: ecash, cut & choose and private credentials (Re: Jim Bell)

[Adam Back]

James wrote:
> Adam Back wrote:
>  > Hal says:
>  > >
>  > > http://www.finney.org/~hal/chcash1.html and
>  > > http://www.finney.org/~hal/chcash2.html
>  >
>  > Wow look at the dates on those files -- Oct 93, and we still no
>  > deployed ecash.  You'd think there would be a market there for porn
>  > sites alone with merchant repudiation rates, and lack of privacy in
>  > other payment systems.
> 
> The obvious starting market for good ecash is perverse 
> pornography.  Another good starting market is interactive sexual 
> performance over the internet.

Whatever the class of pornography it is that is popular on the
internet would indeed be a good starting market.  I'd consider this
class the "mainstream" pornography on the internet.  So I'm not sure
if you're referring to this or some more risky harder to find stuff
which people may arguably be willing to pay a higher premium for.  I'd
aim for the mainstream stuff due to volume.

> There have been many attempts at ecash, but I am not aware of any
> products involving useful, spendable, convenient, anonymous ecash
> targeted at that or similar markets.  The only really usable
> anonymous ecash was that of the Mark Twain bank, which crippled its
> cash to prevent it from being used by that market.

I presume the crippling you're talking about is the payee traceability
with collusion of payer and bank.

However I'm not sure I agree that the payee anonymity identification
feature killed it for this application.  For this particular
application there appear to be plenty of sites willing to serve the
content sans anonymity -- they're VISA, etc merchants no less.

I think the thing that killed MT / digicash for this application was
MT at the time was reported to be closing accounts related to
pornography -- they apparently didn't want the reputation for
providing payment mechanisms for the porn industry or something.

Plus of course:

- the need to download a client
- the small userbase making it an unattractive proposition for
  users
- the need to setup an account (in US funds) -- no accountless operation
- accounts were difficult to setup too
- the greedy fee structure
- differentiating between merchants and users

I'd have thought the thing to do was put an ecash client in Mozilla
and work on getting it into netscape.  Plus download plugins for
Internet Explorer.

So whoever develops enough clue, capability and interest in making
money to do this someday needs to think about making it work with
existing credit card sites.

Give back a one time credit card number for legacy sites which is
cryptographically unlinkable with the ecash spender.

In general try to make it interoperate with other payment systems.

Try to make it as painless and instant as possible to buy ecash.

All of this you'd think would be obvious.

Adam

Re: ecash, cut & choose and private credentials (Re: Jim Bell)

[James A. Donald]

 --
James A. Donald:
 > > There have been many attempts at ecash, but I am not aware of any
 > > products involving useful, spendable, convenient, anonymous ecash
 > > targeted at that or similar markets [immoral or illegal]. The
 > > only really usable anonymous ecash was that of the Mark Twain
 > > bank, which crippled its cash to prevent it from being used by
 > > that market.

At 01:14 AM 12/4/2000 -0500, Adam Back wrote:
 > I think the thing that killed MT / digicash for this application was
 > MT at the time was reported to be closing accounts related to
 > pornography -- they apparently didn't want the reputation for
 > providing payment mechanisms for the porn industry or something.

Payee traceability made it possible to close accounts related to 
pornography.   Ecash is not truly cash like if the issuer can prevent it 
from being used by tax evaders, child pornographers, money launderers and 
terrorists.

 > I'd have thought the thing to do was put an ecash client in Mozilla
 > and work on getting it into netscape.  Plus download plugins for
 > Internet Explorer.

Internet explorer already has the necessary hooks.  If we put the ecash 
wallet into an active X control then when the user navigates to a ecash 
page, the user will see the usual warning "Do you trust code signed by so 
and so".  If he clicks yes, the code will be downloaded to the client and 
installed behind the scenes, and he will never see that warning again, 
unless he encounters a page with an updated version of the ecash control.

 > So whoever develops enough clue, capability and interest in making
 > money to do this someday needs to think about making it work with
 > existing credit card sites.

The html code on the thumbnail page where one clicks on a porno link will 
need to be rewritten to support ecash.   If the porno page server is using 
IIS, the server will need an ISAPI extension to handle URL's containing 
ecash payments.   Apache has a similar extension mechanism, but I have 
never written an extension for an Apache server.

The page that has for-pay links does not need anything unusual about its 
server, or about the client's Internet explorer, but the server that serves 
links containing ecoins in their urls will need an extension, similar to 
extensions I have written before.

 > Try to make it as painless and instant as possible to buy ecash.

Unfortunately, if ecash is truly untraceable, you cannot give people their 
ecash until their payment clears, which means you cannot let them pay by 
credit card.  They would be able to pay by e-gold, Paypal, paper cheque or 
wire transfer.


 --digsig
  James A. Donald
  6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
  x0aQgxEwqS2LNXHW/WBr5lXjkd0JE6+AaYOr2dkP
  474TkCMxTMOHpLrXcZYopVPpq36AognlIJ/uEvK0D

Re: ecash, cut & choose and private credentials (Re: Jim Bell)

[James A. Donald]

 --
Adam Back wrote:
 > > > I think the thing that killed MT / digicash for this application
 > > > was MT at the time was reported to be closing accounts related
 > > > to pornography -- they apparently didn't want the reputation for
 > > > providing payment mechanisms for the porn industry or something.

James Donald replied:
 > > Payee traceability made it possible to close accounts related to
 > > pornography.   Ecash is not truly cash like if the issuer can
 > > prevent it from being used by tax evaders, child pornographers,
 > > money launderers and terrorists.

Anonymous wrote:
 > Payee traceability had nothing to do with it.  Every customer of
 > MTB, whether an end user or a merchant, had to fully identify
 > himself to the bank, including SSN and for merchants, type of
 > business, etc.  This is SOP for other payment systems like credit
 > cards.

Ecash is not supposed to be like credit cards.

Had the coins been cashlike, joe pornographer could have sold them under 
the table to the flying nun, who would then cash them in her very 
respectable account, and pay Joe pornographer under the table.

 > It was on this basis that MTB was able to screen their merchants. No
 > payee tracing was necessary.  A fully untraceable cash system would
 > have been equally amenable to merchant screening.  Any vendor has
 > the right to control whom it does business with, and MTB chose to
 > exercise its discretion in this way.

Payee traceability made it possible for the vendor to control who used his 
ecash.  With truly untraceable cash, the vendor can no more control who 
uses his coins than can an issuer of physical coins.

 --digsig
  James A. Donald
  6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
  1888xf3dGOa7E0/VKdf5i8BViiT/hrOp51IW5PzN
  4SxTFltcoKTQc4eFab8ZoF0byDe9qzXOqtQUqYWwc

Giving the Devil the Benefit of Law (was: RE: Jim Bell arrested documents online)

[Trei, Peter]

I really find AP depressing. I find the arguments that it would only
be used against 'those that needed killing' faulty, in that everyone
has a different list. There are a lot of folk who would put crypto
anarchists on their list (as well as, say, Major League Baseball
umpires :-).

"Law", and 'legal systems', when they operate correctly, do provide
a brake on unpredictable and arbitrary violence. There is no question
that they can be, and are, severely misused by the rich and powerful
to their own ends. But not all the time, and not in all cases. 

Reading this thread makes me remember on of my favorite dramatic
scenes:

>From "A Man for all Seasons" by Robert Bolt.

Sir Thomas More, a lawyer.
Alice: His wife.
Margaret: His daughter.
Roper: His son-in-law.

They are discussing a man whom they regard as suspicious:

Margaret: "Father, the man is bad."
More:  "There's no law against that."
Roper: "There is a law against it. God's law."
More: "Then God can arrest him."
Roper: "Sophistication upon sophistication!"
More: "No. Sheer simplicity. The law, Roper, the law. I know 
what's legal, but I don't always know what's right. And 
I'm sticking with what's legal.
Roper: "Then you set man's law against God's?"
More: "No. Far below. But let me draw your attention to a fact. 
I am not God. The currents and eddies of right and wrong, 
which you find such plain sailing, I can't navigate. I'm 
no voyager. But in the thickets of the law, there I am a
forester. I doubt if there's a man alive who could follow 
me there, thank God."
Alice: "While you talk, he is gone."
More: "And go he should, if he was the Devil himself, until he 
broke the law."
Roper: "So now you'd give the Devil the benefit of law!"
More: "Yes. What would you do? Cut a great road through the law 
to get to the Devil?"
Roper: "I'd cut down every law in England to do that!"
More: "Oh? And when the last law was down, and the Devil turned 
round on you -- where would you hide, Roper, the laws all 
being flat. This country's planted thick with laws from 
coast to coast -- man's laws, not God's -- and if you cut 
them down -- and you're just the man to do it -- do you 
really think you could stand upright in the winds that 
would blow then? Yes, I'd give the Devil benefit of the 
law, for my own safety's sake."

---

There are too many Ropers on this list.

Peter