From: eric@remailer.net (Eric Hughes)
Date: Thu, 15 Dec 94 13:37:12 PST
To: www-buyinfo@allegra.att.com
Subject: Re: properties of FV
In-Reply-To: <giw_XSP0Eyt5RL_b0K@nsb.fv.com>
Message-ID: <199412152234.OAA07282@largo.remailer.net>
MIME-Version: 1.0
Content-Type: text/plain


[re: making a receivables system for small value]

   Assuming that thing that you're "cobbling together" is based on a
   reasonably robust database engine, it should scale a long, long way. 

It's not the technology but the number of different kinds of
exceptions to track that cause it not to scale.  You don't need to
solve those problems right away, though.

   > Partial security is better than no security.

   That's a *very* interesting statement.  I'm not at all sure what it
   means, so I'm not sure if I believe it or not.  Sometimes partial
   security is worse than no security because it gives people a false
   *sense* of security.  

It's like this.  If there are two ways to break into my house, bashing
in the front door and climbing through second story windows, it's
better to have a strong front door and no bars on the upper windows
than to have no strength in the front door and still no bars.

Regardless of the security, users need to understand what it gives
them.  This is orthogonal to the choice of security, as well as to the
persistence of thick-headedness in society.


   > In particular, if a digital signature does not, by agreement, carry an
   > implied warrantee of identity, then there's no problem at all.  

I sense that I this wording was less than fully explanatory.

What this means using FV as an example, say, is that FV will not claim
that a signed message actually originated from someone.  A signature
would be _advisory only_, and carry no legal weight as a signature or
a proof of identity.  You can still require signatures, because this
does improve security.

Suppose that a customer disavows a signed transaction, saying "Someone
must have hacked my account".  What you could _not_ do in this example
is then to claim that "Well, it must be your account; it has your
signature on it", because _by agreement_ the customer is not making
any implicit claims about who actually holds the private key.  In
fact, the disclaimer of a warrantee of identity makes _explicit_
the fact that the private key is not relied upon to be held secretly.

This is partial security.  It is not all that can be accomplished with
crypto; it is only a part.  The partial security, however, still has
value.

   > Use
   > the crypto entirely for transit security.  If someone hacks your
   > machine and grabs your passphrase and forges a transaction, at least
   > the intruder has to grab your passphrase.

   This is exactly the way we would expect to use crypto layered on top of
   First Virtual's protocols, if and when such cryptographic protocols are
   deployed widely enough to have penetrated af meaningful portion of our
   market.

"If and When" is Yes and Today.  Anybody who can autosign their
outgoing mail can participate in this kind of transaction already.
Assuming the above agreement is made with respect to private keys,
there is _no_ risk to the customer about loss of secret keys, and no
greater risk to the merchant than what currently obtains.

The dreams of utopia in cryptography are beginning to hold back
deployment as much as architectural problems.

Eric