From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 49d33d4166f5d4d5b1d8e03c88526a373282b606f923de09fde8e725025443b1
Message ID: <199408252046.NAA11580@jobe.shell.portal.com>
Reply To: <9408251759.AA23689@ua.MIT.EDU>
UTC Datetime: 1994-08-25 20:47:10 UTC
Raw Date: Thu, 25 Aug 94 13:47:10 PDT
From: Hal <hfinney@shell.portal.com>
Date: Thu, 25 Aug 94 13:47:10 PDT
To: cypherpunks@toad.com
Subject: Re: Is pay-per authentication possible absent trust?
In-Reply-To: <9408251759.AA23689@ua.MIT.EDU>
Message-ID: <199408252046.NAA11580@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain
Jason W Solinsky <solman@MIT.EDU> writes, quoting me:
>> One thing I don't follow here is under what circumstances a "challenge"
>> will occur. Presumably Microsquish will not blindly accept all of
>> Ingve's assurances since they are backed only by promises. Can
>> Microsquish force Ingve to go to his clients and make them produce
>> certificates? Who pays for that? Maybe if you factor in that cost it
>> won't look so bad for Charles.
>First, just let me note that there are a thousand ways to structure it.
>In my example, Microsquish gets to hold a challenge whenever they want
>to. If everybody is being honest Microsquish will lose eight nano-slinkys
>each time they challenge so they won't do it frequently. If everybody
>is not being honest, Microsquish will collect substantial damages.
One thing I'd add is that Charles still makes money whenever there is a
challenge. If there were no challenges then there would be nothing to
keep people honest. So it's not a matter of eliminating pay per use of
certifications, it's just a matter of the frequency with which they are
used vs other kinds.
Also, as the challenges become less frequent, Charles can actually raise
his rates and still let everyone else make money. He can even charge
more than the 10 that Micro is paying for challenges, which he could
probably not have done in the non-probabilistic (pre-Ingve) system. It
sounds like Micro is paying the challenge fees (in at least one version)
and if the penalties against cheaters are great enough it won't challenge
very frequently, in which case a larger fee by Charles can be absorbed.
>Lets just say that Charles isn't geting as much as he would like. Pay per
>use is good for the consumer... note the resentment that high software
>prices have created. Although everybody wins by adopting a system that
>better approximates reality, ala superdistribution (but we are dealing with
>authentication here, not information and after thinking about it alot I have
>decided that authentication is NOT necessarily a form of information in that
>you can easily demonstrate to somebody that you have been authenticated
>without giving them the ability to prove it to somebody else [again lets not
>get into a terminology debate, my point is that the intangible asset here
>has a different set of properties from the kind we usually deal with in
>information economy scenarios]), the consumer with his smaller buying power
>wins the most.
Another approach, BTW, is the "undeniable" signature, which allows an
authorization which can only be checked with the cooperation of the
issuer. (One of the ones Chaum came up with was described in a posting I
made last weekend.) But again, the same "problem" arises where people
could check only a fraction of signatures with voluntary penalty clauses.
There is also the reseller who checks a signature interactively, paying
Charles' fee, then sells his own certifications that you have a valid
Charles certification, only these are use-many. The thing is, the amount
of information being provided in a certification like this is so small
(in effect, one bit) that the "information copying" problem hits pretty
hard! If you can't stop people from copying a 1 MB game you're going to
have a tough time keeping that single bit corralled.
>Now that I think about it, its possible that I'm in error approaching this
>problem from a cryptographic standpoint. Maybe the correct course of action
>is to establish a cybergovernment which prohibits "Ingve the insurance
>salesman" attacks and then set up the fine structure such that the
>conspirators will have an enormous incentive to turn each other in.
These tend to be non-local solutions, with a lot of overhead and extra
mechanisms. Maybe you can make it work with your "government" but I'm
afraid you may come to lean on it as the solution to all of your
problems. Why bother with cryptography for anything; just have a
"government" where everybody has posted a ruinous bond which they forfeit
if they break a "law", then legislate communications privacy, non-
duplication of electronic cash, bit commitments, etc., with heavy
incentives for people to report cheaters?
>BTW, perhaps there is an easier solution: only permit Cherles's
>certifications to exist in an environment that he controls. Smart
>cards and remote computers can easily do this, although remote
>computers are undesirable due to their communications overhead.
Again, though, people could just swear they've seen a Charles certificate
and these witnesses will undercut Charles.
As I said, I think there will still be a place for per-use
certifications, but the market will decide how much they are used vs
other kinds. I don't think you should worry so much about trying to fine
tune the system so this one technology wins. There are a lot of
possibilities that people may come up with.
Hal
Return to August 1994
Return to “Jason W Solinsky <solman@MIT.EDU>”