[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [circle] p2p auctions

From: Paul Campbell
Subject: Re: [circle] p2p auctions
Date: Mon, 26 Apr 2004 14:29:43 -0700
User-agent: Mutt/1.5.6i

On Mon, Apr 26, 2004 at 10:54:43AM +0200, thomasV wrote:
> address@hidden wrote:
> One issue is that buyers typically buy only
> one or two items from a given seller, while
> each buyer interacts with lots of different sellers.
> So the question is, where do we store the
> feedback comments concerning one seller,
> given that this feedback comes from many
> different buyers?
> - we cannot store these comments on the
> seller's client because we cannot trust him.

Not necessarily true. If you make the comment immutable such that the
seller can neither alter the comments nor delete them (without deleting
all comments, which quickly erodes reputation, until the seller has no
reputation at all), it doesn't matter if the seller stores them or not.

One-way accumulators solve the "do not delete" issue (you can tell right
away if comments are missing). Alterations are stopped by having the buyer
sign them with a public key. Then only the public keys have to be maintained
in the cache, assuming that the size of public key storage is much smaller
than comment storage.

> - it would make sense to store them on the
> buyers clients, but that is complicated, because:
> 1. it creates some traffic.
> 2. it assumes that the clients are online and
> publish their comments at the time you want
> to read them. this is unlikely...
> - maybe a solution would be to publish these
> comments in the cache of circle, so that they
> remain available after the person who wrote
> them goes offline. But even in that case, it
> remains easy to write fake comments...
> in ebay, fake comments are much less of a problem,
> because in order to write yourself a fake comment
> you need to create an identity, perform a transaction,
> and pay the ebay fee for that transaction.
> therefore comments have a cost.
> so, maybe we need a central authority that does this job...

Not really. The problem is positively identifying an individual. You can do
this actually fairly easily and automatically, and the idea of a web of trust
is exactly how to do it. The trust links all have to point to public keys,
which are stored on the circle cache. Then you can positively identify when
a user actually published something if it is marked with a cryptographic

Any user with basically no trust links and no other activity is blatantly
a fake. It is still possible that someone could start out by creating numerous
aliases, and send various minor transactions between those same aliases, and
then eventually lead them up to building a web of trust that has no outside
branches (making the fake identity(s) look very good), and then repeatedly
screw numerous people before being caught. But this exact same behavior
actually happens now on eBay so it would be no better.

Crypto-signatures are actually quite easy. First, hash a document. Then
"decrypt" the hash with your private key. The resulting almost meaningless
string of bits is the signature. Then any user that has access to a user's
public key can verify that the user signed it by attempting to "encrypt" the 
signature. It should return the same hash as the document.

Circle already has public keys so it's a simple matter to go to the next step
of creating signatures.

Also, there are a variety of other specialized signature schemes. For instance,
you can have various versions of proxies. So you can for instance have someone
else sign for you. Where this is useful is if someone in circle offers an
escrow service similar to PayPal (which used to be a seperate entity before
eBay bought them), then the seller or buyer can release rights to the escrow
service to send a "I have the money" or "I have the goods" message to the
appropriate buyer/seller with the appropriate key (which prevents the escrow
service from faking anything).

So basically, it should be possible with the web of trust idea to look at not
only the sellers but the buyers (and the commentary on both) with a graphical
"web of trust" view that you can visualize. Depending on how it is done, it
should be possible to visually tell how trustworthy a buyer/seller is. And
to demand an escrow (PayPal example) if necessary (either to verify that the
goods exist, or that the payment exists).

reply via email to

[Prev in Thread] Current Thread [Next in Thread]