Bitcoin Forum

I have posted a complete first-draft of how I would implement buyer-seller escrow if I had to do it right now in Armory.

https://gist.github.com/2305966

Luckily, I'm not doing it right now, and I think this could use some improvement & optimization.   I'll leave the bulk of the content on the gist page, but I have copied the "Things to ponder further..." section below:

• Someone had brought up the possibility that only the "loser" of the arbitration should pay, and the "winner" would get their risk deposit back. I'm not entirely sure I agree with this...
• If we can't use SIGHASH_ANYONECANPAY, then one party would have to supply the other party with an appropriate sized set of inputs and a change address, so that the other party can construct the entire transaction before signing. It may require an extra half-step, but also may not be too bad if this step is executed by software, anyway -- it's already producing a PubKeyB to send to Alice... it might as well also figure out an appropriate set of inputs and change address and forward that on. On the other hand, if the tx never executes, Bob just revealed some of his funds to Alice.
• Second-half tx fee could be included on the original amount: commit 28.01 BTC to the 2-of-3 to make sure you don't need extra inputs later just to pay it.
• Client software could integrate third-party services -- so the retrieval and verification steps for third-party, Charles, could be done in the software for you. This may be especially important, because if you do a lot of purchasing online, you may need to advance-register with the third party so that they know who to contact during arbitration...
  Message signing may become important here, especially for third-parties...
• In direct response to Gavin suggesting that "risk deposits" are awkward and confusing: I don't see a way without it. If Bob doesn't have a risk deposit, he has no incentive to complete the transaction after he receives the merchandise (besides being a good person). If Alice isn't required to put in a risk deposit -- she could have Bob create the 2-of-3 transaction (or 2-of-2!) with her address, and then she backs out and leaves the money stranded. Then Bob will have to pay Charles to help unlock the money. Or if it's a 2-of-2 -- it's just locked forever.
• This process is complicated, but half of it is under the hood. A lot of it can be automated with a "simple" set of options and a well-thought-out interface.
• I think the number one priority to optimize is simplicity/usability at the UI.  I don't mind complicating stuff under the hood a bit to make it easier on the user.  But I do require a solution that would work without relying on third-party services being available (I think the solution should work for 2-of-2 tx, as well, and let users eat the risk of small tx getting locked).

I prefer punish only the "loser"

Question: What about add an option to let users choose if only the "loser" is punished with the third party service fee or the two parts (seller and buyer)

Whatever overhead fees are incurred are on the buyer, who is asking for the service. I don't think it's possible to do escrow without a third party, at least not one which would be acceptable to both involved parties. The best you could do would be to store the deposited money to a "virtual address" on the blockchain so that your third party can't just steal the money (unless he's already in collaboration with the seller).

On the other hand, for a proxy-seller like bitmit it might make more sense to escrow the money to a proxy account so that the proxy service can collect their fees as well as guarantee their own buyers against seller abuse. Escrow can't work without at least one trusted third party anyway, which is why amazon is so successful, since customers know they can get their money back most of the time even with an unrated seller.

It's not so clear cut who pays for overhead fees.  If you consider credit cards, it's always been the seller.  If it's PayPal transfers, again it's the seller.  Why not here, too?

In the case of Bitcoin, the network can be the third party.  That's what the 2-of-2 version is:  both parties agree on the terms (that only further agreement from both parties will be accepted) and the network holds it until they're ready for disbursement.  Of course, even with good intentions, the death of one party or HDD failure could lead to un-recoverable funds -- which is why I wouldn't recommend it for any substantial value.  But if you're purchasing something for under $100, I think it's acceptable (and third-parties may not want to deal with small tx, anyway).

I highly recommend third-parties, but I think it should be possible not to use them.  And people who use silk-road would probably agree with me (though I am making no formal endorsement of silk road or drugs in general:  just an example of where executing transactions between untrusted parties may be desirable without a third party).

Plus, the benefit of using 2-of-3 is that there's a lower threshold of trust needed for the third-party -- there is no risk that they take the bitcoins and run.  They'd have to collude with the one of the parties to do that.  All that matters is that they are impartial to the two parties involved.

Gavin proposal has something like:  if Alice is lazy for 30 days, it's the same of ok/agree

Etotheipi: what about your proposal?

The problem is, I don't think Gavin's proposal works.  His proposal relies on transaction replacement, which is not enabled on the network, and he admitted that he made an erroneous assumption about the way locked transactions work.   Specifically, Alice can get Bob to put the 20 BTC into one of these transactions, and then Alice just disappears without doing anything -- then after 30 days she gets the money.  Gavin had assumed that Bob can replace the transaction, but I don't think it's feasible (at least not without setting up an explicit agreement with a miner, which is way beyond usable in this case).  EDIT: and even then, I think the locked tx technically goes into the blockchain, so it couldn't be pre-spent even with a miner's help -- it would be final.

However, if an alternative can be made to work with existing, enabled features of the network, I'm open to it.

The seller, who passes those fees onto the consumer either by higher S&H or by higher prices overall.


I don't see how that solves anything. If Alice wants to buy something from Bob for 10BTC, and Alice doesn't trust Bob to deliver and Bob doesn't trust Alice to pay, how does "the network" decide if Bob has delivered or not to know whether to sent the money to Alice or Bob? If Alice is "lazy", then Bob might have to wait until the contract n-locktime expires to get his money, which might be a long time. Worst case if the tx can't be finished without both parties signing it, then if Alice is lazy Bob might never get his money, and if Bob is crooked then Alice can't get her money back.


If you've figured out some magical way to do escrow without a trusted third party to settle disputes, I'd love to hear it, but it seems technically impossible to me. As I mentioned the best you're likely to do is to lock the money up on the blockchain so your third party doesn't need to be trusted to hold it, just to release it to the deserving party. That's really not much better than what's possible now, although it might streamline things a bit.

You're missing the point.  People buy stuff all the time, from other people they don't trust over the internet.  But for many transactions, they do it anyway, and just hope they don't get screwed.  This system makes it an order-of-magnitude safer to conduct these transactions.  No one gets any money (or gets their risk deposits back) until both parties agree.  Both parties have an incentive to complete the transaction smoothly and without issue.  It means that the seller can't send some super-shitty/incomplete product to the buyer knowing that he's already got the buyer's money.  The buyer doesn't have to send money to some random person on the internet hoping that he's going to ship some potentially-imaginary product.



You've missed a critical distinction here:  there's a difference between "escrow" and "third-party arbitration."  The escrow simply means that the money is held by a third-party that has no partiality towards either of the first two parties, and that there is an explicit agreement about the conditions under which the money will be released.  "Arbitration" means that the third party gets involved to solve a dispute, which may involve contacting both parties, and sorting out semi-truths to find out who the money should go to.  Typically, third-parties serve both roles.

In this case, the bitcoin network can be that third party escrow -- it is holding onto money for the two parties, and has instructions to release it only when there is a distribution agreement (spend tx) that is signed by both parties.  You're right, the network can't arbitrate it: but it can be trusted to be impartial and not steal the escrow fund.

In many cases, especially early in the multi-sig world, there may not be good third-party services that both parties agree on.  In that case, I'd prefer to use the network for escrow alone, than trust that some third-party the seller is recommending is truly impartial (super-common escrow fraud (https://www.escrow.com/support/faq/index.asp?sid=27&qid=136)).  

As I said before:
(1) I only recommened this for small transactions, in which case the third-party arbitration may be more expensive than the transaction itself.  In lots of standard transactions, it doesn't even make sense to have a third-party, does that mean that we shouldn't bother at all?
(2) When neither party gets the money, they will (usually) find a way to agreeably resolve their own dispute so that the money does get unlocked.

ACK: I was responding to a message from teste... but those disappeared...  here was my response to his now-missing message

You guys are missing the point of 2-of-3 transactions, which was the whole point of P2SH/BIP16:  there are X coins held up in a 2-of-3 transaction.  It means that in order for those coins to be used as input for a new transaction, that transaction must have the signatures of 2 of the 3 parties.  Any party can propose how to distribute the funds however the heck they want, but they can't make it happen unless they get one other party to sign it.  

Let me say that in another way:  No one party has any control over the money whatsoever.  

-- The third-party can't "run with the money," because it would require transferring 100% of that 2-of-3 output to their own address, and neither Alice nor Bob would ever sign that transaction.  
-- Alice could decide he deserves a refund, but he can't execute it without getting Bob's signature (when he agrees that there was a problem with the shipment and he needs to be refunded), or getting the third-party signature (after it arbitrates and decides that Alice deserves a refund).  
-- Alice and Bob are both understanding people and recognize they both f***ed up and they should split the money:  that works too!  They create a tx spending 28 BTC, and sending 14 BTC to each of them (and the third party wasn't even necessary).

In all cases: the Bitcoin network is acting as an escrow service -- and it's conditions are release are: "Wait for further instructions that are agreed upon by any two of these three people."  

BTW: I'm not proposing that this is the only way to escrow in the BTC network.  I would like to see some kind of time-locked tx that prevents laziness, and doesn't give one party too much power.  But I don't know how it can be done when tx-replacement isn't enabled on the network.

I think it is really important that the bitcoins involved in failed escrows not be destroyed, but EVENTUALLY make their way back into the economy.

So I'd really like to see network and client support for having both people pre-sign and hold on to a transaction with a far-in-the-future lockTime (maybe as a fee-only transaction).

Hi etothepi,

Thanks for the post, it's very clear to me now. I deleted my post because was not sane.

My fear with both buyer and seller pay charge fee is that this could estimulate a market where bad people linked in any way with
 malicious third party services could realize escrows with the only purpose to generate a dispute and profit with it.

Third party service:
 1- Decide in correct way who win. (So will have good reputation).
2- Refund the bad person.
3- Profit from the good person

Gavin, I totally agree with you if it were possible.  But so far I'm not seeing how.  The locktime/replacement stuff is promising, but it doesn't answer the question of how to deal with it now.  It would probably be a long time before we could test it enough and roll it out.  Which is why I don't feel bad that I don't understand it too well... I have time.

As far as I can tell, even locked transactions are final, it's just that the outputs can't be spent until the lock time.  This means that once any such transaction hits the network, one party will get the money in the future if they just disappear and do nothing else.  And because it's final and in the blockchain, there's nothing else you can do to divert it. Obviously, we want to avoid that situation.  But I'm not seeing many other ways with the tools we have (besides keeping third-parties in the loop)

Just an update:  I talked with Gavin yesterday and we determined the extent to which transactions are "replaceable", which is more than I expected.

There are two locktime/replacement features of a transaction that would be used if full-replacement was available:  tx-locktime and per-txin-sequence number.  While replacement is technically "disabled", there is some logic in there that still triggers if you have non-zero locktime, and non-maxxed-out sequence.  See the bytemap (https://bitcointalk.org/index.php?topic=29416.0) for where locktime and sequence numbers occur in a tx.

The final conclusion was this:  If you create a transaction with a locktime in the future and with a non-maxxed sequence number, that tx will not be allowed in the blockchain.  It will be allowed into the blockchain after the locktime though (if seq is maxxed out, it will pass IsFinal() and be included in the blockchain immediately, though you can't spend the outputs yet).

However, even without it being in the blockchain, it will propagate and stay in nodes' memory pools.  This means that even though the tx is not in the blockchain, if it is broadcast, nodes will hold onto it and reject conflicting tx.   Therefore: locked-tx replacement is possible, exactly once, if you contact a miner and have them delete the locked tx from their memory pool and then include a new [conflicting] tx in their next block.   

However, I'm not entirely convinced that this is "usable".  In most of the scenarios where I can see this being used, there's too much reliance on being able to contact a miner to replace a tx.  And I wonder if miners should [ethically] be agreeing to just replace arbitary tx for users on a whim. I'm sure there's some deceptive practices Bad People will find.

Gavin, where is your original proposal on multi-sig/escrow?  I want to look at it again now that I understand what's actually possible.

https://gist.github.com/830ca16758fb9ad496d7   : I created it as a 'private' gist because it is only half-baked.

RE: lockTime and the memory pool:

Note:  I'm using an "Alice pays Bob" scenario as described in the above gist:

If neither party is cheating, then the pre-signed DISPUTE  should NOT get broadcast until there really is a dispute. Instead, Alice and Bob's clients hold on to it.

So it is not in any miner's memory pools, and if there is no dispute nobody besides the two people involved in the transaction ever know about it.

Of course we have to assume that people WILL try to cheat, so the question becomes: what if Alice or Bob broadcasts DISPUTE prematurely?  Would anything bad happen?

I believe the answer is no, assuming Bob waits for transactions to be confirmed.  If DISPUTE is in "everybody's" memory pool, then any other transaction involving the escrowed funds will just be ignored. Even if Bob's client didn't see the DISPUTE broadcast (maybe he was offline) but later saw the SUCCESS transaction broadcast from Alice, SUCCESS would never be confirmed.

On the other hand, if not "everybody" has the DISPUTE transaction in their memory pool and Alice broadcasts SUCCESS, then it will likely be picked up by a miner and confirmed.  Once it is in a block, the conflicting DISPUTE transaction gets dropped from everybody's memory pool as a failed double-spend.  Given the churn in the nodes connected to the network, I expect this would actually be the most common case.

If Bob's client does see DISPUTE broadcast, it should probably let Bob know that Alice is unhappy and has disputed the transaction.

DISPUTE (which will be given a non-final sequence number) cannot get into a block until after lockTime.

---

All of the above is based on my best understanding of how the Satoshi code works right now; prototyping and experimenting on the testnet would be a good next step to make sure it actually behaves the way I think.

I have a idea of how arbiritation can be done: With secure votes.
I have put a idea of a forum, but it didnt got any replies. Instead of writing the text again, Ill post a link to the thread:
https://bitcointalk.org/index.php?topic=4856.0

Basically, all opted-in members in the bitcoin network votes on how the transaction should end up, and all members are rewarded for voting correctly which means theres incentive for really verifying the details of the transaction and make sure arbitirating are done correctly.

Gavin,

I have nothing new to add except that I switched Alice and Bob on the gist I posted.  So now it should be consistent with your gist.  I'll continue pondering the replacement idea... I think it's acceptable, but we also need some way for a user to be able to submit a replacement tx without hiring a geek to help.  Getting help could cost more than the tx itself, and then Bob would just broadcast the LAZY_ALICE tx right away and get the money after 30 days knowing it's not worth it for Alice to try to figure it out.

Even if it's just another service that can be directly integrated or linked into the UI so the user has something to click to explore that option.  Presumably some big miners could setup some kind of service for this purpose, but I hate bringing even more third-parties into the equation. 

Plus, I'm not 100% fond of the idea that miners should be easily bribed to replace their memory-pool tx with different ones...


Sebastian,

I don't totally understand your proposal, but I don't see how or why the Bitcoin network, 99.9% of whom have nothing to do with this private transaction, should have any say in this.  I  *don't want* the network getting involved in my private affairs.

If you read the thread, you will find that "secure transactions" are entirely optional, you can in other words select if you want to send a "normal" transaction or if you want to send a "secure transaction".
Because disputes of secure transactions disturb the network very much (by nagging all users that have selected to partipicate in voting with a popup or a message or what your client do), they will be very expensive, with a tx fee of 10BTC or something like that.

Basically, you send a transaction, AND in this transaction a message is written:
Examples:
" Nokia 3310 + shipping to blabla blablasson North Street 10A XXXX XX New York "
" 50$ on paypal acct blabla-paypal@hotmail.com "
" Custom homepage project with a green template, upload to FTP on www.yourhomepage.com "

Then, the receiver needs to approve the secure transaction (or he can refund it), with a response:
" Here is your 3310 on way: http://www.large-freight-company.com/tracking.php?track=US395359235628974 "
" Here is your paypal money. Did a print screen: http://www.image-host.com/paypal_print_screen.jpg "
" Here is your custom home page: http://www.yourhomepage.com "

THEN the sender of money now either approves transaction OR he "dispute" the transaction

If the sender now dispute the transaction, ONLY those that have selected in their bitcoin client to partipicate in arbitirating of disputed secure transaction, will get a popup in the bitcoin client:

https://i.imgur.com/FFot2.jpg

You can then look at the evidence the receiver posted - in this case a screenshot of a sent paypal transaction, and then select to:
Defer the vote - which means you will not partipicate in this particular vote and not send out any votes.
Vote in favor to the sender - Your bitcoin client will compute "sender" vote and send out with PoW.
Vote in favor to the receiver - Your bitcoin client will compute "receiver" votes and send out with PoW.

And the outcome of the majority (where more CPU power = more votes) will decide which adress the money will go into.

Hi sebastian,

Incredible I had this same idea, but I think the the way to decide where the bitcoins go should be something like:

1- People will have an option to select in their bitcoin client to partipicate in arbitirating of disputed secure transaction
2- Bitcoin client will choose in randomly order 11 ONLINE clients that market to participate in arbitirating...
3-  6 or + votes decide if bitcoins go to alice or bob.
4- The 5 ones that voted against will pay a fee.
5- The 6 majoritarians will receive the bitcoins of risk deposit mentioned on etotheipi idea.

Make sense?

I'm sorry guys:  it is not acceptable to have to share my personal information and transaction details with the entire Bitcoin network, or any subset thereof, just to have my transactions arbitrated.  If I'm going to pay anyway, I expect a privacy agreement and someone who will exercise due diligence in arbitration -- which may involve contacting both parties and collecting documentation.  I just don't think a random-user voting scheme is part of this solution.

There may be a place for it, but it's not a general solution to the problem we face here.  

Well, if DISPUTE is a fee-only transaction then miners have a VERY strong incentive to drop LAZY_ALICE and mine DISPUTE instead. I don't think we'd have trouble asking miners to support a code change that is something like:


etotheipi, I've been thinking about your comment "I don't like the asymmetry" ...
LAZY_ALICE and DISPUTE are, I think, symmetric-- Alice holds DISPUTE in case Bob doesn't hold up his end of the bargain, Bob holds LAZY_ALICE in case she doesn't.  I proposed that DISPUTE have an earlier lockTime than LAZY_ALICE, but maybe that's not necessary.

If Alice really doesn't trust Bob, then I think the whole scheme also works if Bob puts a "good faith security deposit" of bitcoins into the mix.

---

The complexity of all this (5 possible transactions, different states the escrow can be in, initial communication to initiate the escrow) makes me nervous. Even just figuring out how Alice and Bob's clients talk to each to setup the escrow isn't obvious.

I'm less concerned about miners not agreeing to it, than the complexity of making sure the arbitrary user has access to a miner that will do it for them.  Maybe it could just be a rule that most miners will adopt, but something doesn't sit right with me about most miners accepting conflicting zero-conf tx just by including a bigger fee.  Maybe zero-conf tx have very little value right now, but they'll have even less once anyone can start canceling their outgoing [zero-conf] tx on a whim...



The asymmetry is that Alice is the only one with anything at risk.  Maybe Bob is just bored and wants to laugh about people losing money, so he starts advertising stuff he doesn't actually have.  When the person commits money, he delays a bit, then broadcasts LAZY_ALICE.  Worst case (for Bob), he doesn't get anything and gets his laugh.  Best-case, Alice can't figure out how to DISPUTE, and Bob actually gets some money!  Sweet game! 

I mean, people could do this now, though it would catch up to them eventually.  With Bitcoin, it's a lot easier to hide your identity, so there's almost no risk for Bob to do this. 

And so I'm coming around to your point about complexity and awkwardness of something like a Bob-deposit.  I agree, the further we deviate from what people are already used to, the stranger and more-confusing it will be.  At the very least, if we were to do something like risk-deposits, bitcoin.org could have an education section so users have some trusted place to go when they say "wait? I have to put in money as the seller?  sounds like a scam!"



Yeah... I don't think anything is going to be easy about it, besides minimize the number of exchanges between parties.  Right now, I want to get anything that works, and let the knowledgeable users get their hands on it, play with it, break it, and figure out how it can be improved.   As you said, it'll be easier to know what people like when we see if they use it.

Alice and Bob sign a contract, Bob is to ship good X, Alice is to provide money. Bob holds 'Lazy_Alice', and Alice holds 'Dispute'. Bob ships the item and forwards the tracking number to Alice. Alice uses 'Dispute' to get most of her money back. What does Bob do?

I think you're wrong about Alice being the one taking all the risk. The symmetry lies in the fact that neither party is really getting any lower risk by such a deal, unless there's an asymmetry between 'Dispute' and 'Lazy_Alice' which would dump all the risk on one party or the other.

Trying to manage dispute resolution between two mutually untrusting parties without a third party is impossible. In the 2-of-3 case, as long as Alice and Bob are really both honest, they can sign for each other and finish the transaction. In the case that either Alice or Bob are dishonest, they cannot agree without arbitration (the money ends up in limbo). Given that the contract is only used where at least one party assumes the other may be dishonest, a 2-of-3 is absolutely required to resolve things if that does turn out to be the case.

That's why Gavin suggests that DISPUTE is actually a send-100%-to-tx-fee.  Then no one gets the money, but it does get recycled.   And that's why I recommended deposits, so that both parties have a mutual incentive not to do shady stuff.  If it costs them money to be a dick, there will be a lot less dickery.


The part that you're missing is that the Bitcoin network is offering a dramatic improvement over something that happens all the time -- people trust completely random strangers over the internet, endlessly.   And for those people, one party has to assume all the risk: Alice sends money first, or Bob sends merchandise first.  

But now the Bitcoin network can act as very dumb-but-strict escrow and split some of the risk between the two parties that choose to trust each other anyway.  Perhaps because they wish to preserve their own privacy, or simply don't feel like registering with a third-party.   I agree that for "full 100% guarantee" you need a third-party. But that doesn't mean that there is 0% value in using the scripting capabilities of the network to improve the non-third-party case.

---

Gavin,

I still think a risk deposit is necessary here.  Even if DISPUTE goes to the miners, Alice may just be bitter that her new merchandise is crappy quality and issue DISPUTE to spite Bob.  She doesn't get any money back either way, so what does it matter to her whether Bob gets it or the miners get it?

By the way, another problem with it:  if Alice has a lot of mining power, it's very +EV for her to pull the DISPUTE trigger, since she's would get something back instead of nothing.

I see, so it's like a mutually-assured-destruction. If Bob's deposit is 100% of Alice's payment, that could work.


Usually with the backstop of bank chargebacks or some company such as ebay or amazon resolving disputes. Also, seller ratings? Even if it's anonymous, you can usually still know something which will indicate whether the seller is honest or not, or else decide whether a purchase is too much money to chance or not, or what your chances are getting a chargeback via paypal or whatnot should they defect.


Except maybe that. That's the problem with trying to do business by mutually assured destruction :P.

I don't think Alice being a miner is a serious consideration, though. In order to get all of her money back, she would need to own a serious chunk of the total hashpower and be able to find a block herself (with her dispute included without being transmitted) before nLocktime ran out. In order to get most of it back, she'd have to at least own a serious chunk of a pool, and hope that her pool mines the block with her 'Dispute' call in it. She's much more likely to burn the contract just to be a dick.

You're right -- these days, sellers have incentive not to do shady stuff because they have a reputation, and likely have some degree of legal accountability because someone (usually the third-party) knows their identity.  Most of that is because sending money over the internet has always required a third-party.  It just so happens that in this case the third-party can arbitrate.

But Bitcoin is different -- the third party to hold the money is no longer necessary (or rather, it's the Bitcoin network).  So if you can find a way to eliminate the chance of needing arbitration, then why bother paying a third-party at all?  That is the Bitcoin way.  Of course, you won't eliminate it entirely, but I bet there's a way to reduce it enough for the MAD option to be like real MAD:  no one really ever uses it, but the threat that a party could use it is enough to keep people playing fairly.  

I think some combination of things Gavin and I are discussing add a lot of value for knowledgeable users, even if it's awkward and different.  For users that can't grok it, they can always just do it through the third-party, as usual.  

---

Gavin,

I just realized one complication -- the 2-of-2 tx (or 2-of-3) has to be created and fully signed before any of the spending tx can be created -- because they need the tx-hash for the 2-of-2 txout, which won't be available until all signatures are collected. That means I see a minimum of 4 "hops" for tx data:

(1) Alice contacts Bob saying "I'll buy this, here's some public keys"
(2) Bob creates the 2-of-2 tx (with SIGHASH_ANYONECANPAY), signs it and sends to Alice  (Bob can't create any spending tx until he gets Alice's sig)
(3) Alice signs the 2-of-2 and doesn't broadcast -- Creates and signs REFUND && LAZY_ALICE, sends to Bob
(4) Bob stashes REFUND and LAZY_ALICE, creates and signs DISPUTE/MAD and SUCCESS, sends to Alice

That's a lot of hops.  The nice thing is, Alice (who has the most money at stake) can hold onto the 2-of-2 and not broadcast it until she gets DISPUTE and SUCCESS signed from Bob.  That gives her a way to avoid locking her money until she at least has the power to MAD the money.

Sounds like there has to either be a third-party server to post data for each other to exchange, or direct-connect.  I don't like either idea.  It's a shame we finally have a way to send money conveniently, but no easy way to exchange all the data for this.  All solutions so far seem to be 80% solutions...

Etotipi (just cant spell your name):
>>to have to share my personal information and transaction details with the entire Bitcoin network, or any subset thereof, just to have my transactions arbitrated.

Its required to share personal information and/or transaction details if you want to have your transaction arbitrated. Its same everywhere, if you pay in cash IRL and you want to have the deal arbitrated you will have to provide personal/transaction details and sign a contract and much more. Same with a third party arbitration service, you will have to provide them with your personal details and transaction details.

>>which may involve contacting both parties and collecting documentation.

Not required. The goal of the voting arbitration scheme is that buyer and seller SHOULD provide documentation before executing the deal, and if the seller's information is incorrect, (for example if the buyer and seller agreed on 25BTC for 50$ on paypal and instead sends 10BTC and writes "want 50$ on paypal for this") seller should REFUSE transaction and let it go back to sender.




Its same IRL too. You can either pay in cash, but then if you are scammed, the cash is lost. Cash is also anonymous.
Or you can pay in bank card, and then if you are scammed, then transaction can be chargebacked by the bank, but card is nonanonymous.


Since "the bank" in bitcoin is all nodes collectively, I think a voting scheme is best here. In this way all nodes collectively decide if the transaction should be chargebacked or not. Then you really get a decentralized "bank" which can do escrow, arbitration and control the money flow.

Yes, if Bob puts in a deposit it adds a step internally.

I think for this to have a reasonable user-interface Alice and Bob's bitcoin clients will need to communicate in real time.

My inclination is to add JSON-RPC methods to bitcoin-qt/bitcoind to support this, and not build it into bitcoin-qt's GUI (or at least not right away). I'm imagining Armory or little "let's make a deal" 2-party-escrow-apps that... Do The Right Thing.

Random UI thoughts:

Alice could be asked "How much do you trust Bob?"  and "How much do you think Bob trusts you?"  If an answer is "not at all" then propose an escrow that requires a substantial deposit.  If the answer is "a lot" then maybe no deposit is required. It'd be way spiffy cool if it was automagically tied into the #bitcoin-otc web of trust sytem...

(... more random thoughts: would IRC as the communication mechanism under the covers be a good or bad idea?  might be a convenient way to prototype...)

I'm imagining Bob gets the details of the proposed escrow and can either agree or disagree (maybe with a message to let Alice know what he WOULD agree to).

As for Bob's deposit adding a step:  I guess Bob-zero-deposit could remove a step if Bob posts his public key as part of his advertisement.  But Alice has to send Bob a message and receive confirmation from Bob that he's still selling the item, anyway.  Even if she expects 0 deposit from Bob, she doesn't want to dump her money into a 2-of-2 or 2-of-3 until she's sure that Bob hasn't already sold the item.

But arguably, if this all has to get dumped into a bunch of opaque binary transfers between clients.  At that point, I guess it doesn't really matter.  3 vs 4 is immaterial (right?). Unfortunately, networking is not my forte.  There's a reason I rewrote everything in Armory except for the networking (and of course, because it's big and scary).  I will have to defer the creation of the protocol to others, and then follow the implementation in Armory.  (like verifying a mathematical proof instead of proving it myself)

So, I think we're in agreement that the clients will have to communicate in some fashion.  How difficult will it be to setup the communication?  Will it require extra steps, such as one person sending the other their IP address?  Or an IRC name?    Then it sounds like the method we define in this thread will not be so sensitive to the number of "hops" unless each hop requires confirmation from the user.  But I think the client can be made to have the user click once what their preferences are, and then the client apply all operations in sequence as long as each step completes/verifies successfully.  If Bob doesn't sign the DISPUTE/MAD tx, the client will not broadcast the multi-sig, etc.    However, that comes with the risk that the client handshakes and processing sequence have a vuln in them...

So there's still questions about whether deposits are necessary (sound like yes, but may be 0% in some cases) and whether there is a LAZY_ALICE tx (sounds like yes, but need to have a dumb-user-capable way for Alice to MAD the money after Bob prematurely broadcasts it).

Is it possible the parties to an escrow could elect which party pays the fee? Or split it.

etotheipi,

what is the state of that project?

I know that this topic is a bit out of date, but just in case you are still interested in a P2P Fiat-BTC exchange, I wanted to post an update of our project and announcement for our crowd funding campaign which will end in a few days (on February 9th).

Bitsquare released an alpha version in December and it can be tested at our regular testing sessions with other traders (testnet).
Today 17:00 CET we have such a session. Feel free to join us on our IRC channel #bitsquare-trading on Freenode.
Further information can be found here:
https://github.com/bitsquare/bitsquare/wiki/Bitsquare-WAN-Parties

Regarding the crowd funding campaign:
We are using Lighthouse as decentralized crowd funding solution to iteratively fund the development of every milestone, leading to a fully functional version 1.0.
The funding goal is 120 BTC for the next milestone and the campaign ends in a few days on February 9th. 
Please visit our web page for more details:
https://bitsquare.io/crowdfunding

If you like to support that project please help us to spread the word.

Best regards,
Manfred

I wish to have both with/without 3rd party escrow in all of the services.