FTFY. It is more concise that way.

Joel. I'd be fine with this if it was always transparent who made a mistake. However, courts cannot figure this out in most cases. Thus you make simple, predictable rules that assign responsibility independent of who is at fault. That is what civil law should be about (I think).

In other cases, courts can figure out who made a mistake. Then the court can assign blame. That is what criminal law should be about (I think).

In clear-cut cases you assign blame, in vague cases you default to simple, predicatable rules.

The simple predictable rule here is that the debtor is always responsible for his debt (at least before bankruptcy law)

I think you need to consider this 'feature' more carefully before raising a bounty. It may be a serious 'bug' if implemented poorly.

Giving away a copy of the stake signing key has no risk for the user whatsoever, but the signing keys are valuable to an attacker. Therefore, an attacker could purchase up all the signing keys really
cheap and attack the network. The attack could not be stopped. (attacker could refuse to allow anyone to include txns that revoke the sign key). This must be avoided. Offline stake creation also seems like a bad idea for similar reasons.

Stake signing should not be a risk-free process. Risk-free private keys should not exist.

A better solution is to make two keys: one high-functionality high-risk key, one low-functionality low-risk key.

a) The high risk key can do anything. The high risk key can also move all the coins at once, invalidating the low risk key.

b) The low risk private key can spend 0.01% of its balance per block. Enforce this as follows. Every txn signed by the low risk key must send at least 10000 satoshis to its own public key address for every 1 satoshi sent to another address or used as a txn fee. [this is a block validity rule; txns that don't obey this cannot be included in blocks] This key can then be depleted at a maximum rate of about 1.5% per day.The low risk key can also provide proof-of-stake.  You can expose this key to the network at low risk. You might share it with a well-trusted party. You wouldn't share this key with an anonymous individual however.  

Each wallet should list two types of balances: Spending and saving

1) Savings wallets are unencytped. Savings wallets have low risk private keys online and unencrypted and high risk private keys in cold storage. Savings wallets try to provide PoS.

2) Spending wallets are optionally encrypted. They should have both the low risk private key and the high risk private key online. These wallets cannot provide PoS if they are encrypted.

Users can shift coins back and forth as needed. This is a good improvement for three reasons.

1) It makes stake provision safer

2) It makes the currency safer to use in general (i.e. now it would be like you can call the credit company and report your private key stolen. Think how many unlucky bitcoin users have wanted to do this at some point.)

3) Convenience is maintained because the spending wallet still provides the traditional functionality.

The creditor generally wants transparency. The borrower wants secrecy. However, accepting the transparent market as a borrower should allow you to borrow at lower interest rates. Obviously people can go out and get 'secret' loans in the real world, but just closing off secret markets in BTC loans should help to lower interest rates.

Not cute at all. 

Fine, then give the people who lend to scammers a "Lend to Scammer" tag. I agree, this would be informative.

I don't think that the 'we both made a mistake' idea is helpful here. Obviously they both made a mistake.
When, I lend to someone and 'we both made a mistake', it is the debtor's responsibility to take the hit for the creditor.
If I make an equity investment and 'we both made a mistake', then the investor takes the hit.

Is there some evidence that Patrick has declared bankruptcy / liquidated his possessions? Do you feel that he shouldn't have to because incurring the debt was a 'mistake'?

If so, I have some 'mistaken' student loan debt to clear. Is there a court of JoelKatz available somewhere?

Confirmed. Payment. 1.168 BTC. Thanks!

When you are ready with a fully-functional, attractive site. I have a marketing scheme idea for you.

1) Partner with TangibleCryptography, Bitinstant or another one of these cash deposit direct to bitcoin outlets.
2) Ask them to issue a coupon code for your store (say $100 off $1000). Coupons go to people who purchase $1000 worth of btc from them and who are first-time customers (I assume they do KYC to check this).
3) Eliminate coupon code sharing by requiring that the bitcoins used to make the purchase match the bitcoins purchased from the cash to bitcoin outlet
4) Identify a few popular items that you can offer competitive prices for.
5) Post the item and detailed bitcoin purchase, download, and coupon acquisition instructions on "slickdeals.net" Also post a price comparison vs. Amazon, newegg, etc.

Expect to lose some money off this. The goal is to get name recognition for the bitcoinstore + bitcoin acquisition methods in a very widely used deal forum.  
Ideally you can get the absolute cheapskates who populate slickdeals.net to regularly scan your site for new offers and post about them autonomously.

Presumably the name recognition will help your partner as well.

[I don't think you should do this until the site has been substantially upgraded. It looks a bit like a low-price scam site right now. (I mean that in the nicest possible way.)
Scam sites often involve purchasing hardware from foreign companies. These companies also ask for wire transfer, etc. less reversible methods of payment than credit cards.
Thus you have to improve your image]

Scammer tags are issued in the public interest. Blame is irrelevant.

Borrower in default gets scammer tag -> signal "this person is in default don't lend to this person"
Creditor gets scammer tag -> signal "meaning "

Obviously the latter signal is useless. Therefore, scammer tags are only assigned to borrowers in default.

Regardless of whether Patrick is a good guy or whatever, there may still be idiots who would agree to lend him more funds.
The scammer tag is intended to protect these idiots from their own stupidity.

Because you can sell the marketplace to someone else and the untarnished reputation will be worth more than all the loot. If the FEDS come, however, then take the loot and run.

Sure, businesses may not want transparency because they benefit from keeping secrets. However, this doesn't mean that the world wouldn't be better off if their secrets were revealed to the public.
This is particularly true in credit markets. More transparency -> More stability.

You are using the wrong analogy. It is more like WoW, where people who come in late can buy a full suit of armor, weapons, and get leveled up by someone in China.

You can't claim interest until you win the lottery. But you get to claim more interest if win the lottery later. The purpose of this is to provide an incentive to sign only the most plausible winning chain.

You can think of it like this. 1) You always have some potential interest reward in the chain. 2) You are trying to claim this interest reward by signing. 3) When you sign it is a speculative bet on which chain other people will sign. 4) If you bet on a chain that is unlikely to win, but this chain wins anyway, then you only get a portion of your interest reward and forfeit the rest. 5) If you wait to sign until later when your number comes up in a chain that is likely to win, then you get to receive your full interest reward + any additional interest you have accumulated in the interim.


Perhaps an extended example will help:

Suppose I have principal A and I earn a fraction f(F) of A per block in interest. The fraction f is an increasing functoin of the # of signatures, F, in the current and subsequent 9 blocks. I start out with 99 blocks in accumulated interest and the next block will give me 100 block of accumulated interest.

Now the chain forks into two valid blocks at history H as shown below. I've indicated places where I could sign are marked with "*", and other people's signatures with "b"

H-b-b-b-b-*

H-b-b-b-b-b-b-b

Suppose that 90% of people obey the rule and do not sign a block that is behind. Should I also obey this rule?

Obey Case:

Suppose I obey the rule just like the good 90% of stakeholders. Then the top sequence cannot be extended and will orphan.

The bottom sequence will be extended. Say that I win the lottery 300 blocks later.

H-b-b-b-b-b-b-b-(300 blocks)-b-b-b-b-*1

By now I have accumulated 400 blocks of interest. This is the only chain and I sign it. If I do so, then I earn 400AE[f_*1] in interest where E[f_*1] is the expected value of f_*1 when I sign at *1.

Disobey Case:

Suppose that I sign the top fork and this fork wins (if it fails to win, then the outcome is the same as before). When this occurs the top fork will win with low signatures.
Remember that 90% of stakeholders would refuse to sign the top fork as long as it is behind. Until it catches up it will have the bare minimum of signatures. The only plausible catchup process
is a lucky mining draw as shown below. (It is not clear why a miner would extend the top fork instead of working on the bottom one, but suppose they he does so out of ignorance)

H-b-b-b-b-*2-H-b-b-b-b-b

H-b-b-b-b-b-b-b

Now the top fork is ahead and everyone will sign it exclusively. I will get a reward of 100AE[f_*2] where E[f_*2] is the expected value of f_*2 when I sign at *2. Note that the block I signed has the minimum number of signatures, so E[f_2*]<E[f_1*]

Now extend this another 299 blocks and suppose I win the lottery again at *3. (I might win at another time, but this case is the easiest to explain)

H-b-b-b-b-*2-H-b-b-b-b-b-(299 blocks)-b-b-b-b-*3

This is the only chain and I sign it. If I do so, then I earn 300AE[f_*3] in interest where E[f_*3] is the expected value of f_*3 when I sign at *3. This case is identical to the obey case, so we can assume that E[f_*3]=E[f_1*].

What is my total payoff if I disobey? 100AE[f_2*]+300AE[f_*3]

Since [f_2*]<[f_3*]=[f_1*], the payoff I get if I disobey is smaller than the payoff I get if I obey. Compare,

100AE[f_2*]+300AE[f_*3] <  400AE[f_*1]

Therefore, if a positive fraction of other stakeholders obey, it is a nash equilibrium for me to obey also.

I'm assuming that he was mining in secret, but then he revealed his secret chain to the world. Due to promiscuous signing (if I can call it that), the secret chain can catch up with less than 50% work.

The robohash robot is great. Optionally print out an image of the robot next to the identicon?

Users could check that the identicon maps to the robot and robots are easier to remember than patterns.

The robots would be good branding for bitcoin. It looks like robohash is open source.

As have many scammers in the past who went on to scam again.

There should be objective criteria for assigning a scammer tag.

Debtor in default -> Scammer tag until debt is paid off.
Not in default -> No scammer tag
Not a debtor -> No scammer tag

Without objective criteria, the tag will just depend on who your friends are. As it does today.

Any idiot could see that these arrangements were scams from the outset. Now the schemes are in default and it is time to deliver the scammer tags.
If you don't assign a debtor in default a scammer tag, then what are scammer tags for?

You are arguing that Patrick and MPOE are idiots. That may be the case. Regardless, the defaulted debtor should get the scammer tag.

Awesome news. I am an economist, so I can't judge integrity (you need to have integrity yourself to do this). I learned from the forum that libertarians are idiots.
I'll take your word on it that they are dirtbags as well.

If you want to suggest the ABAB system with PoA added on top, that is fine with me. If you want to do just PoA alone, then I don't understand. PoA is not very strong against someone with a lot of work, i.e. it is not strong without substantial block reward.

Simple Attack where PoA is worse then PoW (no bribery):

All chains are signed by default if stakeholder participates. A fraction p of stakeholders participate. Attacker owns positive stake share, 0<s<1  and 0<p+s<1.  Attacker has workshare 0<w<1 of aggregate hash rate and the extra weight on signed blocks T. Attacker uses his stake to swing things in his favor.  Attacker wins if (1+pT+sT) w > (1+pT)(1-w) or if w/(1-w) > (1+pT)/(1+pT+sT). If T=0 (i.e. pure PoW) then the right hand side is equal to 1. If T>0, then the right hand side is less than 1, indicating that the attack becomes easier. In practice, however, the difference is really small unless p is small and s is large. Just provide incentives to keep p high and you should be fine. I'm much more worried about bribery than this.

Stuff you can do about bribery (in order of perceptive importance):
1) The reward system should discourage people from signing multiple chains (i.e. the coin-age scheme and/or ABAB scheme). Bribes would still work, but you could never get away with bribing a very small minority. You would need to bribe the majority. This is potentially difficult (I don't really think everyone is going to accept a bribe).

2) Remember that the feasibility of bribery depended on the attacker mining a one-block long secret fork. Without the secret fork, all the bribes can be stolen and then ignored. A simple defense is to make secret blocks computationally infeasible.

Consider the scheme with 5 sequential signatures. If the attacker has 1% of stake, he needs to mine 10 billion blocks just to construct a one-block long secret fork. It is reasonable to assume that the reward from mining 100,000 blocks on the main chain exceeds the reward from theft (I can't really say 10 billion because the attacker dies first). If you just do 1 signature, then the attacker with 1% stake needs to mine 100 blocks to get the one-block long secret fork. That still would help to discourage him, but I think you need at least 2 signatures -> 10,000 blocks for this to become really effective.

[You could put double-spends in a public fork and then issue bribes to extend the public fork. Thus, it makes sense to prevent double-spends in public forks. I think you can do this by requiring the miner to announce his tentative block to any signatory who requests it. The peers can just pass around the block header and the miner's IP address. The signatories can check if they are designated signers based on the block header. If they are, they can request full txn information from the miner's IP address. Once they have verified the txns are valid, they can sign the txn information and the block header, and submit this back to the miner. The miner can then send the updated data to the next signatory. After the fifth signature, the miner and the fifth signatory can announce the full block on the P2P network.]