Sharing CoinPal trust data

[mndrix]

The forum has many discussions about trust and reputation.  Perhaps it would be useful if CoinPal buyers could choose to make their purchase history available as one demonstration that they're trustworthy.  I currently do this by rating customers in #bitcoin-otc when asked.  However, some people don't use IRC and may want their trust broadcast in another way.  Consider this a solicitation of ideas for ways to broadcast that trust.

Someone suggested that CoinPal could automatically sign a customer's PGP key after a successful transaction.  I know very little of PGP's best practices. Is this a good idea?  Can such signatures be revoked if a customer charges back after the initial signature?

How about providing customers with a "letter of recommendation" URL which they could share with others?  This URL would display a summary of the customer's purchases (date and BTC amount).  Since the page would be served from CoinPal's site, a third-party could be confident of the document's authenticity and accuracy.  If a customer charged back a payment, it'd be immediately reflected on the page.  I suppose this "letter" could either be English text or a JSON document.

How about a PGP-signed "letter of recommendation"?  It'd be similar to the above letter, but it would also have my PGP signature.  That way, it would persist even if CoinPal crashes, dies or otherwise disappears.

I plan to continue supporting #bitcoin-otc's web of trust and improve CoinPal's interaction with it if people are interested.  Thanks for any feedback.

[1714895043]

1714895043

[FreeMoney]

Would it be reasonable to just have a transaction history page for each user and a check box to make it public and make that public page easy to link to? Is PGP stuff necessary?

[doublec]

Would it be reasonable to just have a transaction history page for each user and a check box to make it public and make that public page easy to link to? Is PGP stuff necessary?

It would be good to allow a user to sign the transaction history page, or provide some way for the user to put a signed message there, so that users of the gpg based web of trust in #bitcoin-otc can prove an association between their history on CoinPal and #bitcoin-otc.

[FreeMoney]

Ah, yes, that makes sense. It's harder than I first thought.

But it isn't the case that no one will ever want to share PP. People who do PP transactions with others will be sharing it out of necessity. It would be some help to be able to link to proof that your PP email has had 8 successful CoinPal trades over the last 3 months.

[FreeMoney]

Would it not make possible 'buying' reputation by making a few honest but small trades just to take money and run on the first large trade?

Obviously don't be the guy who trades $1000 with someone who's been trading $40s. But it's doubtful that all those $40s were setting up for a big $100 score. Also it's just one piece of info, if someone has 30 reasonable posts maybe you are undecided, but if they also did a trade 2 months ago w/ CoinPal for about the same amount they want to do with you now you are probably fine.

[caveden]

I think this might be a good idea, but the user should have the option to just disclose the info for people he wants too, for privacy reasons.
Maybe publicly announcing the PP addresses of those who perform chargebacks would be a good idea too.

The only thing that worries me a bit is that chargebacks normally happen when the true owner of the account gets scammed. So, by tainting the account as untrustworthy, you would be marking the victim of a scam, not the scammer himself. It's true that the victim could be responsible for not properly protecting his account, but even still... most people just don't know how. The true criminal doesn't get his reputation touched.

[semyazza]

Would it be reasonable to just have a transaction history page for each user and a check box to make it public and make that public page easy to link to? Is PGP stuff necessary?

Problem is the way of verificating authenity.
At the moment most trust 3 things.

• Nickname in the community
• GPG key
• Paypal address (this later translates to realname)

And I'm quite sure none want to share their PP address on CoinPal site

this needs to be furtherly discussed

SHA-256 Hashes of the paypal e-mail addresses would be able to keep them private.  Also, what bitcoin-otc is doing with the portable account via GPG verification is very useful.

[Daniel]

Trust is fundamentally about credit, and we're already developing appropriate infrastructure in the Ripple community for this type of activity. I would therefore suggest consideration of this approach for your trust tools. I've had some discussions with nanotube about using Ripple-based technology to serve the purposes of distributed trust, and I think this would be a good avenue.

My service Rain Droplet (https://raindroplet.info/) allows people to record their credit relationships, including limits, balances, and transactions. Based on the credit data it can automatically calculate social network trust ratings. There's an easy interface for any user to check the credit score (i.e. decentralized trust index) of any user with yet any other user. All this is free and open, and I welcome you to try it out.

Please let me know if you have any questions or feedback or anything.

[mndrix]

It would be good to allow a user to sign the transaction history page, or provide some way for the user to put a signed message there, so that users of the gpg based web of trust in #bitcoin-otc can prove an association between their history on CoinPal and #bitcoin-otc.

Good idea.  I'll include an optional field so one can add arbitrary text to his transaction history page.  Users who don't use GPG can ignore the field.

I suppose I could also show a user's GPG key fingerprint on the page, if I verify he owns the key.

[mndrix]

And I'm quite sure none want to share their PP address on CoinPal site

It would be some help to be able to link to proof that your PP email has had 8 successful CoinPal trades over the last 3 months.

It sounds like including the PayPal email address should be optional.  It should be easy to implement.  I want users to be able to display the trust data that's meaningful to them.

[mndrix]

Maybe publicly announcing the PP addresses of those who perform chargebacks would be a good idea too.

As you mention, in most cases, this actually flags the victim as dishonest rather than the scammer.  In my experience, PayPal trading history can only suggest honesty, not prove dishonesty.

[mndrix]

Any preference on whether the trading history is displayed in English or pretty-printed JSON?  If it's JSON, other services could import the data and assign extra trust where it's justified.

[nanotube]

just a note that the trading history of "john doe" would be pretty useless without any ways to verify that the guy you're talking to is the same guy.

if trade history doesn't include paypal email - /anyone/ can claim any trade history.

if history does include paypal email, then someone who gained access to that paypal account can claim it, and then the real owner will charge back. (and we all know how many stolen paypal accounts there are floating about)

if history includes something like gpg key - it becomes a lot more trustworthy. pgp keys can of course also be compromised, but stolen pgp keys are much less likely than stolen paypal passwords, since these tend not to be targeted by the run of the mill trojans out there. (yet)

so in summary: definitely a good idea to allow people to verify a gpg key to include on that page.

another possibility: hash of phone number?

finally: yes working with daniel on the ripple bits. stay tuned.

[nanotube]

SHA-256 Hashes of the paypal e-mail addresses would be able to keep them private.  Also, what bitcoin-otc is doing with the portable account via GPG verification is very useful.

I think you jumped over a good one here. You could make an API available based on paypal address. Sha-256 hash their paypal email plus say "somesupersecretextrakeyhere". They pass the hash to you, you look up what you have stored for that user, and return their rating to them. Wouldn't require any keys or anything, just a simple hash. You may even be able to return the info that you use for quantity allowances. If they have traded x times, or over x period of time, it may be useful in different metrics or situations.

but how is that useful for /others/ who want to verify what Bob's rating is? doesn't that mean that bob has to reveal his supersecretkey in order to allow others to query and verify his account?

[mndrix]

just a note that the trading history of "john doe" would be pretty useless without any ways to verify that the guy you're talking to is the same guy.

Thanks for pointing out the specific problems.  My current prototype shows the PayPal email address on the transaction history page.

if history does include paypal email, then someone who gained access to that paypal account can claim it, and then the real owner will charge back. (and we all know how many stolen paypal accounts there are floating about)

I plan to support pgp keys eventually for those who want it.  I think that's the most resilient way to share trust.  Until then, I think an attacker stealing a CoinPal user's PayPal account is unlikely enough that the transaction history with the PayPal address should be helpful in many cases.

[mndrix]

They just need his paypal email address. They don't have to give any key out. It also maintains the privacy of the users, without the paypal email address they can't look up anything.

Thanks for reminding me of the SHA-256 suggestion. I'm trying to understand the API you described and how it'd work.  If the merchant using the API already has the PayPal email address, why does the address need to be hashed?  CoinPal could just show respond with the clear PayPal address, since the merchant already knows it.  If the merchant doesn't know the PayPal address, he's presumably not in a transaction with this CoinPal user and won't know the secret transaction history URL for that user.  What am I missing?

I'll publish my protoype shortly.  Perhaps that'll help in the discussions.

[mndrix]

The prototype is available.  You can share your CoinPal transaction history by filling out the form and sharing the URL of the page you end up on.  Anyone with this URL can view your PayPal email address and your entire CoinPal transaction history (now and in the future).  There's currently no PGP integration.  You can't include an optional message yet either.

Here's a sample transaction history for my PayPal test account.

[nanotube]

I plan to support pgp keys eventually for those who want it.  I think that's the most resilient way to share trust.  Until then, I think an attacker stealing a CoinPal user's PayPal account is unlikely enough that the transaction history with the PayPal address should be helpful in many cases.

indeed, that is not a very likely scenario. while stolen pp accounts are numerous, the intersection of (stolen pp accounts) & (coinpal users) & (thief aware of coinpal and bitcoin and using the coinpal tx history info to steal btc) seems quite small

The prototype is available.  You can share your CoinPal transaction history by filling out the form and sharing the URL of the page you end up on.  Anyone with this URL can view your PayPal email address and your entire CoinPal transaction history (now and in the future).  There's currently no PGP integration.  You can't include an optional message yet either.

Here's a sample transaction history for my PayPal test account.

very cool. now if only you add a couple of form fields for pgpkey, and signed verification message, and then a query url by keyid with json output... i could get it working on the OTC channel.

[abstraction]

Would this scenario work and satisfy most privacy concerns?

CoinPal user John wants to share his history with "Garden Community" of which Sally is also a member. John enters his nickname for "Garden Community" (JohnnyGreenThumb), PayPal address, and CoinPal OrderID. CoinPal generates a public address for John to post publicly. On the history page, it shows JohnnyGreenThumb instead of his PayPal address.

John also wants to post his history in the Bitcoin community, except that he is known here as JohnnyGoldThumb. So, he follows the same procedure as before, but uses his Bitcoin nickname instead. "JohnnyGoldThumb" shows up on the history page.

Back to Sally. Sally wants to do business with John. She shows John her history page, which displays "GreenThumbelina" instead of her PayPal address. She also requests CoinPal generate a new, temporary history page which actually does show her PayPal address. The page showing the PayPal address will expire 15 minutes after the first time it is accessed, so even if the link gets out in the open, it won't show any data. If John agrees to do business with her, he generates his page and they exchange the temporary pages to verify that they are who they say they are.

A state diagram would be nice to show this, but the concept of web of trust is new to me so I'm still learning.

[mndrix]

Would this scenario work and satisfy most privacy concerns?

You raise a good point that CoinPal customers may want to share their history with different communities in different circumstances.  I'm leaning toward doublec's suggestion of allowing customers to include an arbitrary message on the transaction history page.  That would allow someone to implement basically what you describe.  If each new message generates a new URL, it should work well.