Open Transactions Server: Asset/Bond/Commodity/Cryptocoin/Deed/Share/Stock Exch.

[freequant]

What's an Open Transactions server ?

the server part of the Open Transaction protocol.
it is sort of like a centriliziced bitcoin system. but uses some other principles.

Centralized = Doomed.

MTGOX = Doomed.
no, not neccesarily. the server operator cannot modify account histories.
the system is(AFAIK) more like current bank system, where banks are opening account in each others banks.
it is working like diaspora(the p2p facebook.).

I meant, in the long run, a centralized system that competes with the financial monopoly in place cannot survive in our current political and legal context.
Once Open Transactions grows to the point of threatening the advantages of the financial mob, it will be shutdown for any reason (non respect of KYC, AML,...).
Even if we end up with thousands of servers in hundreds of countries where they cannot all be shutdown easily, once a few people get busted, fined and jailed for willful breach of financial regulations, no one will want to continue hosting this kind of service under his own identity.
The only place where Open Transaction could survive to the unavoidable witch hunting that WILL happen, is as an anonymous hidden TOR service, but then you don't know who is running it: what guarantees you that the system remains fair?

I don't mean to be mean (no pun intended), Open Transaction is an interesting project that brings us forward. It will allow to experiment with smart contracts.
But really, when I say centralized = doomed, I mean it.
Let's not rely too much on Open Transaction as if it was meant to stay forever.
 

[fellowtraveler]

The only place where Open Transaction could survive to the unavoidable witch hunting that WILL happen, is as an anonymous hidden TOR service

That's the idea.

but then you don't know who is running it: what guarantees you that the system remains fair?

Answer: https://github.com/FellowTraveler/Open-Transactions/wiki/CENTRALIZED

--------------------------------

What does Open-Transactions get you, that you can't do on the blockchain?

-- Fully-anonymous and untraceable cash.
-- Instant finality of settlement.
-- A variety of different instruments (markets, cheques, etc)
-- A variety of different currencies.

This is why people in the Bitcoin community are already building these sorts of systems. What is MtGox, but a "centralized" Bitcoin exchange?  The difference is, an Open-Transactions server operator cannot change your "account balance" at whim -- and even if the server disappears entirely, no one gets fucked. Contrast that with the recent MyBitcoin debacle... people will continue getting fucked until they prefer systems with cryptographic integrity.

[markm]

TL;DR: If open transactions is a gamechanging advantage, already-established Gox,Hill etc will use it themselves.


I suspect that politics probably trumps technology, and politics plus mailing-list / members list (established userbase; "goodwill") trumps entry into established market.

I thought hey maybe we can set up a fundraising vehicle akin to an Initial Public Offering. But private of course as a public offering would be huge can of worms requiring a huge private offering first anyway just to raise enough funds for the public offering.

We raise the $100,000 or $2,000,000 or whatever it costs to get a license.

I believe Brian Marsden looked into licenses and found really its almost impossible to get a banking license from scratch, you basically have to buy a bank. He proposed to buy one for some $2,000,000 or so if I recall correctly, that is the asshat I pulled the above 2M figure out of. The $100,000 figure is one I heard thrown around when looking into getting a casino license in some offshore place that is a kind of online-casino-mill or something. Though maybe, it was thought, some folk had gotten one for only $50,000.

Meanwhile, are MtGox and TradeHill already licensed in some jurisdiction?

Wouldn't Open Transactions work on their hardware like on anyone else's?

Oh and I wonder if people have to go through the whole applying for pardons process to get all their childhood parking tickets and weed pecadillos removed from their records before they could get a license at any price?

So lets say finally we manage to pay all the bribes aka fees to actually get a license, why would anyone use the new startup, except maybe the people who put up the money to have jumping through hoops wheels properly greased?

This is so pathetic/stupid because it should simply be a standard *nix service, every system able to process transactions just like every system has open office on it.

(I do notice though, that open office doesn't seem to include what I guess must differentiate a mere office from an actual business, the normal business suite like General Ledger, Inventory, Payroll that I guess means we still need an Open Business suite of tools. All part of a conspiracy to keep people out of business or what?)

-MarkM-

EDIT I have an idea for "know your customer" that will be far far easier (politically) to set up and test for game nations than for real nations, in fact it will reject most real nations due to their not providing sufficient "know your sovereign nations" signature-trails proving that a particular server or customer acknowledges them to be sovereign - "over" them or even at all.

Each nation would have Signature of the Realm signing-nym. It would be signed by that of each nation that recognises them as sovereign.

That way a server can configure which national signature it operates under, and reject customers whose identity is signed by nations not recognised as sovereign by the nation the server recognises as sovereign and actually operates under the aegis of.

Each nation would retain its ability to deploy sock puppets aka secret agents by fabricating false identities, which, I would not be surprised to learn, might well be an important to them part of the whole know your customer thing. They won't want us to know their fake identity secret agents as not being as real as anyone else.

So we'd then have a trail back from each 'nym to some entity we recognise as sovereign, which could of course be ourself, it is up to us who or what we choose to regard as sovereign afterall. But the functionality would enable us to provide KYC trails for any nation that actually registers a signature of the realm for us to check potential customers against.

[fellowtraveler]

If open transactions is a gamechanging advantage, already-established Gox,Hill etc will use it themselves.

Well let's be up-front and honest about OT's disadvantages as well:

-- Brand new, experimental.
-- Open-source library, not a commercial product.
-- Still needs code scanning, auditing, testing, profiling, load testing, beta testing, Q/A, etc.
-- Zero budget.
-- Lone contributor (this is now changing. People are starting to pop up.)
-- While there are many potential real-world applications, so far there are zero actual real-world applications.
-- Difficult for people to understand (incorporates many different financial-crypto "tricks" and integrates them.)
-- See the issues list at github, as well as grep -i the code for "todo".

This is an open source library, meant for all to use where they find it useful, and meant to grow with the entire community. OT cannot be pigeonholed like a single product, nor is it meant to compete with any single product. Most of what I write here is only meant to raise awareness of the difficult concepts involved, and to widen experimentation with and use of these concepts.  I see OT as a "reference implementation", if anything. Moneychanger also. The rest will have to come from all of you.

-FT

[kokjo]

The only place where Open Transaction could survive to the unavoidable witch hunting that WILL happen, is as an anonymous hidden TOR service, but then you don't know who is running it: what guarantees you that the system remains fair?

Answer: reputation.
and also, an operator still can't change the account balance, or revoke transactions, without it would proveabliy getting noticed.

[markm]

While there are many potential real-world applications, so far there are zero actual real-world applications.

Just because some currencies my server supports are fictional doesn't make the ability to buy them using bitcoins any less real than if someone bought any other product or service using real bitcoins.

Furthermore NMC, I0C, IXC, and DVC, even if none or only some of the others so far supported, do not think of themselves as not being real world. They are real world blockchains, tracking real world tokens, which real world people can control by use of real world cryptographic keys.

Sure there can be a slippery slope of amount of real-ness, with bitcoins being easier to cash out to fiat currencies at various exchanges while some of the other supported tokens have no direct cash-out to fiat currencies, but that is itself a real world thing as it is legal and political aspects of the real world that require some things to be farther from direct cashability into fiat than others.

I would like to think that this current alpha test is an alpha test of real world applicability of Open Transactions, in fact. It would be a pity if politics/law prevents real world applicability and even more so if it prevents even mere testing-for-real of whether it is in fact real world applicable.

GPG apparently ships with 4096 bit key capability so it seems that gimping it down to only 1024 bits or even 2048 bits out of fear of some legal/political attempt to prevent real world application of 4096 bit encryption might be a bit of "living in the past". Testing some gimped-down pretend/play version of the thing maybe isn't really a valid test of real world applicability if in the real world 1024 or 2048 bits are no longer considered sufficient bits for real world applications.

Allowing exchanges even just between DVC and BTC should be a real world application. How is it not?

-MarkM-

EDIT: Maybe for the real world we should structure things such that our customer is the signer of the signed nym that that customer uses to prove to us a nym is one of their nyms. That way there can be a separation of powers between  a customer-knower agency that is our customer and the server, which does not need to know the customer-knowers private data about who its own customers are.

As long as we know who signed the certificate/nym, we can direct any enquiries as to on whose behalf that nym does its thing. From our perspective, it does it on their behalf.

[gmaxwell]

Answer: reputation.
and also, an operator still can't change the account balance, or revoke transactions, without it would proveabliy getting noticed.

The power of reputation is easily overstated.  We often think of reputation as valuable because identity is costly. If you make identity cheap you make reputation cheap.  Anonymity requires that identity be cheap, so reputation loses power as a tool.

To state this more concretely:  Say I offer some kind of service that requires concealing my identity and requires I be trusted.  For example, some kind of mixing service. People pay funds to me anonymously and then later I pay out, concealing the connections.  If my identity was not hidden people could use force to coerce me to compromise the mixes' privacy.

Because I am anonymous, however, I can also run off with the mixes funds with impunity. You say "not so, you lose reputation" but this isn't really true.  I don't just run one mix, I run many— a series of mixes which look independent made possible by the cheapness of anonymous identity.   When my second mix is starting to get a good reputation, the first experiences 'catastrophic data loss', 'a hack', or otherwise just vanishes.

Given some reputation ramp rate there is an optimal point for a anonymous operator to cut and run in order to maximize income. There is no reasonable set of system parameters which doesn't make this the case, only identity which is difficult/impossible to replace can serve this purpose.

[jtimon]

As far as I've understood, you only need to trust the issuers of the currencies or the shares to be traded. The OT servers themselves cannot get away with anything.
If the server you use goes down, you expect the issuer you trusted to tell you about another server where you can place his currency.
Are you referring to the reputation of the issuers of the currencies and shares?

[fellowtraveler]

gmaxwell and jtimon are both right--from a certain point of view.

gmaxwell is correct that anonymous reputations can be cheap, and that anonymous operators can cut and run. This is a problem that OT can only get around with the combination of unforgeable transactions and real-time auditing -- and I haven't coded the auditing part yet!

As jtimon pointed out, however, even having a low-trust transaction server doesn't save us from still having to trust the issuer, since he is actually holding our gold!

In the case of Bitcoin, the best solution I have (also not coded yet) is voting pools on the Bitcoin blockchain, ACTING as "Bitcoin issuers" in order to prevent individual transaction servers from disappearing with Bitcoins that were bailed into them. But even in this case, what if all the voting pool members are secretly owned by the same entity? Quite a conundrum, isn't it?

[markm]

Bailing in of coins on my server has begun, someone is bailing in 50 NMC right now.

It doesn't seem practical unfortunately to wait until a hard coded checkpoint before issuing dNMC tokens for them so I am going with the ten confirmation blocks Unthinkingbit listed as standard for secure exchanges.

-MarkM-

[jtimon]

Bailing in of coins on my server has begun, someone is bailing in 50 NMC right now.

It doesn't seem practical unfortunately to wait until a hard coded checkpoint before issuing dNMC tokens for them so I am going with the ten confrimation blocks Unthinkingbit listed as standard for secure exchanges.

-MarkM-

10 confirmations seems safe to me.

Sorry if it is described somewhere and I didn't read it.
How can I bail in some namecoins?
How can I then get them out?

[markm]

Bailing in of coins on my server has begun, someone is bailing in 50 NMC right now.

It doesn't seem practical unfortunately to wait until a hard coded checkpoint before issuing dNMC tokens for them so I am going with the ten confrimation blocks Unthinkingbit listed as standard for secure exchanges.

-MarkM-

10 confirmations seems safe to me.

Sorry if it is described somewhere and I didn't read it.
How can I bail in some namecoins?
How can I then get them out?

The contract specifies Freenode's channel named #galacticmilieu for redeeming such tokens but does say other means can probably be negotiated. And actually #galacticmilieu-otc is maybe even more appropriate.

Basically via IRC on any relevant channel I am on at the time. (Like for namecoins, #namecoin might be reasonable.)

Automation is in the roadmap though, not just directly in/out to blockchain currencies but also ultimately multi-signature stuff on blockchains so multiple servers all have to agree, N out of M of them, to release bailed-in coins.

-MarkM-

[Red Emerald]

OT sounds interesting.  I am not in love with centralization, but it looks like you have some plans for negating the usual problems.

Keep up the good work.

[markm]

I have set up i2p tunnelling that in theory should allow people to connect to my Open Transactions server over i2p.

I haven't yet found anyone who uses i2p and has an interest in Open Transactions / *coin exchanges / *coin stock-exchanges to actually make the attempt to connect to it yet though...

-MarkM-

[becoin]

This is why Voucher-Safe is cash-only: because it enables the issuer to audit the receipts, but maintains full-anonymity and untraceability.

I don't get this. On the one hand they state their design goals is "Payments must be irrevocable and untraceable. It must be physically impossible for any component, even the VP (voucher publisher), to provide a transaction history for any user", and on the other hand all operations (validate, merge, split) require that the VSC (the client) supply the VP with a "Voucher Request" where new serial numbers are assigned to replacement vouchers. Looks like a contradiction to me.

I meant, in the long run, a centralized system that competes with the financial monopoly in place cannot survive in our current political and legal context.
Once Open Transactions grows to the point of threatening the advantages of the financial mob, it will be shutdown for any reason (non respect of KYC, AML,...)

I have to agree. Centralized = Doomed. The entire legal framework (incl. voucher-related) can be changed in a day if financial interests of such magnitude are threatened.

[fellowtraveler]

This is why Voucher-Safe is cash-only: because it enables the issuer to audit the receipts, but maintains full-anonymity and untraceability.

I don't get this. On the one hand they state their design goals is "Payments must be irrevocable and untraceable. It must be physically impossible for any component, even the VP (voucher publisher), to provide a transaction history for any user", and on the other hand all operations (validate, merge, split) require that the VSC (the client) supply the VP with a "Voucher Request" where new serial numbers are assigned to replacement vouchers. Looks like a contradiction to me.

That's because you are not educated on this subject:  http://en.wikipedia.org/wiki/Blind_Signatures

In fact, untraceable digital cash really is untraceable.

[becoin]

That's because you are not educated on this subject:  http://en.wikipedia.org/wiki/Blind_Signatures

I hope you are. Can you please help me understand? I've read the original paper by Chaum, David (1983). "Blind signatures for untraceable payments" - http://www.hit.bme.hu/~buttyan/courses/BMEVIHIM219/2009/Chaum.BlindSigForPayment.1982.PDF

An example payment transaction in 13 steps is described on page 4 where blind signature usage is illustrated. The actors are a bank, a payer, and a payee.

1. In step (4) - Bank returns the signed note c'(c(x)), to payer. And there is a clarification after transaction is done - "the bank does not know which payer the note was originally issued to in step (4)". How is that possible to return something to somebody without knowing who he is?

2. There is a note prior to this example "The critical concept is that the bank will sign anything with its private key, but anything so signed is worth a fixed amount, say $1." This is pretty much in line with the carbon paper lined envelopes voting example where this concept is derived from - 1 vote 1 transaction. But what if payment transaction amounts to, say $12.36 or $0.84?

3. To best of my knowledge there is no bank in the world currently offering blind signature payment transactions to their customers. Why do banks stick to "know everything about every transaction" practice about 30 years after blind signature concept was introduced by David Chaum?

[markm]

3. To best of my knowledge there is no bank in the world currently offering blind signature payment transactions to their customers. Why do banks stick to "know everything about every transaction" practice about 30 years after blind signature concept was introduced by David Chaum?

Try googling "Know Your Customer" ...

...And related regulations; money-laundering laws; war on terrorism; etc.

Meanwhile, after more debugging marathons we have done some essential fixes to Open Transactions to get markets working, and are re-starting the server "from scratch" with new version 0.75c asset contracts for all the assets. Everyone will need the latest Open Transactions and the new asset contracts. This time hopefully will be "for real".

-MarkM-

[fellowtraveler]

That's because you are not educated on this subject:  http://en.wikipedia.org/wiki/Blind_Signatures

I hope you are. Can you please help me understand? I've read the original paper by Chaum, David (1983). "Blind signatures for untraceable payments" - http://www.hit.bme.hu/~buttyan/courses/BMEVIHIM219/2009/Chaum.BlindSigForPayment.1982.PDF

An example payment transaction in 13 steps is described on page 4 where blind signature usage is illustrated. The actors are a bank, a payer, and a payee.

1. In step (4) - Bank returns the signed note c'(c(x)), to payer. And there is a clarification after transaction is done - "the bank does not know which payer the note was originally issued to in step (4)". How is that possible to return something to somebody without knowing who he is?

Imagine that you withdrew $100 from the bank.
Now imagine you give it to your favorite prostitute, and she gives it to her pimp, and he gives it to his coke dealer, who gives it to a coyote, who spends it at 7/11.
Now:  The bank can see that you WITHDREW $100, and the bank can see that 7/11 DEPOSITED $100... but the bank can't see any of the people who had it in-between.
Furthermore, the bank doesn't know if it's the SAME $100. It simply has no way of connecting the withdrawal to the deposit, since the cash is untraceable.

If you have several pseudonyms (public keys) registered at an OT server, and they are transacting in cash, the server can see their withdrawals and deposits, but it cannot see who is giving you that money, and it cannot see where you are spending it. Such is untraceable. A server doesn't even know whether you have a hoard of coins which you are exchanging one-at-a-time, or whether you actually have only a single coin, which you are exchanging over and over again. A server can't tell the difference.
Furthermore, while the server can link a specific Nym's withdrawals to each other (by way of that Nym), it cannot link them to how they are spent, or to any of the activities of your other Nyms. Furthermore, if the server is run in cash-only mode, so that there is only a single Nym which performs only cash-token exchanges, then you lose even pseudonymity, and the system becomes completely anonymous.

How is it possible to return the cash notes anonymously to the user?  ANSWER: Over an anonymous network.

How is it possible that the note itself cannot be traced as it is spent?  ANSWER:  Using blind signatures.
http://en.wikipedia.org/wiki/Blind_Signatures

It works like this:  The client generates the prototokens and blinds them using the server's public mint keys. These prototokens are sent to the server along with the withdrawal request.  The server signs the prototokens using its private mint keys.  For example, if I am withdrawing $100, then the $100 public mint key will be used on the client side to blind the prototoken, and the $100 private mint key will be used on the server sign to blind-sign the prototoken, and then when the client receives the server reply, the client will use the $100 public mint key to UNBLIND the prototoken, and it is now ready for spending.

(This information is already available on my FAQ...)

Once the client has unblinded the prototoken, then it will have a valid server signature on its ID, even though the server doesn't know what that ID is, since it was blinded when it was signed.

The server is, nevertheless confident that if $100 was withdrawn from your account, that it used the $100 mint key to sign the request -- therefore, even though the server doesn't what what the ID is, it still knows that it was signed with the $100 key, and that only the $100 key will successfully verify it in the future.  When it IS verified, the server will know it was good, but it will not know where it originally came from, since this is untraceable.

2. There is a note prior to this example "The critical concept is that the bank will sign anything with its private key, but anything so signed is worth a fixed amount, say $1." This is pretty much in line with the carbon paper lined envelopes voting example where this concept is derived from - 1 vote 1 transaction. But what if payment transaction amounts to, say $12.36 or $0.84?

The answer is that digital cash uses denominations, just like real cash.  In a certain mint file there might be, say, a 1c key, a 5c key, 10c key, 25c key, 50c key, $1 key, $5 key, $10 key, $20 key, and $100 key.

For an example of this, see the sample public mint file posted on the OT wiki:  
https://github.com/FellowTraveler/Open-Transactions/wiki/Sample-Mint

Thus, if you give cash to someone in a specific amount, you will not be giving him a token, but rather, a purse full of them, in the appropriate denominations to amount to your $12.63 or $0.84 etc.

3. To best of my knowledge there is no bank in the world currently offering blind signature payment transactions to their customers. Why do banks stick to "know everything about every transaction" practice about 30 years after blind signature concept was introduced by David Chaum?

Banks are bureaucracies responsible primarily for regulatory compliance and enforcement (related to their monopoly on the issuance of money.)

Their actions do not stem from natural market forces, but from the regulations related to the FDIC, money laundering and tax law, SEC compliance, and so on.

In answer to your question, Why do banks stick to "know everything about every transaction"...? the answer is so they can watch for suspicious activities on your part, report on them to the authorities, and freeze your funds when asked to by the tax enforcement department in your jurisdiction.

Similarly, if you were to ask me why food is so superior to tree bark, since many in the North Korean economy continue to eat tree bark (even though they have known about food for at least several decades), my answer would be that North Koreans eat tree bark not because of natural market forces, but rather, due to the unavailability of good food as a result of government interference in the free market.

[fellowtraveler]

Here's a simple version:

Imagine that I generate a random ID:  "lkjsdf987234"

Next I blind it, using the server's $10 public key:  "876345kjhkjh"

(Next I send it to the server, along with a $10 withdrawal request.)

The server pulls $10 from my account, and then the server
signs the prototoken using its $10 private key:   "876345kjhkjh SIGNED:Server"

(Sends it back to me...)

I then UNBLIND IT using the Server's $10 public key:  "lkjsdf987234 SIGNED:Server"


AT THIS POINT, the token is ready to spend.  As you can see, I have a valid server signature, which can only be verified using the server's $10 key, and which contains an ID that the server DOES NOT KNOW.

That is why it's called a "blind signature" -- because the server signs it "blind".

The server still feels safe that only the $10 key will verify the signature. So while the server has no idea where the cash came from, when it is redeemed, it nevertheless knows whether or not it is any good.
This is also provable to a third party, since the spent token database can be made public, and only the server's $10 public key is necessary to verify the tokens.