[ANNOUNCE] OpenPay - Entering Burn In, Shake Down & Alpha Test phase.
isis:
OpenPay will be officially entering pre-launch next week. I will be posting the URL for the Open Payment Alliance website as soon as the Pre-launch is ready.
Pre-launch will be comprised of 3 primary phases.
The first stage is the "Burn in" phase, we will be laying out the infrastructure and hooking all the pieces together. It is expected to last 2-4 weeks. During this time anyone who wants to participate will receive hands on assistance in getting set up and connected to the network.
The second stage will be the "Shake Down" phase, this will be a sort of wargames period. The Open Payment Alliance will pre-load the network with up to 1000 bitcoins, all of which will be constantly traversing the network. The bitcoins on the network will all be real and they will be involved in binding transactions that will be occurring during this phase. The purpose is to try and break (or break into) the system. Anything you can come up with in terms of an attack will be fair game on the network during this time. Our goal during this time is to learn how well the network and our reference stack can withstand sustained assaults, attacks and threats. All the money you can capture during this phase will belong to you, no questions asked. Our most significant goal is to learn how to analyze and defend against the attacks, so while we would appreciate any information you can provide, it's not strictly necessary. This period is expected to last 1 to 2 months and during this time there will be a public scoreboard on the OPA website where you can see who got away with what and how they did it, (in as much as we are able to determine these facts).
The third stage is the Alpha test phase. During this phase we will be primarily focused on bringing real merchants online. Service providers who wish to bring merchants online during the Alpha test will be given direct one on one systems analysis, IT consulting, software support and even low or no cost custom software development if needed, to hook their customers and existing services into the OpenPay network. The Open Payment Alliance will cover the software development and customization costs to bring on merchants of any size.**** This period is expected to last up to 6 months or until we have 1,000 unique merchants using the system, whichever comes first.
What is OpenPay?...
For those who do not know about it already, OpenPay is a new EMV compatible payment network that rides on top of the bitcoin network, and uses bitcoins as a currency agnostic interchange medium.
The end result of OpenPay is that you will be able to spend your bitcoins at any merchant that is able to accept Visa or Mastercard.
For the consumer, OpenPay means you will be able to use an EMV chip & pin smartcard, an NFC capable device such as your smartphone (there will even be a magstripe card option for those of us still in the dark ages) to spend your bitcoins at your local merchant.
For merchants, OpenPay means you will be able to accept payment in your choice of currency (BTC, Local, or other), with no network fees* or fear of charge-backs.
There are also no restrictions on what can be sold or transacted on the network, if it's legal in your jurisdiction then it's allowed on the network (The anonymity and security aspects mean we have no idea who is transacting what, where or why. We are not encouraging illegal behavior here, just saying that OpenPay is designed to be highly resistant to tin pot dictators, tyrannical governments and peeping spouses. The only way we could do that is to create a pure common carrier network with high strength encryption, and complete anonymity. Still the transactions all settle and finalize on the bitcoin network so don't do anything illegal please.) .
For service providers such as mining pools, banks, and currency exchanges (or people that want to start one or be their own), OpenPay is designed to be an essentially unbreakable, low cost business opportunity and value added service for your clients.
This is because the OpenPay stack is comprised of a series of modules aka services that are designed to be highly secure, very hard to crack and of little or no value on their own.
In other words an attacker trying to crack an OpenPay deployment would spend a very long time trying to do so, only to find out they were wasting their time; they would need to compromise your whole deployment before gaining anything of any value and even that would be highly questionable. OpenPay's security model is not dependent upon any component or collection of components, and even services within a single deployment always assume all the other services are already compromised and therefore it all runs in a 0 trust mode. There is no security through obscurity,
This means that an entity running the OpenPay stack in it's recommended configuration should not be susceptible to the kinds of attacks and break ins we have seen lately.
Features...
Security -
The OpenPay network is designed to be free of any viable attack vectors by utilizing security industry best practices at each stage of the payment processing pipeline.
The OpenPay network features strong anonymity via the use of a P2P based Onion routing model (similar to TOR).
All messages on the network are encrypted using AES and are unreadable by anyone except the sender and intended receiver**.
Offnetwork (anything not traversing the internet) Interprocess communication is handled via SSL/TLS and a certificate restricted ACL.
Opportunity -
OpenPay is completely de-centralized, the Open Payment Alliance is a volunteer organization tasked solely with the development of the OpenPay reference implementation and standard. This means that service providers are expected to come online over time and provide the actual services on the network. In a nutshell, it means anyone can be their own bank, or they can work with their existing institution, it's totally up to the participants. No centralization means no central bank or other authority to dictate what can and cannot happen to your money. It also means that anyone with the necessary skills and an entrepreneurial bent can begin offering their own services over OpenPay without the "blessing" of a central authority***.
OpenPay's design and reference implementation are completely open, and will be released under the terms of the GPL.
Anyone can run their own payment processing node on the system, detailed deployment instructions will be made available, along with best practice recommendations.
OpenPay features a built in deposit insurance system. Service providers who choose to participate will receive 100% deposit insurance coverage for all bitcoins held in OpenPay enabled accounts.
Caveats & Fine Print...
*OpenPay has no network fees, if you choose a service provider they may charge you a payment processing fee, read your contract carefully.
**There is a known side channel attack against AES on Linux servers that use the "Completely Fair Scheduler" (CFS), Windows is well known as a security nightmare. OpenBSD is our recommended deployment platform. The reference implementation is written in Java and will run on anything that has a JVM, including *BSD, Android/Chrome OS, all flavors of Linux, Windows and ought to run just fine on OS/X. Still you need to make sure you properly secure your servers, nothing can protect you completely once an attacker gets root or administrative privileges. We get around it to a great degree by running several separate, low value services on separate physical servers. Still if you don't have a computer security background you should hire someone who does to manage your deployment, don't run unnecessary risks.
***No central authority also means no one to vet out scammers and other bad apples. Please do your homework on any entity before signing a contract or giving them your money.
**** The offer for free development and support is limited to merchants who have a physical retail presence. We will still assist web based merchants with shopping cart integration etc, but the offer is primarily intended to help offline retailers accept OpenPay & Bitcoins as painlessly as possible.
iCEBREAKER:
Quote from: isis on July 07, 2012, 08:11:37 AM
Caveats & Fine Print...
**There is a known side channel attack against AES on Linux servers that use the "Completely Fair Scheduler" (CFS), Windows is well known as a security nightmare. OpenBSD is our recommended deployment platform.
Oh no, you just *had* to go and say BSD is more secure than Linux! That caused epic flamewars, back in the Silver Age of Bitcoin (ie last summer).
Good thing that jgraham isn't around to hear about it. He'd have a conniption fit. :D
jim618:
I have crossposted this onto the bitcoinj mailing list as I sure they will all be interested.
More technical/ API details please !
:-)
isis:
Quote from: iCEBREAKER on July 07, 2012, 10:53:39 AM
Quote from: isis on July 07, 2012, 08:11:37 AM
Caveats & Fine Print...
**There is a known side channel attack against AES on Linux servers that use the "Completely Fair Scheduler" (CFS), Windows is well known as a security nightmare. OpenBSD is our recommended deployment platform.
Oh no, you just *had* to go and say BSD is more secure than Linux! That caused epic flamewars, back in the Silver Age of Bitcoin (ie last summer).
Good thing that jgraham isn't around to hear about it. He'd have a conniption fit. :D
Actually I prefer Linux to BSD myself. But the CFS attack against AES is specific to linux and it's potential impact cannot be discounted. It doesn't necessarily require root privileges to execute and can result in the full recovery of the key in just a few minutes, which would be really, really bad, at least for that stage of the pipeline.
OpenBSD is the only recommended platform for deployment at the moment, although I don't see a problem with a properly secured linux such as SELinux so long as the kernel isn't running CFS.
jim618:
I have been reading some of your earlier posts and this is a very interesting project.
(I don't understand all the POS protocol but then the software stack will hide a lot of that)
I presume that you will initially be concentrating on magstripe for the North American market ?
I am in the EU and it is all Chip n Pin over here now - I honestly cannot remember the last time someone swiped one of my cards.
Navigation
[0] Message Index
[#] Next page