What pure or applied technical measures can be taken to protect
the Internet against future forms of attack?

Author: Richard Kay
Email: Rich@driveout.demon.co.uk <mailto:Rich@driveout.demon.co.uk>
Phone: +44 121 331 5440
Postal: Faculty of Engineering,
University of Central England,
Perry Barr, Birmingham B42 2SU,
UK


1. Abstract

This paper proposes an evolving and layered approach to solving
the stated problem based on a combination of authentication
techniques and payment protocol developments. The solution
proposed involves Internet Service Providers agreeing amongst
themselves to restrict access to new services based on a secure
authentication protocol, possibly involving accounted
micropayments. This enables the identification of users such that
it becomes possible to trace and prosecute misusers and for money
to be handled securely, effectively and at low cost over the
Internet. The most innovative aspects of this paper concern the
combination of approaches and the payment protocol proposed.


2. Contents

1. Abstract
2. Contents
3. glossary
4. Introduction
5. Contractual agreements between ISPs and users
6. Portable embedded systems and public-key authentication
7. The recording of context or was he or she present ?
8. Using accounted transactions as a security guarantor
9. The MRS as an Internet-based payments system
10. Conclusion
11. References


3. Glossary

AUP - Acceptable Use Policy. A statement by an ISP of the
acceptable and unacceptable network uses which users of their
service are expected to agree to and accept, as a condition of
provision of network services.

DNS - Domain Name System (1). A naming system involving
hierarchical delegation of network-naming authority to ensure
unique names within a network. Names formed using this system
consist of a sequence of components with the largest entity at
the right hand side, e.g. the domain name uce.ac.uk is used for
the University of Central England (UCE) which is part of the
Academic Community (AC) subdomain of the UK top level Internet
domain.

ISP - Internet Service Provider. In this paper this term is
used to mean an organisation which provides end users with access
to the Internet.

LETSystem - (2). A non-hierarchical double-entry account-based
payment system used to record payments between participants and
the status of their accounts with each other. As all accounts
start at zero and external money does not technically enter or
leave the system all accounts within a LETSystem at any given
time will add up to zero.

MRS - Multi-Registry System (3). An Internet-based design for
automating account-based transactions between distributed
accounts involving multiple payment systems, currencies and para-
currencies such as airmiles, loyalty points, barter currencies
and LETSystems etc.

UBE - Unsolicited Bulk Email often known as spam. Email
messages sent in bulk to recipients who have neither requested
messages from the originators, nor consented to receive messages
relevant to the contents of such.


4. Introduction

Computer crime and terrorism, as with other hostile actions, are
primarily social phenomena and are likely to have mainly social
solutions assisted using appropriate technical means. A
particular issue with Internet security includes the ease with
which operations which may be illegal in one country can be moved
to or established in countries with favourable legislation. The
solutions proposed in this paper recognise this difficulty as
given, and will not require government action or special
legislation other than to remove legislated barriers to the
development of appropriate technical means, e.g. in the field of
encryption. This paper assumes the enforcement through the civil
courts of appropriate contractual obligations between Internet
Service Providers and their users to be feasible.

In the case of physical defence and security, the zenith of the
bastion approach historically occurred with the elaborate armour
and fortifications of the Middle Ages. Since then, with the
growing sophistication of possible methods of physical attack,
the primary emphasis of defence has been based upon the
probability of being able to identify and carry out retributive
measures against likely attackers, which increase the probable
cost of attacks to more than the advantages likely to be gained.

This paper is based on the consideration that a similar change
of emphasis is likely to take place in relation to strategies
appropriate to the defence of Internet-based systems. While host-
based and personal approaches to information-asset security
against hostile actions are unlikely rapidly to become
irrelevant, these are expected, however, to become a less
significant part of the overall mix.

This paper is therefore particularly concerned with the issue
which affects Internet security resulting from the extent to
which it can be used anonymously, and the extent to which it can
be used for hostile purposes without the perpetrator being easily
identifiable.

No single security measure, taken on its own, is likely ever to
be able completely to resist all conceivable forms of attack. For
this reason practical security is likely to involve a layered
approach. For example the use of smart cards in storing digital
cash or digitally signing payments is likely to be accepted where
the cost of attack is greater than the maximum advantage an
attacker might gain. This is likely to place practical limits on
the sizes of transaction which will be carried out through such
means with transactions over particular limits requiring more
intensive checks; transactions of greater amounts are likely to
require further supportive evidence of the intentions and
identities of the parties involved.

One of the most difficult classes of attack to counter involve
those carried out by an insider. Possibly the most difficult
class involves a conspiracy of insiders (e.g. as caused the BCCI
bank failure). Those devising means of countering such attacks
will try to prevent any individuals having much information or
insider access to more than 1 or 2 layers of a multilayered
approach. For example, a bank might want to prevent those
servicing the transaction recording parts of an ATM system to
have no access to the networking encryption parts of the same
system and vice versa.


5. Contractual agreements between ISPs and Internet users

All known Internet Service Providers (ISPs) have acceptable use
policies (AUP) to which they expect their users to agree before
they will give these users access to the Internet or Internet-
based services. This is not something that has arisen by chance.
For the Internet to be able to carry out its technical functions
ISPs require peering and backbone-access contractual agreements
with each other. These agreements have resulted in the ISPs
having to impose conditions upon their users as part of the
contract resulting in provision of access.

The implications of this are demonstrated, albeit to a limited
extent, in the sense that ISPs will refuse mail connections (4)
with other ISPs who adopt a friendly or even a neutral approach
to customers and users who originate unsolicited bulk email
(UBE). This implies that ISPs will need increasingly to impose
access conditions upon their users in order to be able to provide
connections to certain Internet services.

Those like myself who are in receipt of frequent UBE might well
question the effectiveness of this. While the measures against
UBE are clearly not yet completely effective, given the very
substantial differences in delivery cost between UBE and other
forms of direct marketing, it would appear that without the
measures already in place to counter this threat resulting in
increases to the total costs to perpetrators of this form of
misuse, the Internet mail service would have ceased to be useful
for many purposes to many users some time ago.

An examination of the contents of UBE suggests a changing
pattern. A year or more ago it was very common for UBE to contain
pointers to web sites being advertised. This is no longer the
case, presumably because pressure within the ISP community
results in rapid termination of service to these web sites as
soon as a related UBE operation is detected. This is demonstrated
by the fact that any valid return addresses (without which UBE
can have no conceivable financial motive) now used by senders of
UBE almost exclusively involve relatively inefficient non-
Internet based forms of communication.

My conclusion from this analysis is that contractual agreements
between Internet Service Providers and each other and between
ISPs and their customers or users are feasible to enable the
construction of networked applications of greater value than
could otherwise be obtained. The logical development of this
implies the initial encouragement and later enforced use of
stronger authentication methods to restrict network access to
identified users. The possibilities which this mechanism might
enable make other associated technical Internet security
solutions more fully scalable.

It is unlikely that ISPs will want to remove access to existing
users who are unable to invest in or adopt new methods or
techniques. They might decide, however, to require improved
security in respect of new Internet services or services provided
at lower cost to the user.


6. Portable embedded systems and public-key authentication

This approach involves the adoption of a standardised means of
authenticating Internet users and their automated agents based
on the embedded applications of public-key digital signature
technology e.g. within credit-card sized smart cards or similar
devices.

Current commonly-used automated methods of authenticating
individuals or software agents leave much to be desired.
Passwords and PIN numbers are too easily lost, handled
insecurely, forgotten and stolen. Proposed methods involving
biometrics e.g. though voice or fingerprint recognition, while
having attracted much research interest in recent years, are
either considered too intrusive (e.g. retinal scanning) or result
in too many false positives (i.e. impersonations being accepted
as genuine) or false negatives (i.e. genuine users being rejected
as impersonators) or suffer some combination of these
disadvantages.

The weaknesses of an unencrypted password-based system within a
public electronic environment were demonstrated some years ago
with the introduction of electronic remote-control key-code
access to vehicle security systems. This development was very
soon followed by the criminal use of scanners in car parks so
these keys could be recorded and mimicked and illegal access
gained. Similar weaknesses are attributed to all plaintext
password transmission systems over the Internet or local area
networks.

There are, however, clearly advantages in security systems being
able to identify or authenticate users where public channels are
required for the exchange of the messages involved in
authenticating the user to the system or the system to the user
or authenticating both to each other. One approach to this
requirement is known as the one-time pad, where the
authenticating and authenticated systems hold a secret set of
codes or passwords which may only be used once, typically
requiring that each password is used once only and in the correct
sequence. However this and most other approaches suffer from the
drawback that secrets must be shared between the authenticated
and authenticating systems. This results in further technical and
organisational problems concerned with key management.

The most promising approach to these problems is known as public
key encryption. With this technology keys are created in matched
pairs, with each pair comprising a private and a public key. The
public key can be safely disclosed and used to verify messages
signed using the private key, because the private key cannot be
deduced from knowledge of the associated public key. The
advantage of this approach is that it does not require any
secrets to be shared or held by anyone other than the person or
party who has most to gain by keeping the private key secure.

The technical barriers to widespread adoption of this technology
are rapidly being overcome. It is not easy to keep a private key
stored on a floppy disk or PC very securely when it has to be
processed using a program on a PC. These operational procedures
are therefore unlikely to be adopted by most PC users. However
when:

a. a private key can be held on a credit-card sized smart device
with an embedded processor such that:

b. messages can be transferred to this device, encrypted and
signed on this device and exported from it in such a manner that
the private key never leaves this device,

c. the key is not easily obtained by anything external to this
card and

d. only one copy of this private key is ever available,

then security of digital signatures based upon such devices and
transmitted to other systems depends upon fewer uncertainties
than exist with traditional PIN, key or password-based systems.

Using devices of this kind the security of the signatures created
using them will depend upon:

a. The technical difficulties of breaking the encryption
algorithms used, either through an exhaustive key search
involving trying all possible key combinations or through
weaknesses or trapdoors in the public-key algorithm.

b. The difficulties of subverting the process by which keys are
created and issued such that another copy of the private key can
be used by an attacker. This depends upon an attacker having
privileged access to the card manufacturing and issuing system.

c. The difficulties of obtaining information leading to discovery
of secret keys by physically or electrically probing and
analysing the smart card devices themselves. This kind of attack
requires that the attacker have access to the card and might also
involve expensive equipment and skills which are highly
specialised (5).

d. The ability of attackers to steal the smart encryption card,
together with PIN numbers or passwords needed to activate such,
and use these in furtherance of an attack prior to the legitimate
owner discovering this loss and repudiating the compromised keys.

e. The ability of attackers to coerce the users of smart cards
to make signatures or decrypt information using these against
their will.

f. The ability of persons or systems verifying digital signatures
to establish that the public key associated with signatures and
used in this verification process genuinely belongs to the party
using the private key and has not been timed out or repudiated.

g. The ability of attackers to subvert the systems used to verify
these signatures.

It goes without saying that none of the attacks described above
are likely to be made if there is a high enough associated cost
(e.g. using a brute force keysearch) or if it carries sufficient
risk of the attacker being detected to make the likely benefits
obtained from an attack not worthwhile.

While it is unlikely that any embedded public-key smart-card
based authentication system can be devised which can completely
eliminate any risk of the above weaknesses (or other weaknesses
which might exist but have not been considered) the approach
described above reduces substantially the problems associated
with password or PIN based systems which are currently in general
use. and suffers none of the disadvantages of biometric based
systems.

The widespread adoption of this system is held back:

a. by the absence of agreement on the standards to be adopted,
partly due to rapidly advancing technology and

b. by the effects of legislated obstructions to the export of
encryption technology.

It is considered very likely that both of these difficulties will
be substantially overcome within the next five years or so; for
example very widespread adoption of this technology might require
certain price points to be reached e.g. 1 US Dollar for the cards
and 20 US Dollars for the card read/write interfaces. Some
reliability problems have also been reported with contact based
cards which are thought to have been overcome with contactless
cards.

It is also thought likely that the relative strengths of this
technology, in comparison with currently used methods of
authentication, are sufficiently advantageous that digitally
signed transactions using smart card technology will be in common
use for signing payment transactions and gaining system and
network access by 2005. This technological development is thought
to be a prerequisite for more secure Internet access and mass
acceptance of low cost payment technology described below.


7. The recording of context: was he or she really present ?

For transactions requiring a greater degree of confidence in the
identity of the originator some use is likely of automated
methods involving the recording of context and potentially
involving automated analysis of this supporting information.

In the off-line world the security of most transactions depends
upon the existence of a considerable wealth of potential evidence
being associable with the movements of individuals. This arises
through the general nature of the world in which we live, our
interactions with this world and the ability of human
observation, automatic recordings and forensic and other
investigations to record, analyse and make sense of this
evidence.

For example, it may be easy to steal or forge a credit card and
copy magnetic stripe data on conventional cards, but using this
token, however insecure its technical basis, to carry out
fraudulent transactions involves a greater risk. For example,
ordering goods by credit card requires delivery of these goods
to the address recorded against the credit card or the presence
of the individual at the ordering point. Ordering theatre tickets
involving credit card payment involves the user of these tickets
being in a known place at a known time after the transaction is
initiated. Buying fuel or clothes using plastic is likely to
result in the video recording of the person obtaining these items
on a shop security system.

When a major crime such as murder is investigated the detectives
might collect, organise and sift through tens of thousands of
minor details and observations associated with the movements of
anyone who was in the area or might be connected in any other
way, however peripherally, to the crime.

Use of the Internet by a criminal can make collection of this
kind of supplementary or background evidence by law enforcers
more difficult, because an electronically mediated action can
originate from anywhere and associated computer records, such as
exist, might in some cases be deliberately falsified, corrupted
or deleted.

In situations where the risk of crime exists or is high, however,
contextual information associated with particular electronic
transactions can be automatically recorded and secured from
further tampering e.g. through use of write-only media which is
subsequently taken off line and secured. This contextual
information is likely to include live recordings of question and
answer interactive voice and video sessions etc. in order to
record associated trails of evidence which might be available for
verifying the identity of parties to certain Internet-based
transactions if and when this needs to be investigated in the
event of disputes. These records might also be associated with
supporting information collected using digital signatures,
biometric scans and PINs or passwords etc.

For an example of how this might work, ATM cash machines are now
routinely being equipped with video recording equipment. A
further defence of this kind might result in a series of more
sophisticated attacks, with more advanced countermeasures against
these attacks, e.g.:

a. An attacker might obscure the video camera. Detection of such
an event might result in cards inserted being retained by the ATM
with no payout.

b. An attacker might wear a mask to blank their face either
partially or entirely. A pattern recognition program might be
able to detect the absence of a full human face and sound an
alarm in the shopping centre security office or local police
station etc. This would require less sophisticated pattern
analysis and recognition than would be needed positively to
identify a known face.

c. An attacker who was aware of this might wear a mask to look
like another person who might be recognised, hoping that
automated real-time analysis and recognition activities are not
adequate to recognise specific faces prior to the payment being
made, such that later analysis of the recording might lead the
authorities to other suspects.

d. An attacker who believes that the pattern recognition
capabilities of the ATM system or services to which the ATM was
connected is capable of recognising the account holder might wear
a mask or makeup etc. to make their face resemble that of the
person from whom they have stolen a card and PIN.

The fact that attack d. is conceivable does not make having a
video camera in an ATM machine any less worthwhile, as it greatly
raises the technical difficulty and cost to the attacker, perhaps
to the point where such attacks might begin to cost more than any
advantage which can be gained.

It should also be noted that methods like this, of obtaining
context information associated with the kinds of transaction
increasingly likely to take place on-line over the Internet, do
not require that such context be recorded with every single
transaction. The fact that a proportion of ATM machines are
equipped with video recording facilities and automated facial
recognition might act as a sufficient deterrent to ATM user
impersonation even if this proportion is small, so long as
someone considering this impersonation does not know and has no
method of detecting which ATM machines are so equipped.


8. Using accounted payments as a security guarantor

The introduction of ubiquitous and low-cost transaction
technology for account-based payments based on the author's MRS
proposal (3) will make it feasible for those providing on-line
services to require a very small account-based financial
transaction as an entry protocol before allowing access.

The requirement for an account-based financial transaction before
another kind of on-line transaction can be facilitated helps to
guarantee the identity of the initiator, because when money is
at stake people will behave carefully. This is perhaps the best
guarantee against the security lapses which typically occur
through users or operators feeling no personal degree of
responsibility and accountability for the integrity and security
of the system they are using or operating. The existence of this
protocol between an ISP and their user will give other ISPs the
degree of confidence needed to handle this user's traffic,
knowing that the home ISP of this user can identify them through
an audit trail.

For an example of how payments improve on-line security, in my
own university work environment there was a noticeable reduction
in the frequency of student users forgetting their passwords,
following the introduction of a system which ensured that a
password could only be used to gain access to one login session
at a time and that a small fee is charged for the reissue of a
password.

There has been some speculation in the past (6) that the dominant
method of Internet-mediated payments will in future involve
anonymous transactions, where it is proposed that the payee might
know that payment has been cleared but has no indication of the
identity of the payer.

It has further been proposed that such systems might enable
payments to be aggregated and executed sufficiently anonymously
to enable the open on-line finance of assassination services.
These would in theory be paid for by multiple anonymous sponsors
and provided for by anonymous contractors known on the net
through the combination of a unique encryption key, associated
alias and reputation. It is understood also that the
cryptographic analysis of such payment services is credible to
those with sufficient expertise to carry this analysis out. If
true, however, this does not change anything if the analysis of
other bases of the payment system involved in the perpetration
of such crimes demonstrates one or more of these bases to be
flawed.

A wider analysis of such payment systems imply these not to be
financially credible because their existence could never be
politically viable. For a payment in any currency to be accepted
the person accepting it has to believe that others will exchange
goods and services for it. How can we know that the money we
accept is not forged ? Whatever type of currency is involved this
question is answered by reference to some authority; there will
inevitably be some party, institution or group acting as its
guarantor, by being willing to exchange it either for something
else of value or some other accepted form of money. However, no-
one will be willing to undertake this role if acceptance of a
form of money implicates one as an accessory to a serious crime
financed using this payment system and which this payment system
made possible.

Even if the guarantors of transactions involving a payment system
were to locate themselves in countries with different laws, no
country can afford to be associated with the sponsorship or
underwriting of assassination and terrorism. Locating a currency
guarantee operation offshore might escape the laws of a country
determined to protect the lives of its citizens but, as the
recent history of responses to state-supported terrorism
demonstrates, this will not protect its operators or operations
from aerial bombardment and other forms of military attack.

Within the current financial system the only payments which do
not leave an audit trail appear to involve either small amounts
of physical notes and coins or those concerned with tax evasion
and money laundering. For this reason all banks are nowadays
expected to report all cash transactions above certain limits.
As no on-line technology associated with anonymous digital forms
of cash is likely to be able to prevent aggregation of payments
for criminal purposes this also suggests that Internet-based
digital-cash systems are unlikely ever to be fully anonymous to
the extent describe above, even if they are allowed to provide
limited degrees of privacy in practice.

Financial institutions know that the reputation of their money
depends upon the integrity of their organisation and operations.
For this reason the initiative to create an Internet-based
anonymous digital-cash payment system which would enable on-line
pornography providers to provide services paid for without risk
of customer credit-card payment repudiation failed when the
backer pulled out (6).

The analysis of transaction security in relation to associated
participant contextual information further supports the
conclusion that Internet payments must inevitably result in some
kind of an audit trail. If we accept this to be the case the
question of how Internet payments will be handled in future
depends upon the cost-effectiveness and practicality of the
payment system design.

The main criticism of conventionally-cleared account-based
payments is that the cost of clearing these makes their use for
small payments impractical. The LETSystem (2) provides a payment
system design for which the security considerations of on-line
transactions differ significantly from those associated with the
direct use of conventional money. This design is compatible with
conventional money in that use of low-cost LETSystem
micropayments using an automated MRS network (3) might be
combined with a conventional currency, in the sense that
LETSystem participants might contract to clear their LETSystem
accounts at regular intervals in exchange for conventional money.


9. The MRS as an Internet-based payments system

For a payment system to become universal it must offer sufficient
advantages over existing methods to be widely adopted. This
payment system will require the following properties:

a. It will need to be sufficiently secure to handle systems which
are linked to conventional money such that someone accepting
payments using this method in exchange for goods and services can
be confident that these payments will be convertible, in time,
into conventional money.

b. Use of it will need to be cheap enough to make its use for
transactions of low value sufficiently attractive. For example,
those providing information or services though web sites are
unable to sell information articles or services for a few pence
or cents or small fractions of such to each of a large number of
customers. Another example might be that some people will want
to charge those sending them electronic mail a small amount of
money before they will accept it in order to raise the cost of
mail delivery for direct marketing operations to something
comparable to the cost of the attention of the person receiving
this information.

c. It will need to be flexible enough in order to be able to
handle payments denominated in a wide variety of conventional,
trade and community currencies, e.g. US Dollars, Saudi Rials,
Coventry UK LETSystem points, air miles, Sainsbury UK supermarket
loyalty points, Comox Valley BC Canada community way credits (7)
etc.

d. It will ultimately need to be scalable enough to be able to
handle hundreds of payments per day for everyone on planet earth
who uses money.

The MRS protocol design (3) allows for all of the above
requirements. MRS security arises through the use of a
conventional double-entry bookkeeping protocol and the
requirement that a separate audit trail record is made of each
transaction, ensuring that every transaction is stored in at
least 3 locations on at least 2 (more typically 3) geographically
separated servers.

This will be supplemented through the requirement for digital
signatures to be associated with transactions as discussed above,
and through the need to store associated contextual information
(e.g. video and audio records) for transactions of over a certain
size. Payments of various sizes directly carried out and
aggregated using LETSystems and later cleared into conventional
money will allow payers a repudiation period (prior to clearance
into conventional money), while the signature and recorded
context will give payees sufficient confidence that payer
repudiation is unlikely and might be legitimately counter-
challenged.

This protocol will be cheap to operate because every routine and
operational aspect of it can be automated, except for operations
concerned with user registration and issue of smart cards. There
might also be some expenses for payees involved in challenging
payment repudiation and some for payers in checking account
statements in order to decide when to repudiate a payment.
However, all of these exceptional costs already arise in the
conventional economy e.g. as might be associated with account
statement vigilance, and occasional cheque cancellation and
civil-court actions to obtain payment refused following provision
of services.

As with the Internet itself the proposed MRS network has no
single point of failure or control. The MRS payment protocol is
flexible enough to handle any kind of accountable currency and
is scalable enough to handle any number of users and any likely
number of transactions.

It achieves this through the use of an Internet DNS-based (1)
naming convention for naming:

a. the registries through which users are registered on the
network,

b. the payment systems which are in use between users and

c. the servers used to handle relevant payments.

This will enable any payment to be made between any 2 users of
any currency or accountable point recording system without naming
or routing ambiguities. Any number of servers might also be
involved in providing access to the accounting operations, audit
trail recording and providing access to copies of public keys
verifiable through being signed by trusted third parties, such
that any of the potentially millions of payment systems within
this network might be able to handle millions of accounts.

The capacity of a payment system, which might be distributed over
very many transaction servers, is likely to be limited by the
capacity of the clustering arrangement for the audit-trail
recording service associated with a particular payment system or
currency. This might be considered as a single point of failure,
but it applies only to a single payment system. This arises
through the need to be able to audit a payment system as a
coherent entity. The MRS network as a whole is designed to handle
very many such systems, any of which could potentially fail
without having a significant effect on the others.

One consequence of this is that payments are likely to be
required between users of different currencies or payment systems
who do not have accounts on the same system. To make the overall
system fully scalable, some of the payment systems used within
this network will therefore be concerned with the automated
clearing of these "foreign exchange" type payments involving
transactions with payers and payees who use accounts involving
different currencies and payment systems.


10. Conclusion

The growing difficulties of securing Internet services against
anonymous and coordinated attacks are likely to result in ISPs
establishing more highly coordinated forms of defence. These will
arise, partly through formal contractual obligations between ISPs
to trace and respond to misuse, and partly through technical
protocols which will enable these contractual obligations to be
met. This is likely to change the relationship between ISPs and
Internet users, with the ISPs requiring stronger authentication
and audit protocols for newer and lower-cost Internet services,
so that ISPs will be able to identify more positively who their
users are. The user-authentication protocols likely to be adopted
will also enable the development of a fully-scalable, low-cost,
secure and ubiquitous Internet-based payments network, capable
of handling any number of payments, currencies and settlement
systems.


11. References

(1) DNS: The Domain Name System
P. Mockapetris
IETF RFC1101
ftp://ftp.isi.edu/in-notes/rfc1101.txt

(2) The LETSystem home page
Michael Linton
http://www.gmlets.u-net.com/

(3) The Multi Registry System
Richard Kay
http://www.driveout.demon.co.uk/mrs2.html

(4) Mail Abuse Prevention System
Paul Vixie
http://maps.vix.com/

(5) Tamper Resistance - a Cautionary Note
Ross Anderson, Markus Kuhn
http://www.cl.cam.ac.uk/users/rja14/tamper.html

(6) A Market Model For Digital Bearer Instrument Underwriting
Robert Hettinga
http://www.philodox.com/modelpaper.html

(7) Community Way Projects
Michael Linton, Ernie Yacub
http://www.ratical.org/communityway/index.html


Picture Attachments:


File: affidp1 (1).jpg 


File: affidp2 (1).jpg 


File: affidp3 (1).jpg