Financial identity is *dangerous*? (was re: Fake companies, real money)

Ian Grigg iang at systemics.com
Mon Nov 1 16:41:33 EST 2004 

Ben,

> Ian Grigg wrote:
>> It should be obvious.  But it's not.  A few billions
>> of investment in smart cards says that it is anything
>> but obvious.
>
> That assumes that the goal of smartcards is to increase security instead
> of to decrease liability.

On whether the goal of smart cards is to reduce
liability:

a)  Not with any systems I was familiar:  the major Dutch
systems were defensive, oriented to filling the space
that was potentially threatened by other parties.  The
trials were goaled to increase security, which they did
not by using smart cards, but by eliminating cash, which
had created an unacceptable risk of serious theft in
unattended petrol stations.  The same happened with UK
phone cards...  I'm unfamiliar with Mondex or the Belgium/
Proton based motives, but their structures indicate that
liability was not a question uppermost on their minds.

b)  Liability reduction cannot be a goal.  If it was, then
one could achieve the goal completely - eliminate liability -
by not doing the project.  Instead, liability and/or
reduction of same is a _limitation_ on the goal of the
system.

c)  Whether liability reduction entered into any smart
card system as a limitation on their goals is a little
uncertain.  I would say no, as all the systems were
early stage in the institutional model;  in which case
there was little or no liability.  Instead, the only
drivers in that vague area would have been future
running costs reduction, which would have included well
considered security models, and partially considered
user support models, to reduce over all costs.  Including
all forms of risks, of course.

d)  Liability reduction generally comes into play when a
system is mature and/or regulatory issues come into play.
That is, liability reduction is something often seen when
the desire is to avoid surprises, and to avoid any costs
cropping up that weren't well built into the costs model.
I.e., the risk models used by credit card operators are
one example, and the customer agreement models (or whatever
they are called) used by CAs are another example of liability
reduction.

e) Perversely, banks practice liability increase as well as
reduction.  In fact, a pure banking model is about the risk
of a loan, and they specialise in measuring and managing
the risk of that loan.  But, as we are talking about payment
systems, and loans are banking, and banking is not payment
systems, that would be a change in business, so out of
scope of the original topic.

f)  And, of course, all institutions will practice liability
increase if they can turn it into a barrier to entry, that
is, cartelise the industry so as to block new entrants.  See
the eMoney directive for the European barrier to entry, which
was effectively coordinated by the Bundesbank on behalf of
the banks, and resulted in the "like a bank, but not a bank,
and as costly as a bank" approach to digital cash.

All of which might or might not hit the target of liability
as you wrote it?

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list