[3697] in WWW Security List Archive
Re: anonymous e-cash
daemon@ATHENA.MIT.EDU (Pierre-Yves Bonnetain)
Wed Dec 4 16:32:29 1996
Date: Wed, 4 Dec 1996 20:11:45 +0100
From: Pierre-Yves Bonnetain <pyb@cadrus.fr>
To: diane.ellison@asu.edu
CC: www-security@ns2.rutgers.edu
In-reply-to: <32A3BD04.5D00@ix.netcom.com> (message from Diane Ellison on Mon,
02 Dec 1996 22:39:16 -0700)
Errors-To: owner-www-security@ns2.rutgers.edu
>
> I work for a bank, and I am doing independent research at ASU.
> I am trying to come up to speed on Web security issues. After
> many long hours of reading definitions etc., I am confused by
> the Internet Payment ads that describe e-cash as "totally anonymous."
>
> QUESTION: How can a sender be totally anonymous to the receiver,
> especially when the receiver needs to return a response? The
> "note" can be disguised with blinding, but how can the sender's
> IP address be disguised?
> --
I will not resume all the messages that were sent on this subject. Indeed,
your server will get the customer's IP address (and may even go as far as
his name on old versions of Netscape/Java, etc.) so anonymity is as limited
as IP addresses. If your customer runs from a UNIX system with an identd
daemon, you may even get his proper (login) name.

But don't forget either that e-cash involves a third party, aka bank or
something like that. In most situations, what you have is something like the following:
1. customer -> server, prepare order (so, you know his IP addr, delivery
   address, etc.)
2. server -> customer, bill-like HTML page with a link to e-cash
   payment system

Optional:
3. customer -> e-bank dealing with your e-cash (well, it's not yet
   normalized so there are lots of e-cash around, he needs to
   get/buy the proper one)

Non-optional:
4. you -> e-bank, asking for the money
5. e-bank -> customer, order validation, bank stuff and the like
6. e-bank -> you, order is okay, you get your money, you deliver the goods

Regarding the $$, it _is_ anonymous. You never know where the bucks come
from (except they come from the bank, obviously). But you will never get more
information than those your customer gives you.

As a parallel, when you pay with a check, you also give your name and
address (or those of the guy you stole the checks from :-). Same for a
credit card, your name is written on it.

For some e-banks, you do not even know the delivery address (yeah, fun,
indeed). It's a somehow convoluted service, but you sell/give them part of
your stock and they will deal with all the logistics involved in getting your
stuff to the proper place.

That makes my 2 cents (good deal for such a price).
--
-+-+ Pierre-Yves BONNETAIN (aka Pyb)
Consultant Internet/Securite
B & A Consultants - PROXIMA - Rue des Pyrénées
31330 Grenade-Sur-Garonne - FRANCE
Tel : 0 562.793.261 - Fax : 0 561.824.221