[bisq-network/proposals] Certification for ownership of a bank account (#23)

Manfred Karrer notifications at github.com
Sat Apr 27 17:14:43 UTC 2019 

@flix

Thanks for your idea regarding the idea about BTC based reputation system.
A few notes:
- A decentralised reputation system is very hard and as far I know none exist beside WoT. So if we work on that we should be aware that we are trying to solve a hard problem. Maybe we can solve it as we have certain conditions in our favor (bank account is a scarce resources, BSQ or BTC payment add costs against sybil atacks,...) but we should not underestimate the complexity and difficulty. It has to be really solid otherwise it just creates false feeling for security and is more damaging as it helps at least once Bisq's liquidity is bigger so more sophisticated scammers ind ways to trick it.   
- The solutions we are aiming should be able to be implemented relatively fast. Resources are limited and other important work like the new trade protocol are in the pipeline as well.
- The Bisq DAO should be considered like the BTC scripting system as very hard to change or extend once deployed. All is possible but cost/risk to benefit ration need to be kept in mind and consensus systems are very complex and dangerous to change.
- We have some tools built into the DAO which can be used to leverage new use cases. Specially bonded reputation and proof of burn. Proof of burn comes with a signature feature so that the owner of the burned BSQ can proof his ownership as well as a hash which can be used to link to any other external data (like account age or account data). Also the bonded reputation contains a hash which can be utilized.  
- Dealing with Fiat is dealing with legacy systems and I am not sure if if pure "crypto magic" is sufficient to handle that. I think the best what we can do is to piggyback on existing infrastructure which does not add new requirements (e.g. using a bank account comes with certain KYC properties which we can utilize without doing KYC) and does not add privacy weaknesses.
- The certificate idea does not reveal private information to anyone beside the trade peer. 
- Using the blockchain has privacy issues regarding chainanalysis. Using any blockchain system will restrict the user that he cannot start over with a new wallet to improve privacy and performance (old wallets with many txs get heavy with SPV mode). 
- We have to be aware that any reputation is based on some sort of identity and sticking to an identity weakens privacy. There are already now some weaknesses which we should get rid of (e.g. signature key is used for account age witness and if you don't want to lose our account age when starting with a new application directory you have to take that over and leak some inforation to your old trade/offer history). When we extend the importance of the account age we make it even harder that users can start over with a completley fresh app without connecting back to the past trade history. Not sure if it is possible at all to avoid that problem if any reputation is involved. using BSQ bonds is probably the only way to avoid those problems but then you have to take care to not leak on the blockchain side (e.g. using BSQ from the old waleet to pay the bond for the new wallet).
- Using the blockchain for up/down-voting has higher costs as using the P2P network. If you consider high future tx fees (10-30 USD) then it add even more problems to that approach.
- We should consider an off-chain trade protocol as the most likely future proof trade protocol and the protection tool should be therefor aligned with that. Using the blockchain would add costs and privacy leaks. 
- Banning a scammer should be considered exceptional (we have that the first time in 3 years basically) and to use a more centralized but more flexible and faster system as the filter tool we use now seems justified. This current filter tool can be ignored by any user if they want to so the potential risk for abuse is limited. Using the DAO with voting would be too slow. If users can start banning, downvoting you end up in new attack scenarios.
- If you add costs for up/down voting you add distortion. There might be users who don't want to pay but who would be very valueable with their feedback. There are new attack scenarios (e.g. you see a marketmaker which competes with your offer and start to downvote him to gain money from trades with your offers at higher spreads).  


>The problem with #79 is that using government certificates is limited to a few countries and at any point they could change the system on us.

Yes I agree the problem with limited regions, but to cover SEPA region is already a a huge gain, its our main market atm.
I don't consider a change of the certificate system a realistic problem. Once governemnent have rolled out something after x years it will stick around for >10 years. It is all standardized cryptography as far I understand (have not looked into details).

> Most importantly it does no require identity verification, which opens up more vulnerabilities.
It stricly need to be considered optional. I don't see much vulnerabilities. As long you are a citizen who is able to open a bank account you should be able to get that certificate. You do not reveal anything to the certificate authority how you will use that certificate in Bisq.

One alternative approach could be to use a part of the security deposit which will be either paid back to the trader or donated to the BSQ donation address in case the peer consider the peer has not fullfilled his trade contract. Can be a scale as well. So that way the peers would rate the other how satisfied they have been. They don't have much motivation to give it to the Bisq donation address as they do not directly benefit - at least not more as to have another satisfied Bisq trader. This payouts could be used then as reputation from peers. But it is important to not consider that as secruity feature but as a tool to indicate good traders who pay fast and don't cause problems. For real scammers it is too easy to game. But I think main concern is that it would leak privay on the blockchain as well would not work with the off chain trade protocol. Just wanted to share - maybe it inspires for another new idea....

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/proposals/issues/23#issuecomment-487303858
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20190427/e2ec1822/attachment.html>

More information about the bisq-github mailing list