Excellent.
Thanks!
First thought, how secure is the key generation in this? I'm thinking partly about the generation algorithm (deterministic? random?), but also about what kind of guarantees customers have that you aren't saving all your keys somewhere.
The process involves using both a hardware random generator and a firmware random pool. But most important, the process is a two-party computation where the hardware cannot force a certain key-pair, nor generate key-pairs with any probability distribution other than uniform random.
Regarding saving the keys somewhere, there is no problem with saving these keys. Whenever you decide to extract the funds from a Firmcoin, you should also transfer the funds to another Bitcoin address.
Nevertheless, the Firmcoin will wipe the keys from memory and it can prove (yes it can) that the keys have been erased.
The way it is proved is by a method I created that is called "practical compressibility". Basically the device will fill its memory with some incompressible data and then send you a hash of this data in reverse order, proving that there is no free memory left that can hold a private key.
Second thought, you could make these cards even more trust-free by using 2-of-2 transactions, where one key is generated by the card and the other is generated by the customer's own device. Thus, when I receive a card I generate a key by myself and give it to the card and therefore know that you can't steal my funds. If I give the card to someone else as payment he knows I can't steal the funds since I don't have access to the key generated by the card.
Yes, I've already discussed this setting somewhere in the bitcointalk forum (here: https://bitcointalksearch.org/topic/m.2463058)
Is there any clever protection against fooling the card making it think it has funds when it doesn't? The card would have to rely on data from your own device, so how come you can't just create a new key and tell the card it's funded?
First, you don't create the key: the Firmcoin creates the key.
To fund the Firmcoin you either give it a block-chain branch which proves that the funds were transferred to the Firmcoin, or you get a certificate from one or more Certificate "authorities" that proves that the address is funded. If many people trust you, you can become your own CA for Firmcoin funds.
Both methods can even coexist, because the Firmcoin remembers the certifications it has.
Edit: All the bolded questions were answered to satisfaction by simply reading your FAQ.
So why didn't you write this line BEFORE the questions, so I didn't have to answer all your questions!! :-)
Only one of my questions remains then. What is the life expectancy of these cards and how durable are they?
I owe you a more technical answer to this question, but there are many usage factors we still don't know.
The product durability is affected by both physical and usage patterns (which affect the number of FLASH/EPROM write cycles).
The physical properties are very good, since there are no holes or connectors, and all the prints are inside the package.
My rough estimation is that a Firmcoin can last more than 10 years funded and more than 50 years if the Firmcoin is empty or you don't care if the funds are lost afterwards. We could add to the Firmcoin a procedure to "refresh" the memory, so if you execute this function every 5 years, you could have the same funds stored for 50 years. But I'm almost sure that the Bitcoin protocol will change in the following 50 years, so you will probably need to do something with your wallet and coins (probably change the signing scheme) before the Firmcoin wears out.
If the Firmcoin is reloaded every day, it will reach the maximum write-cycles in 270 years.
Best regards,
Sergio.
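The "practical compressibility" erasure proof described above (fill the memory with incompressible data, then return a hash of that data in reverse order), as an added simulation that is not Firmcoin's code. It assumes the fill data is expanded from a verifier-chosen challenge with counter-mode SHA-256 and that the device has a fixed, known memory size; neither detail is stated in the post.

```python
import hashlib
import hmac

MEM_SIZE = 1024  # constructed: pretend the device has 1 KiB of key-capable memory
KEY_SIZE = 32    # a Bitcoin private key


def fill_pattern(challenge: bytes, size: int) -> bytes:
    """Expand a verifier challenge into `size` bytes of pseudorandom (incompressible) data.
    Assumption: counter-mode SHA-256; the post does not say how the fill is produced."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(challenge + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def erasure_proof(memory: bytes) -> bytes:
    """The device's answer: a hash of its whole memory taken in reverse order.
    Reversing means the device needs the complete fill before it can start hashing,
    so it cannot answer by streaming the fill through and never storing it."""
    return hashlib.sha256(memory[::-1]).digest()


class Device:
    def __init__(self, key: bytes):
        self.memory = bytearray(MEM_SIZE)
        self.memory[:KEY_SIZE] = key  # the private key sits at the start of memory

    def honest_wipe(self, challenge: bytes) -> bytes:
        # Overwrite everything, key included, then prove it.
        self.memory[:] = fill_pattern(challenge, MEM_SIZE)
        return erasure_proof(bytes(self.memory))

    def cheating_wipe(self, challenge: bytes) -> bytes:
        # A device that secretly keeps the key has 32 bytes less room for the fill,
        # so its memory cannot match the full pattern and the proof fails.
        pattern = fill_pattern(challenge, MEM_SIZE)
        self.memory[KEY_SIZE:] = pattern[KEY_SIZE:]
        return erasure_proof(bytes(self.memory))


def verify(challenge: bytes, proof: bytes) -> bool:
    """Verifier recomputes the expected proof from the challenge alone."""
    expected = erasure_proof(fill_pattern(challenge, MEM_SIZE))
    return hmac.compare_digest(expected, proof)
```

The check only holds if MEM_SIZE really covers every location that could store a key; any hidden spare storage defeats it, which is why the size has to be trusted or attested.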