
Topic: tlsnotary - cryptographic proof of fiat transfer for p2p exchanges (Read 42802 times)

staff
Activity: 4256
Merit: 1203
I support freedom of choice
It isn't working currently.
Is there anyone that can run an alternative?
full member
Activity: 202
Merit: 100
@Sylz, I'll need much more context for what you are asking, but the short answer is
you can use tlsnotary-based PageSigner to create a transferable proof of e.g. blockchain.info's webpage showing the payment/transaction.
newbie
Activity: 3
Merit: 0
Hi,

Could tlsnotary be applied to wallets and prove a payment was made? Saw implementation to SSL, but I think for crypto payment it should be done differently.

Tnx
hero member
Activity: 560
Merit: 506
I prefer Zakir over Muhammed when mentioning me!
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Neat how this project is branching out naturally based on the original concept.
sr. member
Activity: 469
Merit: 253
Browserless pagesigner: https://github.com/tlsnotary/pagesigner-browserless

This allows you to notarize a page from the command line, enabling automation. This version was created in response to someone who's creating an oracle for real world data; with this, they can use pagesigner to query an API (with their credentials) and generate a proof of data recorded by an authoritative website.

See the README for usage notes.

sr. member
Activity: 469
Merit: 253
From a discussion about a particular use case on IRC (API access), I feel like it's worth laying out the tradeoffs between three technologies:
(Edit: this table was not well designed: a 'yes' means 'using this feature/technology'. So if there are two 'yes'es on one row, it means combining those technologies together).

| tlsnotary | website's digital signature | (amazon aws) oracle | Provides... |
|---|---|---|---|
| no | yes | no | Non-repudiable data (the webserver signs the webpage). The webserver chooses what to sign. Rarely used, controlled by webserver. |
| no | no | yes | Proof that the oracle ran the code that's claimed |
| yes | no | no | Proof to *one* party that the webpage is genuine |
| yes | no | yes | Non-repudiable proof if the oracle signs the hash of the page (i.e. like digital signature) |

Consider the application: API access. Oracle only looks like a good choice: write the oracle to retrieve the webpage (just ping it with a url, it sends back the result) - note that the oracle could then append its *own* digital signature, to provide the non-repudiability you're looking for. This does, however, require giving the oracle control of the API credentials (which conceivably *could* be OK, but at the very least it means passing it outside your machine). Using the last row of the table (which is what pagesigner uses) is more complex but has the advantage of putting a wall between the credentials needed for access and the oracle. Also having the oracle be the source IP address of https requests could have disadvantages.
sr. member
Activity: 469
Merit: 253
Chrome is now supported (same link as before, short walkthrough for installation provided there; Firefox is a one (ish) click install, but Chrome requires pushing a few buttons in the correct sequence :) )
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
> https://www.tlsnotary.org/pagesigner.html
>
> PageSigner is a drastic simplification of the user experience of TLSNotary. You can get a file which proves you visited a webpage with one click in Firefox. No need for Python, key management, or delays (it takes a few seconds). You can pass the file to an auditor at any later date and they can verify it. Watch the walkthrough video on the above page and let us know what you think.
>
> There's a lot more to say, but feel free to give it a try and get back to us with any questions.

Sounds like a major milestone. I'll test it out.
sr. member
Activity: 469
Merit: 253
https://www.tlsnotary.org/pagesigner.html

PageSigner is a drastic simplification of the user experience of TLSNotary. You can get a file which proves you visited a webpage with one click in Firefox. No need for Python, key management, or delays (it takes a few seconds). You can pass the file to an auditor at any later date and they can verify it. Watch the walkthrough video on the above page and let us know what you think.

There's a lot more to say, but feel free to give it a try and get back to us with any questions.
sr. member
Activity: 469
Merit: 253
You can try verifying an example audit, see the notes here: https://tlsnotary.org/audits.html

The example given is a file proving a PM I received on reddit from dansmith. You can verify it's authentic in about 10 seconds by running the `python tlsnotary-auditor.py ` in the src/auditee directory of the repo https://github.com/AdamISZ/taas-poc-1-auditee.

Hopefully others will add a few similar .audit files there for experimentation.

A reminder, it needs openssl for the signatures; for Linux/MacOS it'll be there by default, but if you're on Windows you may not have that (this will change at some point, it's just for proof of concept).
sr. member
Activity: 469
Merit: 253
Feel free to read the latest blog post and try out the new version (only proof of concept, but functional):

https://tlsnotary.org/wp/?p=27

Simple explanation: audit a page and get a .audit file. You can give it to an auditor later - where 'auditor' means anyone :). It's transferable (it's as if the server had signed the page with a digital signature).
You perform the audit with a remote 'notary server', which knows basically nothing: there is no login, no credentials, you don't give the notary server either your html or the encrypted version of your html. It sees nothing except the server pubkey. It just provides you with some preliminary random secrets and then signs that you received the completed version of the secrets after you committed to a hash of your encrypted data.

Well, a little more detail in the blog post above.

Note that although there isn't much going on at the main repo https://github.com/tlsnotary/tlsnotary at the moment, there is a lot of work being done in other places.

In a little while I might throw up a couple of .audit files so others can look at them (you can just run the auditor script locally to verify a .audit file's validity).
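
The ordering described in this post (commit to a hash of the encrypted data, then receive the notary's secret and signature), together with the "oracle signs the hash of the page" row of the tradeoff table elsewhere in this thread, as an added example that is not part of the original post and is not TLSNotary or PageSigner code. It is a simplified model: TLS key derivation and decryption are left out, and the names `makeNotary`, `createAudit`, `verifyAudit` and all sample bytes are constructed for illustration.

```javascript
// Added example: simplified commit-then-sign model, not TLSNotary/PageSigner code.
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Hypothetical notary: it sees only a commitment hash and the server public key,
// never the page or its encrypted form.
function makeNotary() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const withheldSecret = crypto.randomBytes(32); // released only after the commitment
  return {
    publicKey,
    notarize(commitment, serverPubkey) {
      if (!Buffer.isBuffer(commitment) || commitment.length !== 32) {
        throw new Error('commitment must be a 32-byte SHA-256 digest');
      }
      // Fixed-length fields (32 + 32 + 32 bytes), so the concatenation is unambiguous.
      const signed = Buffer.concat([commitment, sha256(serverPubkey), withheldSecret]);
      return { secret: withheldSecret, signature: crypto.sign(null, signed, privateKey) };
    },
  };
}

// Auditee: commits to the encrypted response first, then receives secret + signature.
function createAudit(notary, ciphertext, serverPubkey) {
  const { secret, signature } = notary.notarize(sha256(ciphertext), serverPubkey);
  return { ciphertext, serverPubkey, secret, signature };
}

// Auditor (anyone holding the notary public key): recompute the hashes and verify.
function verifyAudit(audit, notaryPublicKey) {
  const signed = Buffer.concat([sha256(audit.ciphertext), sha256(audit.serverPubkey), audit.secret]);
  return crypto.verify(null, signed, notaryPublicKey, audit.signature);
}

// Constructed sample data (placeholders, not real TLS records or keys).
const notary = makeNotary();
const audit = createAudit(
  notary,
  Buffer.from('constructed-encrypted-http-response'),
  Buffer.from('constructed-server-public-key'),
);
const tampered = { ...audit, ciphertext: Buffer.from('constructed-altered-response') };
const wrongServer = { ...audit, serverPubkey: Buffer.from('constructed-other-server-key') };

console.log('genuine audit verifies:', verifyAudit(audit, notary.publicKey));
console.log('altered ciphertext verifies:', verifyAudit(tampered, notary.publicKey));
console.log('swapped server key verifies:', verifyAudit(wrongServer, notary.publicKey));
```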



hero member
Activity: 784
Merit: 1000
>> We are happy to report that https://bitbargain.co.uk (a fiat<->btc marketplace) told us that they successfully used TLSNotary in an unusual case where the bank lost the buyer's payment.
>>
>> Even though https://bitbargain.co.uk processes ~300 trades per day, twice a year they'll have a situation where there is no way to resolve a disagreement between reputable parties.
>>
>> Using TLSNotary the seller showed to the BitBargain staff their online bank's statement page (with a cryptographic proof) without revealing their bank's login/password. Good times.
>
> So the buyer proved they had actually made the bank transfer using TLSnotary also?
>
> And seller was able to prove he hadn't received (yet) because the bank had lost the payment.
>
> Interesting that a bitcoin-centric system for removing trust has been used to prove legacy banking error ... good work.

AFAIK, the seller provided a proof, then the buyer was advised to press his bank more, who was later found to be the party at fault.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
> We are happy to report that https://bitbargain.co.uk (a fiat<->btc marketplace) told us that they successfully used TLSNotary in an unusual case where the bank lost the buyer's payment.
>
> Even though https://bitbargain.co.uk processes ~300 trades per day, twice a year they'll have a situation where there is no way to resolve a disagreement between reputable parties.
>
> Using TLSNotary the seller showed to the BitBargain staff their online bank's statement page (with a cryptographic proof) without revealing their bank's login/password. Good times.

So the buyer proved they had actually made the bank transfer using TLSnotary also?

And seller was able to prove he hadn't received (yet) because the bank had lost the payment.

Interesting that a bitcoin-centric system for removing trust has been used to prove legacy banking error ... good work.
full member
Activity: 202
Merit: 100
We are happy to report that https://bitbargain.co.uk (a fiat<->btc marketplace) told us that they successfully used TLSNotary in an unusual case where the bank lost the buyer's payment.

Even though https://bitbargain.co.uk processes ~300 trades per day, twice a year they'll have a situation where there is no way to resolve a disagreement between reputable parties.

Using TLSNotary the seller showed to the BitBargain staff their online bank's statement page (with a cryptographic proof) without revealing their bank's login/password. Good times.
hero member
Activity: 784
Merit: 1000
> This is jaw-dropping!
>
> I successfully self-tested myself on a few websites and I'm especially amazed, because the whole process (or the part that I saw until now) was straightforward and without unexpected behavior or any other obstacles.

Thanks a lot, still, worth it to remind again to log out before you send anything to a real human! ;)
sr. member
Activity: 469
Merit: 253
> This is jaw-dropping!
>
> I successfully self-tested myself on a few websites and I'm especially amazed, because the whole process (or the part that I saw until now) was straightforward and without unexpected behavior or any other obstacles.

Good to hear.

As you can see, this thread hasn't been very active recently. You're welcome to post any thoughts/queries etc. here, or you can join us on IRC (freenode) at #tlsnotary-chat, or you can post an issue on github (https://github.com/tlsnotary/tlsnotary), or you can even take a look at the nascent discussion forum https://tlsnotary.org/smf (we're trying to put together a proper website, but it's not done). So I guess that's enough options. Now we just need a few more people like you to test it out :)
legendary
Activity: 1106
Merit: 1024
This is jaw-dropping!

I successfully self-tested myself on a few websites and I'm especially amazed, because the whole process (or the part that I saw until now) was straightforward and without unexpected behavior or any other obstacles.
hgt
newbie
Activity: 8
Merit: 0
Thanks for the clarification.
sr. member
Activity: 469
Merit: 253
hgt,
Yes I fully understand what you're saying. I did want to start from the most important basis though - that it's not different from existing audit mechanisms in terms of privacy and permission.

I share the same perspective as you that, given the Bank Secrecy Act, 'structuring' and so on, we live in a world where if those in power decide that they don't want something, it can be declared illegal at any time - because terrorism, because child porn, whatever, and logic be damned.

But I'm not sure the risk that you highlighted is the most important one to focus on. It's true that having an auditor not know any transaction details is preferable, but we are talking about manual audits here because we cannot automate the interpretation of bank transaction pages for all banks, which means that at the very minimum the auditor *must* know the account number and bank, IF an audit takes place. So currently the situation is: your counterparty *always* knows your bank identity (account number), your auditor knows it only if there is an audit, which will of course be all the rarer because it's impossible to fake the result.

It is very likely that an auditor will need to have significant community reputation to operate. There's nothing intrinsic in this software deciding how auditors get setup - there could be thousands, there could be just one. I personally like the design of having a large pool which gets chosen from in an unpredictable way to minimise collusion/bad actor risk, but this is a matter of considerable debate in groups like TLSNotary, bitsquare, openbazaar etc.

An automated auditor - running on an 'oracle' - is a nice concept, which we've already played around with. But (a) not sure the technology is really ready for it and (b) it would need perfectly predictable parsing of transaction records. Could work with one fixed fiat payment method perhaps (assuming you can set up an oracle!)

