Pages:
Author

Topic: tlsnotary - cryptographic proof of fiat transfer for p2p exchanges (Read 42850 times)

staff
Activity: 4256
Merit: 1208
I support freedom of choice
It isn't working currently.
Is there anyone that can run an alternative?
full member
Activity: 202
Merit: 100
@Sylz, I'll need much more context for what you are asking, but the short answer is
you can use tlsnotary-based PageSigner to create a transferable proof of e.g. blockchain.info's webpage showing the payment/transaction.
newbie
Activity: 3
Merit: 0
Hi,

Could tlsnotary be applied to wallets and prove a payment was made? Saw implimantation to SSL, but I think for crypto payment it should be done differently.

Tnx
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Neat how this project is branching out naturally based on the original concept.
sr. member
Activity: 469
Merit: 253
Browserless pagesigner: https://github.com/tlsnotary/pagesigner-browserless

This allows you to notarize a page from the command line, enabling automation. This version was created in response to someone who's creating an oracle for real world data; with this, they can use pagesigner to query an API (with their credentials) and generate a proof of data recorded by an authoritative website.

See the README for usage notes.

sr. member
Activity: 469
Merit: 253
From a discussion about a particular use case on IRC (API access), I feel like it's worth laying out the tradeoffs between three technologies:
(Edit: this table was not well designed: a 'yes' means 'using this feature/technology'. So if there are two 'yes'es on one row, it means combining those technologies together).

tlsnotarywebsite's digital signature(amazon aws) oracleProvides...
noyesnoNon-repudiable data (the webserver signs the webpage). The webserver chooses what to sign. Rarely used, controlled by webserver.
nonoyesProof that the oracle ran the code that's claimed
yesnonoProof to *one* party that the webpage is genuine
yesnoyesNon-repudiable proof if the oracle signs the hash of the page (i.e. like digital signature)

Consider the application: API access. Oracle only looks like a good choice: write the oracle to retrieve the webpage (just ping it with a url, it sends back the result) - note that the oracle could then append its *own* digital signature, to provide the non-repudiability you're looking for. This does, however, require giving the oracle control of the API credentials (which conceivably *could* be OK, but at the very least it means passing it outside your machine). Using the last row of the table (which is what pagesigner uses) is more complex but has the advantage of putting a wall between the credentials needed for access and the oracle. Also having the oracle be the source IP address of https requests could have disadvantages.
sr. member
Activity: 469
Merit: 253
Chrome is now supported (same link as before, short walkthrough for installation provided there; Firefox is a one (ish) click install, but Chrome requires pushing a few buttons in the correct sequence Smiley )
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
https://www.tlsnotary.org/pagesigner.html

PageSigner is a drastic simplification of the user experience of TLSNotary. You can get a file which proves you visited a webpage with one click in Firefox. No need for Python, key management, or delays (it takes a few seconds). You can pass the file to an auditor at any later date and they can verify it. Watch the walkthrough video on the above page and let us know what you think.

There's a lot more to say, but feel free to give it a try and get back to us with any questions.

Sounds like a major milestone. I'll test it out.
sr. member
Activity: 469
Merit: 253
https://www.tlsnotary.org/pagesigner.html

PageSigner is a drastic simplification of the user experience of TLSNotary. You can get a file which proves you visited a webpage with one click in Firefox. No need for Python, key management, or delays (it takes a few seconds). You can pass the file to an auditor at any later date and they can verify it. Watch the walkthrough video on the above page and let us know what you think.

There's a lot more to say, but feel free to give it a try and get back to us with any questions.
sr. member
Activity: 469
Merit: 253
You can try verifying an example audit, see the notes here: https://tlsnotary.org/audits.html

The example given is a file proving a PM I received on reddit from dansmith. You can verify it's authentic in about 10 seconds by running the `python tlsnotary-auditor.py ` in the src/auditee directory of the repo https://github.com/AdamISZ/taas-poc-1-auditee.

Hopefully others will add a few similar .audit files there for experimentation.

A reminder, it needs openssl for the signatures; for Linux/MacOS it'll be there by default, but if you're on Windows you may not have that (this will change at some point, it's just for proof of concept).
sr. member
Activity: 469
Merit: 253
Feel free to read the latest blog post and try out the new version (only proof of concept, but functional):

https://tlsnotary.org/wp/?p=27

Simple explanation: audit a page and get a .audit file. You can give it an auditor later - where 'auditor' means anyone Smiley. It's transferrable (it's as if the server had signed the page with a digital signature).
You perform the audit with a remote 'notary server', which knows basically nothing: there is no login, no credentials, you don't give the notary server either your html or the encrypted version of your html. It sees nothing except the server pubkey. It just provides you with some preliminary random secrets and then signs that you received the completed version of the secrets after you committed to a hash of your encrypted data.

Well, a little more detail in the blog post above.

Note that although there isn't much going on at the main repo https://github.com/tlsnotary/tlsnotary at the moment, there is a lot of work being done in other places.

In a little while I might throw up a couple of .audit files so others can look at them (you can just run the auditor script locally to verify a .audit file's validity).



hero member
Activity: 784
Merit: 1000
We are happy to report that https://bitbargain.co.uk (a fiat<->btc marketplace) told us that they successfully used TLSNotary in an unusual case where bank lost the buyer's payment.

Even though https://bitbargain.co.uk processes ~300 trades per day, twice a year they'll have a situation where there is no way to resolve a disagreement between reputable parties.

Using TLSNotary the seller showed to the BitBargain staff their online bank's statement page (with a cryptographic proof) without revealing their bank's login/password. Good times.

So the buyer proved they had actually made the bank transfer using TLSnotary also?

And seller was able to prove he hadn't received (yet) because bank had lost the payment.

Interesting that a bitcoin-centric system for removing trust has been used to prove legacy banking error ... good work.

AFAIK, the seller provided a proof, then the buyer was advised to press his bank more, who is later found to be the party at fault.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
We are happy to report that https://bitbargain.co.uk (a fiat<->btc marketplace) told us that they successfully used TLSNotary in an unusual case where bank lost the buyer's payment.

Even though https://bitbargain.co.uk processes ~300 trades per day, twice a year they'll have a situation where there is no way to resolve a disagreement between reputable parties.

Using TLSNotary the seller showed to the BitBargain staff their online bank's statement page (with a cryptographic proof) without revealing their bank's login/password. Good times.

So the buyer proved they had actually made the bank transfer using TLSnotary also?

And seller was able to prove he hadn't received (yet) because bank had lost the payment.

Interesting that a bitcoin-centric system for removing trust has been used to prove legacy banking error ... good work.
full member
Activity: 202
Merit: 100
We are happy to report that https://bitbargain.co.uk (a fiat<->btc marketplace) told us that they successfully used TLSNotary in an unusual case where bank lost the buyer's payment.

Even though https://bitbargain.co.uk processes ~300 trades per day, twice a year they'll have a situation where there is no way to resolve a disagreement between reputable parties.

Using TLSNotary the seller showed to the BitBargain staff their online bank's statement page (with a cryptographic proof) without revealing their bank's login/password. Good times.
hero member
Activity: 784
Merit: 1000
This is jaw-dropping!

I successfully self-tested myself on a few websites and I'm especially amazed, because the whole process (or the part that I saw until now) was straight forward and without unexpected behavior or any other obstacles.

Thanks a lot, still, worth it to remind again to log out before you send anything to a real human! Wink
sr. member
Activity: 469
Merit: 253
This is jaw-dropping!

I successfully self-tested myself on a few websites and I'm especially amazed, because the whole process (or the part that I saw until now) was straight forward and without unexpected behavior or any other obstacles.

Good to hear.

As you can see, this thread hasn't been very active recently. You're welcome to post any thoughts/queries etc. here, or you can join us on IRC (freenode) at #tlsnotary-chat, or your can post an issue on github (https://github.com/tlsnotary/tlsnotary), or you can even take a look at the nascent discussion forum https://tlsnotary.org/smf (we're trying to put together a proper website, but it's not done). So I guess that's enough options. Now we just need a few more people like you to test it out Smiley
legendary
Activity: 1106
Merit: 1026
This is jaw-dropping!

I successfully self-tested myself on a few websites and I'm especially amazed, because the whole process (or the part that I saw until now) was straight forward and without unexpected behavior or any other obstacles.
hgt
newbie
Activity: 8
Merit: 0
Thanks for the clarification.
sr. member
Activity: 469
Merit: 253
hgt,
Yes I fully understand what you're saying. I did want to start from the most important basis though - that it's not different from existing audit mechanisms in terms of privacy and permission.

I share the same perspective as you that, given the Bank Secrecy Act, 'structuring' and so on, we live in a world where if those in power decide that they don't want something, it can be declared illegal at any time  - because terrorism, because child porn, whatever, and logic be damned.

But I'm not sure the risk that you highlighted is the most important one to focus on. It's true that having an auditor not know any transaction details is preferable, but we are talking about manual audits here because we cannot automate the interpretation of bank transaction pages for all banks, which means that at the very minimum the auditor *must* know the account number and bank, IF an audit takes place. So currently the situation is : your counterparty *always* knows your bank identity (account number), your auditor knows it only if there is an audit, which will of course be all the rarer because it's impossible to fake the result.

It is very likely that an auditor will need to have significant community reputation to operate. There's nothing intrinsic in this software deciding how auditors get setup - there could be thousands, there could be just one. I personally like the design of having a large pool which gets chosen from in an unpredictable way to minimise collusion/bad actor risk, but this is a matter of considerable debate in groups like TLSNotary, bitsquare, openbazaar etc.

An automated auditor - running on an 'oracle' - is a nice concept, which we've already played around with. But (a) not sure the technology is really ready for it and (b) it would need perfectly predictable parsing of transaction records. Could work with one fixed fiat payment method perhaps (assuming you can set up an oracle!)


Pages:
Jump to: