Archive Notice: This page preserves the original work of Todd Boyle on general ledger architecture and distributed accounting (1997-2010), restored 2026 by The Ledgerism Brief. We are not affiliated with any accounting standards body. Original work © Todd Boyle. Visit The Ledgerism Brief for current editorial coverage of CPA practice, audit, M&A quality of earnings, and digital asset accounting.
Signing Devices

Signing Devices

Home

Citizens should own, permanently, digital signing devices that allow us the power to prove our identities absolutely, and to sign and/or encrypt a document such as a ballot or a transaction.

Signing or authentication can never be achieved on somebody else's hardware because obviously, their device might steal your password, snoop your document, etc.

Your signing device must be a monolithic thing with its own screen and pinpad (perhaps, similar to a cellphone.) It must allow the owner to receive, view and respond at least, with answers such as yes/no, 1,2,3,4, etc. The signing keys would be a gazillion bits, and would be encoded in the device in a region of silicon having no wiring or function to be changed from outside. The Screen and the Pinpad would be part of this unchangeable region of silicon.  (Don't let "engineers" tell you it can't be done.)

Thereafter, the signing device might be valuable to anyone who stole it and who knows the code for unlocking it. Of course it might be worthless. Depending on the reputation of the signing key for honoring its contracts, over the past few years.

When citizens can assert their real identity over networks, it will be a different world. The barrier to this sort of device are  not technical, but political and economic: every telecom company, software company, bank, government, etc. are dead set against it since they derive advantage from highly powerful computing and authentication within centralized systems. They derive no such control when the citizen is sovereign over our own computing devices.


The devolution of digital identity from central servers is inevitable. It allows persistent identity and reputation beyond the limits of one's (pathetically small) circle of physical acquaintences. Humanity today would starve, without it slarge corporate enterprises.  Today we are utterly helpless even for small exchanges, without paper and plastic money, and the banking, legal, and LawEnforcement "way" of doing things. We don't get what we deserve. Half or more of our life's economic resources are taken from us without accountability. The percentage varies--doesn't it! The sum of all citizens is zero, counting winners and losers.

I've come to conclude there can never be adequate security on user-programmable PCs or hand-helds.  It is impossible to use a computer to sign checks for example, if any hacker can cruise in, and steal your signature apparatus.

Software, hardware and network providers have such an overwhelming conflict of interest, I believe that identity as well as secure communications will have to come from a device *owned by the user*, probably including at least a PIN pad and screen within the trusted device.

There are obviously, some barriers to reform of today's identity and authentication paradigm. I'm just going to recite three obvious things (you can skip:)

1. Some of today's leading companies in financial services, software, telecommunications and media will be harmed financially by any devolution of authentication and reputation out of their control.

2. The power of government will also be affected i.e. some effects on the ability to collect taxes, and surveil communications would result if the freedoms we have in real space are allowed over distances. e.g. the natural ability to exchange currency or things of value, or to have private conversations.

3. Certain actors in those sectors, work actively to undermine privacy and security over networks. They fill the media with disinformation about hackers, stolen money, drugs, laundering, terrorists, etc. to protect the existing banking system, and actively undermine the usefulness of networks, fill them with SPAM and undermine the security and sovereignty of the user in many computing, network and radio hardware components.

Users will probably learn easily enough, that such a device contains not only a mere digital ID, but that it allows them to accumulate a reputation in the eyes of other people and institutions which is quite valuable, financially. As any valuable thing, they will positively safeguard it.

Accordingly, what is missing is the intellectual work of developing P2P reputation frameworks, in coordination with design of the handheld devices. The semiconductor industry will certainly produce the thing if there's a market.   A chicken and egg problem, compounded by an extreme disruption and cannibalization of other, larger markets.

The basic use case is sending a screenful of data (i.e. a contract) into the screen of the device for signature, as described in the MeT Peer to peer scenarios (ignore the telco "operator" scenarios.) http://mobiletransaction.org/documents.html The consortium spent megabucks, on UI standards for use of the screen on the TD so that the user would recognize the "Trusted Device" mode when it was presented by different manufacturers.

If PCs, phones, palms etc. are ever to be secure their content must be flowed thru a VPN or something, controlled by the user. How this is ever going to happen is beyond my expertise. I would like to see the handheld trusted device have two ports: LAN and WAN, for signing, encryption etc. and this has to be fairly idiot proof. As with the TD, the private keys would be created and managed in a security element and private keys would never leave the handheld device... http://www.ledgerism.net/hippocrit1.gif

Again, the software for this has largely been completed in several different standards communities, for example
http://www.webfunds.org  which is completely stable and in production, and being maintained and improved to include
an encrypted Instant Messaging client. 
http://www.systemics.com  
http://www.xml-x.org  
and
http://mobiletransaction.org/documents.html  
and
http://www.ledgerism.net/IETFaccounting.htm 

Work has been done establishing the human procedures for this,
by numerous different groups of people, not only these:
http://www.ledgerism.net/dbcTrustModel.htm 
http://www.ledgerism.net/SignedPnotes.htm   etc.

Again, I don't know what the end solution will be but it won't be some
clever new software for the PC. It will be built into devices and it
will be preceded by a very big discussion about reputation frameworks,
and a formal architecture discussion including UML for software and
hardware.

None of those has begun yet,

Todd


Here is how it might work in an ARAP cloud, when fully mature,
with robot settlement routers, "between your phone and mine:"

At a Garage Sale:

He says, "ok I'll buy it." Turns on his Studly brand, signing device,
and and enters his 5-digit PIN code. BZZT He gets a little
nervous. If he keys it wrong 2 more times, his device will
erase its keys and certificates. He gets it right.

He enters Local Currency LC$900 in his Studly. Points at the
product and snaps a .jpg picture, and presses SIGN.
(creating a legally binding, digitally signed promise to
pay. Perhaps, including the URI of his last-resort settlement provider
usu. a bank)

She points her hippocrit at his device and scoops up the
promissory note. in 35 milliseconds it goes out over the
arapcloud, lookin for a home... 6 seconds later her SMS
beeps ...--... A digitally signed receipt from her hairdresser
thanking her for her payment of LC$900 and her new balance
has been reduced to 32,100.

At the same second, his Studly beeps.. a note from his
employer, that cc900 has been deducted from this week's
paycheck, requesting signature to release (since he is a
belts and suspenders type of guy.. he setup his deducts
for immed confirm. every time.... )

No bank. No server. No middleman. Just an open marketplace
of settlement routers, mostly robots, mostly free, operated by
all of us.

Todd   ARAP CLOUD
Todd Boyle 9745-128th Ave NE Kirkland WA

See also http://ledgerism.net/STR.htm and
http://ledgerism.net/reputation.htm


 
somebody said,
"Todd,
This sounds like the ultimate Big Brother ID card that I thought you were so passionately against!!"
Settlement of B2B eCommerce Processes
by Todd Boyle on Jan 2, 2003
An ID card is a useless piece of trash if the card-reading device is not secure.
- The screen must be secure from snoops, or intruders who can change what the user sees.
- The input controls must be secure, obviously, or an intruder can steal your password or PIN, or insert fake keypresses
- and obviously the cpu, storage, network stack etc. has to be secure..

The reason there are billions of credit cards and X-millions of smart cards is because they are useful for centralized, hub-and-spoke, book-entry banking without any possibility of becoming useful between individuals.

With such awful security problems, card technology cannot be useful for any new, competing authentication or transaction execution models. Visa/MC can force those losses back onto the population -a kind of insurance operation, risk spreading -and Visa/MC can depend on the whole framework of banking and law enforcement. They gradually modernize, and lawmakers gradually tighten protections for them.

But no competing authentication or settlement solution would have that advantage, so it will have to rely on diside's

I tried to describe this in http://www.ledgerism.net/devices.htm and apologize for my crummy writing style.