Re: [ga] Proof of Identification

[John C Klensin <klensin@mci.net>]

--On Tuesday, December 07, 1999 01:38 -0800 "William X. Walsh"
<william@dso.net> wrote:

> On 07-Dec-99 Harald Tveit Alvestrand wrote:

>> The fee for cashing an US check in a Norwegian bank is around
>> USD 8. I've got no reason to believe the fee in the other
>> direction is smaller.
> 
> You clearly have no experience dealing with commerce from many
> other countries.  And your expense at cashing it isn't the
> expense I was discussing.  It was the expense in some
> countries to even GET a check in US dollars.  Some countries
> have banking laws that make it difficult and/or expensive to
> send currency to foreign countries.  Perhaps if you don't have
> much experience in this are, you should refrain from making
> comment.

My, my...

I'm not sure who you are criticizing, William (Harald or Mark),
but I've got a lot of experience moving foreign checks and money
transfers in and out of US banks (and I tried, once, to deal
with an international wire transfer --in theory, easier than a
check, but probably less useful from an identification
standpoint-- to an account at a check-capable savings and loan--
after a nightmare that lasted many weeks, I opened an account at
a _bank_ with its own international correspondent network)

For those who don't know the details...

* Harald's fee estimate, except for some large commercial
accounts at commercial banks, is quite low for deposits of
foreign-issued checks deposited into US banks.   One generally
can't cash those checks at all (except by creating a liability
against one's existing account), and whether or not they are
denominated in US dollars makes little difference (but might
increase the fees slightly if they are not)

* In most countries, issuing a personal check denominated in a
foreign currency requires an account maintained in that
currency.   That is impossible/illegal in many places and merely
difficult and expensive in others.

* If I needed to send Harald money denominated in his currency,
I would go to my bank, pay them in US dollars (including an
excessive fee for small amounts of money), and have them send
out such a check or a wire transfer.   Harald would  receive
either a bank check or a 'my bank to his bank and account'
transfer, which would get the money to him, but would do almost
nothing for identification purposes.    The situation in most
countries that don't restrict these things is similar:
international transfers in recipient currencies are
bank-to-remote-account, not local-account-to-local-account.
The US is different from many places because we have a lot of
semi-banks floating around: if I dealt with one of them,
Harald's bank would receive an instrument from an institution
whose name I might have never heard: again, he gets the money,
but the authentication value would be zero.  

* Wire transfers are also bank-to-remote-account.   In most
countries where they can be arranged, I can walk into a bank
with (anonymous) cash and have one sent.  The bank will attach a
sender name to the thing, but it is a comment, not
authentication information in most originating countries,
especially for small transfers (e.g., for transfers into the US,
the reporting and documentation rules change when the amount
involved exceeds USD 10000).

* And, as William points out, in some countries, sending money
out, or even converting money into "hard currencies" (or just
external ones) internally is a huge hassle and may be
effectively impossible for private parties and small amounts.

So this is an extremely interesting idea for US-based
participants, but is otherwise naive.

To draw this back to the more general "what do we trust"
question, the example is symptomatic.    Webs of trust works if
the linkages can be established among people who actually know
each other.   The "small world" research (popularly known by the
"six degrees of separation" results) is helpful here, but the
need for not only "knowing" someone but for knowing people with
a good understanding of, and skill at, key management, makes
things considerably more complex.   If the linkages don't exist
and one has to validate the existence of someone one doesn't
know, the only mechanisms that do work are extremely
hierarchical and typically involve governments or entitles that
are government-certified at a fairly high level.   The latter is
really the same as the former, since one relies on the
government to do the certification.   

If we want to (or need to) go down that path, it would
constitute a reasonable question to pose to the GAC: if we have
succeeded in proving that the DNSO (or ICANN) won't work without
being able to authoritatively and uniquely identify individuals,
then we almost certainly need governmental advice about how to
do that.   The problem, of course, is that the traditional
governmental answers are incompatible with the preferences about
privacy that many of us hold.   They also tend to lead in the
direction of strictly-hierarchical X.509 certificates, which
make many of uncomfortable for other reasons.

Hard problem to solve well.   I wish I had easy solutions, but I
don't. and I suspect that easy solutions don't exist.   That
tuns the question into whether there is a less precise and more
sloppy system with which we can live.   And, there, I'd suggest
that web of trust models might work adequately, especially if we
start with the understanding that a few errors of both inclusion
and exclusion are almost inevitable.

      john