W3C home > Mailing lists > Public > public-interledger@w3.org > September 2016

Re: ILP - a critical analysis

From: Evan Schwartz <evan@ripple.com>
Date: Mon, 19 Sep 2016 16:57:51 +0100
Message-ID: <CAONA2jUsGQzgLpmR_oRs4j5yxjFGe1AEKp8+rModGzkokVThGQ@mail.gmail.com>
To: Ken Griffith <kengriffith@gmail.com>
Cc: Interledger Community Group <public-interledger@w3.org>
Hi Ken,

Good questions.

I find it curious that the language used in the ILP document uses financial
> terms in different ways than they are normally used, "escrow" for example.
> And it invents new terms like "connector" in the place of what is
> historically called a "clearinghouse".


Connector refers to a category that includes but is not limited to
clearinghouses. Other examples of connectors are bilateral credit
relationships, market makers, and FX exchanges.

We've started using the word "hold" instead of "escrow", because it more
accurately describes the behavior.

 I do not think the multi-step escrow process actually makes it more
> secure.  Correct me if I am wrong, but a malicious connector could simply
> agree to a transfer and then fail to execute it, or reverse it after
> execution.


Multi-step escrow *does* make it more secure. The sender puts funds on hold
with *their ledger*, which will only be released if the connector presents
cryptographic proof *from the recipient* that the recipient has been paid.

A connector that said they could do the transfer but then didn't forward
the payment would not be able to deliver the proof and the funds would be
returned to the sender. This means a malicious connector could cause a
payment to be returned, but they cannot steal the money -- a very big
difference! We can easily retry payments that are returned, and we can
avoid connectors that consistently fail to complete the payments.

Connectors cannot reverse transfers once they have been put on hold.
Ledgers will keep the funds on hold until either the condition fulfillment
is submitted or the timeout is reached. If you have more questions about
this, please ask because this is a very important aspect of Interledger to
understand.

Introducing a new role called a notary, where there is one notary for each
> part of the transaction to verify the digital signature, adds another
> degree of complexity, without really improving security, because a "notary"
> can also be malicious and in collusion with a connector.


Atomic mode relies on being able to trust the notaries. In practice you
would either use a highly trusted and impartial 3rd party (the connector is
not impartial because they are party to the transaction) or a consensus
group involving multiple semi-trusted entities. If you use a consensus
group, you are relying on the increased difficulty of having many of the
notaries colluding together, so you obviously have to be smart about what
group you pick. Atomic mode does add more complexity, which is why it is no
longer part of the core ILP, though it can be used between a group of
connectors to reduce risk amongst themselves.

What I see missing in ILP is a way of incorporating the contract of the
> ledger as well as the inter-ledger rules into the payment, as is done by
> systems that use Ricardian contracts, which are open source and public
> domain and can be used by anybody.


A major design principle of ILP is to specify as little as possible about
how each ledger should work, so as to enable support for a wide variety of
ledgers. The security model of ILP ensures that you are not exposed to risk
from participants in a payment *other than your ledger*. You can choose
whatever ledger you like, whether it's a blockchain or not, so we assume
that for whatever reasons you do trust your ledger (but no one else).

Second, we are missing the ability to include an arbitration clause, so
> that if any of the parties in the chain of connectors default, cheat, lie
> or fail to execute, the dispute can be efficiently resolved by human
> judgement in a jurisdiction that all parties agree to.

 ...And here we see the third missing part of ILP. There needs to be a
> standard way of identifying an account holder who has agreed to the rules,
> and therefore can be subjected to arbitration.


Your last couple of points focus on the fact that there is no arbitration
built into ILP and little to nothing in the way of "scheme rules". This is
correct and intentional. Let me explain some of the logic behind this.

Interledger is designed to be used in a layered protocol architecture,
similar to how the Internet was designed. Getting people to agree on things
is difficult so you want to try to minimize what everyone needs to agree
upon. Interledger does not include identity information or dispute
resolution because these vary greatly by use case, jurisdiction, ledger
type, and a number of other factors. If we want a truly neutral
inter-ledger payment protocol, it must be agnostic to these details. This
also means that on the Interledger layer, payments must be treated as final
and irreversible, because not all payment systems support the behavior you
would need to implement reversals (see below on how you would implement
reversals at a higher level).

In most cases you would probably use Interledger within a higher-level
scheme. A scheme for retail payments would likely include sender and
receiver identity information (and a standard for how that is expressed and
rules around what is required). The scheme might also include clauses
around arbitration and payment reversals. Reversals would be handled as new
interledger payments going from the receiver to the sender, and the scheme
rules would determine when these are required/supported.

Now, why put all these details into a higher level scheme? What I just
described was what you need for retail payments. Large bank-to-bank
transfers will require different information, in a different data format.
Micropayments, where privacy becomes a bigger issue (because you don't want
to tell someone who you are just to send them $0.001), would likely entail
much less information. By separating the concerns, we can make vastly
different payment systems fundamentally interoperable, and then work later
on coming up with the use-case-specific higher level protocols needed to
exchange all the other details needed.

What Interledger provides is:

   - a method for securing multi-hop payments such that the sender gets
   cryptographic proof the recipient has been paid or their money back
   - a model for understanding interledger payments as a series of ledgers
   and connectors, which can be clearinghouses, bilateral credit
   relationships, market makers, or exchanges
   - a standard for a ledger-independent address format and packet data
   format that enables connectors to route payments
   - a framework for designing higher level use-case-specific protocols

Best,
Evan


On Mon, Sep 19, 2016 at 3:01 PM, Ken Griffith <kengriffith@gmail.com> wrote:

> I find it curious that the language used in the ILP document uses
> financial terms in different ways than they are normally used, "escrow" for
> example.  And it invents new terms like "connector" in the place of what is
> historically called a "clearinghouse".
>
> I do not think the multi-step escrow process actually makes it more
> secure.  Correct me if I am wrong, but a malicious connector could simply
> agree to a transfer and then fail to execute it, or reverse it after
> execution.
>
> Introducing a new role called a notary, where there is one notary for each
> part of the transaction to verify the digital signature, adds another
> degree of complexity, without really improving security, because a "notary"
> can also be malicious and in collusion with a connector.
>
> One problem seen with the crypto-currency community in general, of which
> Ripple is typical, is the belief that the need for human trust can be
> replaced with cryptographic trust.
>
> What is missed is that the financial system over centuries has developed a
> system of human governance that works most of the time.  This involves the
> use of trustees and auditors, and either courts or arbitration. (Courts
> often do not work efficiently due to corruption, which is what makes
> arbitration more attractive as an inexpensive way of resolving disputes.)
>
> So we see for example, the Bitcoin community rants fanatically about
> eliminating the need for trust, even as more than half of all Bitcoin
> exchanges since 2011 have failed, defaulted or stolen hundreds of millions
> of USD worth of the users funds.  Clearly, Bitcoiners have not solved the
> trust problem, and are not using the governance arrangements that have
> historically been used to mitigate the risk of insider theft.
>
> The public ledger of Bitcoin and succeeding "blockchain" systems was based
> on the idea of "triple entry accounting", which is a way of making the
> public the auditor. (See http://iang.org/papers/triple_entry.html) This
> does not eliminate the need for an auditor, but allows the public to be the
> auditor.  You still need the other parties of classic governance, referred
> to as the "five parties model". (https://bitcoinmagazine.com/a
> rticles/five-parties-model-1393673552)
>
> What I see missing in ILP is a way of incorporating the contract of the
> ledger as well as the inter-ledger rules into the payment, as is done by
> systems that use Ricardian contracts, which are open source and public
> domain and can be used by anybody. (https://en.wikipedia.org/wiki
> /Ricardian_Contract)
>
> Second, we are missing the ability to include an arbitration clause, so
> that if any of the parties in the chain of connectors default, cheat, lie
> or fail to execute, the dispute can be efficiently resolved by human
> judgement in a jurisdiction that all parties agree to.  Ethereum recently
> demonstrated the necessity of this. (http://financialcryptography.
> com/mt/archives/001594.html)
>
> Third, clearinghouses have historically taken the counter-party risk upon
> themselves.  An example would be the Chicago Board of Trade (CBOT) which
> runs the COMEX.  All members of the COMEX contract with CBOT which
> guarantees counter-party risk.  This enables them to safely trade with one
> another, even though they have no way to assess the credit-worthiness of
> the party on the other side of a trade.
>
> CBOT handles the counter-party risk by requiring bonding and certain
> levels of liquidity of the members.
>
> The ILP is attempting to build system of clearinghouses (connectors) that
> uses notaries and cryptography to eliminate counter-party risk.
>
> However, it lacks a dispute-resolution mechanism.
>
> In order to settle a dispute, the court or arbitrator must usually know
> who the parties are.  And here we see the third missing part of ILP. There
> needs to be a standard way of identifying an account holder who has agreed
> to the rules, and therefore can be subjected to arbitration.
>
> I think that if these deficiencies were addressed, ILP could grow into a
> truly international standard.  But, as I see it now, Ripple are building a
> standard that works with Ripple.
>
> But, will it really work in the real world of lawyers and contracts and
> government regulators who require financial institutions to know the
> parties on both sides of every transaction?
>
> All it will take to expose the weaknesses in ILP is an incident like DAO.
> If you create a number of silos of financial value that are connected by a
> series of rules like ILP or Ethereum, there are many parties who will
> attempt to use the rules to take as much value for themselves as they can
> get.  DAO demonstrated this, yet again.
>
> That is even before you entertain the problem of people who break the
> rules, like Mt. Gox and those who use malware to steal users' keys.
>
> Ripple's system can work between a closed group of banks, because it is a
> limited entry pool of parties who have to sign a contract with each other
> to enter and use it.  An open system as ILP proposes is a very different
> ball game.  These deficiencies need to be addressed before ILP can actually
> work in the real world.
>
> Ken Griffith
>
> On 9/19/2016 2:24 PM, Melvin Carvalho wrote:
>
>>
>>
>> On 19 September 2016 at 13:04, Stefan Thomas <stefan@ripple.com
>> <mailto:stefan@ripple.com>> wrote:
>>
>>     Unfortunately, I don't have any details to share on Ripple's
>>     commercial deals. What I can say is that all of our solutions are
>>     going to be ILP-capable, because we believe that ILP has by far the
>>     best chance chance of being the protocol that powers the Internet of
>>     Value. It is also the simplest which tends to be a big factor in
>>     standards adoption. We're not opposed to supporting other protocols
>>     in addition to ILP if there is demand from our customers.
>>
>>
>> Agree with most of this, however im not convinced that ILP is the
>> simplest protocol.  Webcredits is IMHO simpler. I do however like the
>> move to modularize it into more simple pieces.  But it might come across
>> better if if you continued your narrative along the lines of "we believe
>> that ... "
>>
>> I have slight reservations about the scalability of ILP (e.g. can you
>> send to and from an email address, a mobile phone, a web page, an IM
>> account, irc etc.).  What I really love about it is the concept of
>> connectors.  As you point out much more will be clear when real ILP
>> payments are live, which Im confident is an achievable goal.
>>
>>
>>
>>     Speaking of adoption - our next goal is to build all the tools
>>     needed for a real-world internetwork involving the most popular
>>     crypto-currencies. Seeing is believing - we want as many people as
>>     possible to experience real ILP payments. The initial intended use
>>     case will be micro-payments. There is also still a lot of work to be
>>     done on the reference implementation and on porting ILP to other
>>     languages.
>>
>>     On Fri, Sep 16, 2016 at 6:13 PM, Christopher Bartley
>>     <morelazers@gmail.com <mailto:morelazers@gmail.com>> wrote:
>>
>>         Sorry to chime in out of place but I think that this post by a
>>         Ripple employee may help to clarify
>>         (http://www.xrpchat.com/topic/1991-a-big-update/?do=findComm
>> ent&comment=18189
>>         <http://www.xrpchat.com/topic/1991-a-big-update/?do=findComm
>> ent&comment=18189>)
>>         My understanding is that ILP among the banks is not RCL-enabled
>>         and serves as an internal subledger for each bank to escrow
>>         funds prior to transfer. Because the transactions are not
>>         submitted to RCL they are private and do not appear on the
>>         public ledger. My understanding is that the publicly announced
>>         banks are already using it to transfer fiat or will be will be
>>         very soon. Deploying ILP privately will allow them to integrate
>>         with other private networks or public ledgers should they chose,
>>         but for now it's effectively a private and permissioned ledger
>>         using ILP within network.
>>
>>         I'd still appreciate a response from Stephan and Adrian,
>>         especially if I'm way off here.
>>
>>         Best,
>>
>>         Chris
>>
>>         Sent from Das Fone
>>
>>
>>         On Sep 16, 2016 10:01 AM, "Roger Bass" <roger@traxiant.com
>>         <mailto:roger@traxiant.com>> wrote:
>>
>>             Stefan or Adrian:
>>
>>             are you able to say publicly which banks will be moving
>>             transactions over ILP come October 1?
>>
>>             Presumably, this means that a version of Ripple Connect with
>>             ILP as a "protocol switch" is already shipped and deployed
>>             to those banks, right?
>>
>>             Best,
>>             Roger
>>
>>
>>             On Thu, Sep 15, 2016 at 8:21 PM, Daniel Bateman
>>             <7daniel77@gmail.com <mailto:7daniel77@gmail.com>> wrote:
>>
>>                 Thank you for this clarification Stefan.
>>
>>                 Is this information published on the Ripple website
>>                 and/or Ripple wiki? If not, may I ask why not?
>>
>>                 Best,
>>                 Daniel
>>
>>                 On Sep 15, 2016 7:05 PM, "Stefan Thomas"
>>                 <stefan@ripple.com <mailto:stefan@ripple.com>> wrote:
>>
>>                     What the article is referring to is that Ripple's
>>                     bank customers will be moving real money through
>>                     ILP-powered Ripple products starting Oct 1st.
>>
>>                     Note that we were developing ILP internally for some
>>                     time before we decided that it should become open
>>                     standard and released the white paper. For now the
>>                     commercial implementation of ILP inside of Ripple
>>                     products and the open-source work happening in this
>>                     group are pretty separate. We're getting really good
>>                     ideas and feedback from the banks using ILP and that
>>                     feeds back into the community group work. And of
>>                     course the end goal is to have it all interconnect
>>                     some day.
>>
>>                     It'll take quite some time (and a lot of community
>>                     traction) before the banks would even consider
>>                     connecting to a public Interledger. Hence the
>>                     importance of the work this group is doing that's
>>                     unrelated to Ripple. For it to be a true standard
>>                     there has to be lots of activity around it that
>>                     isn't directly tied to us or our customers.
>>
>>                     On Thu, Sep 15, 2016 at 2:22 PM, win than aung
>>                     <winthan@chomeaye.com <mailto:winthan@chomeaye.com>>
>>                     wrote:
>>
>>                         Hi guys,
>>
>>                         I just saw this news
>>                         - http://www.afr.com/technology/
>> nab-westpac-part-of-ripples-new-global-payments-network-20160915-grgz81
>>                         <http://www.afr.com/technology
>> /nab-westpac-part-of-ripples-new-global-payments-network-20160915-grgz81>
>>
>>                             Ripple has created Ripple Connect, new
>>                             technology to allow banks to talk to each
>>                             other, and is developing its "interledger
>>                             protocol", which will go live on October 1
>>                             and provide the foundation for banks to
>>                             directly connect their ledgers with each
>>                             other without an intermediary.
>>
>>
>>                         Is that ready to go live on Oct 1? Which ledgers
>>                         are going to try out at live on Oct 1? Gatehub?
>>                         any hints?
>>
>>                         Thanks,
>>                         Winthan
>>
>>
>>
>>
>>
>>
>


-- 
Evan Schwartz | Software Architect | Ripple
[image: ripple.com] <http://ripple.com>
Received on Monday, 19 September 2016 15:58:41 UTC

This archive was generated by hypermail 2.3.1 : Monday, 19 September 2016 15:58:42 UTC