W3C home > Mailing lists > Public > public-interledger@w3.org > September 2016

Re: ILP - a critical analysis

From: Evan Schwartz <evan@ripple.com>
Date: Tue, 20 Sep 2016 15:36:48 +0100
Message-ID: <CAONA2jVG1zYczbyT5bSfjoc1ZwQwgV=r11eNgyg+cENz45PWmg@mail.gmail.com>
To: Jehan Tremback <jehan.tremback@gmail.com>
Cc: Interledger Community Group <public-interledger@w3.org>
I think that's a really good explanation Jehan.

Ken,

The limit order idea is interesting. I'll have to think about it more but
it sounds even more complicated to me to standardize the interactions with
exchanges and to be able to set up a multi-hop limit order based payment.

A forward paying arrangement is no more risky than the reverse order
> payment.  A clearinghouse/connector could still default. But the risk would
> fall entirely on A not one of the counterparties in the middle of the chain.


This is a very big difference! My assumption is that the sender is an
individual like me, who has pretty much no tolerance for risk. I want a
technical guarantee that my money cannot be lost in transit, no matter who
the intermediaries are. In contrast, connectors who are facilitating many
payments back and forth are much more sophisticated actors and are in a
better position to manage and reduce the risk they are exposed to with ILP.
Since ILP isolates the participants from risk like Jehan said, the only
risk you have to manage is if one of the ledgers/banks you are directly
connected to is offline or unresponsive.

Ripple/ILP is proposing/building a network of connectors which are
> basically exchange portals or clearinghouses.


A key thing to understand about ILP connectors is that the sender is
*not* exposed
to risk from any of the intermediary connectors or any of the ledgers aside
from their own. This is why the backwards execution is so crucial. As Jehan
explained, anyone in a payment path can be screwed by their own ledger, and
no one else. This does mean you need to have a trustworthy ledger, but
whether trustworthy is the crypto and hashing power of Bitcoin or the legal
system and deposit insurance with a bank is up to you. Ideally all of these
would be better connected together, such that you could choose the type of
ledger that suits your needs best.

That can be solved with an arbitration contract.  Without such a contract
> to bring the entire payment chain under one dispute resolution framework,
> there cannot be any effective dispute resolution because each party is in a
> different jurisdiction.  This has proven to be the real achilles heel of
> internet payment platforms over the past 20 years. It probably deserves a
> longer conversation in its own right.


This deserves a longer conversation but I will say this much for now. A
major design goal for us is to make Interledger as
open/accessible/neutral/global as the Internet, which to us suggests that
there cannot be a requirement for the participants in a payment to agree on
any trusted party. I think that many of the underlying reasons that one
might try to solve with a global arbitration mechanism could be solved in a
more neutral way through things like insurance on the endpoints (e.g. your
ledger directly provides you insurance against non-delivery of goods or
stolen account credentials).

ILP used to have the requirement that routes be defined at the start of a
> transfer (this is known as source routing), but this is not essential, and
> I believe they are moving to a more flexible model.
>

Correct, we're using non-source routing now.


On Mon, Sep 19, 2016 at 7:33 PM, Jehan Tremback <jehan.tremback@gmail.com>
wrote:

> Whoops, meant to put this on the list:
>
> ---------- Forwarded message ----------
> From: Jehan Tremback <jehan.tremback@gmail.com>
> Date: Mon, Sep 19, 2016 at 8:42 AM
> Subject: Re: ILP - a critical analysis
> To: Ken Griffith <kengriffith@gmail.com>
>
>
> You raise some good points, but I don't think that you understand ILP. I
> don't blame you, as the white paper is very dense and not especially
> concerned with human readability. I didn't understand ILP either, until I
> came to see it as a type of multi hop payment channel.
>
> First of all, ILP works with escrows, in the broad general sense of the
> word. I'm not familiar with the intricacies of the banking system, but
> wikipedia defines escrow as "Escrow generally refers to money held by a
> third-party on behalf of transacting parties".
>
> I'll try to explain ILP's "Universal" mode. "Atomic" mode is the one with
> the notaries. I think that Universal mode is much more fundamental and
> important.
>
>   1   2   3
>  / \ / \ / \
> A   B   C   D
>
> The numbers are ledgers and the letters are connectors. Let's say that A
> wants to send $10 to D.
>
> A places the $10 in escrow with 1, along with the instruction "Release
> this $10 to B, if B shows a signature from D to you and A. If 1 day goes by
> and B has not shown the signature, give the money back to A".
>
> B and C then also place $10 in escrow with 2 and 3 respectively, with
> similar instructions.
>
> Now D is notified that the transfer has been set up. D sends his signature
> to 3, claiming the funds. 3 shows the signature to C, who uses it to claim
> the funds from 2. 2 shows the signature to B, who uses it to claim the
> funds from 1.
>
> In this transaction, every connector only needs to trust the ledgers they
> are directly connected to. Let's look at some failure scenarios.
>
> Let's say that 2 is dishonest. B places the $10 in escrow with 2, but when
> C shows the signature, 2 refuses to release the funds to C. Now C is out
> $10. C shouldn't have trusted 2.
>
> Further down the chain, if B got the signature even though C didn't get
> the funds, B can use it to get the funds from 1. In this scenario, A has
> paid $10 and D has still received $10.
>
> On the other hand, if B doesn't get C's signature, then B can't release
> the funds. The escrow that 1 has for A expires after 1 day, and the money
> is given back to A. In this scenario, D has still received $10, but A has
> not paid $10. 2 has stolen $10 from C, and A has benefitted from this as
> well.
>
> But, in both scenarios, the only people who were affected by 2's failure
> are B and C. ILP insulates every step in the transfer chain from the
> others. Trust connects every link in the chain, without anyone having to
> trust the whole chain.
>
> If you can point out a way in which this mechanism could be subverted, it
> will make headlines, as this is the same mechanism used in many different
> types of multihop payment channel, such as Bitcoin's Lightning network and
> Ethereum's Raiden. Here's a slightly more involved explanation from my
> blog: http://altheamesh.com/blog/universal-payment-channels/.
>
>
> To address some of your other points:
>
> > [...] even as more than half of all Bitcoin exchanges since 2011 have
> failed, defaulted or stolen hundreds of millions of USD worth of the users
> funds.  Clearly, Bitcoiners have not solved the trust problem [...]
>
> Wrong. Bitcoiners have solved the trust problem. If you use Bitcoin as
> intended, with your own wallet and a strong passphrase, it will not be
> stolen. The problem that Bitcoiners have not solved is the usability
> problem, and it's such a pain in the ass to deal with those wallets and
> passphrases that people send their money to be held by a third party
> exchange or wallet, who then steals it.
>
> > Second, we are missing the ability to include an arbitration clause, so
> that if any of the parties in the chain of connectors default, cheat, lie
> or fail to execute, the dispute can be efficiently resolved by human
> judgement in a jurisdiction that all parties agree to.
>
> > In order to settle a dispute, the court or arbitrator must usually know
> who the parties are.  And here we see the third missing part of ILP. There
> needs to be a standard way of identifying an account holder who has agreed
> to the rules, and therefore can be subjected to arbitration.
>
> > But, will it really work in the real world of lawyers and contracts and
> government regulators who require financial institutions to know the
> parties on both sides of every transaction?
>
> These are actually good points, and maybe someone can get to work defining
> a legal framework, or record keeping system or something. But the beauty
> of ILP is that each link in the chain only trusts those that it is directly
> connected to. Because of this, one ILP transfer could cross over several
> jurisdictions and legal systems. This means that it is inappropriate to
> bake any one regulatory regime into the low-level cryptographic ILP
> protocol.
>
> -Jehan
>
> On Mon, Sep 19, 2016 at 7:01 AM, Ken Griffith <kengriffith@gmail.com>
> wrote:
>
>> I find it curious that the language used in the ILP document uses
>> financial terms in different ways than they are normally used, "escrow" for
>> example.  And it invents new terms like "connector" in the place of what is
>> historically called a "clearinghouse".
>>
>> I do not think the multi-step escrow process actually makes it more
>> secure.  Correct me if I am wrong, but a malicious connector could simply
>> agree to a transfer and then fail to execute it, or reverse it after
>> execution.
>>
>> Introducing a new role called a notary, where there is one notary for
>> each part of the transaction to verify the digital signature, adds another
>> degree of complexity, without really improving security, because a "notary"
>> can also be malicious and in collusion with a connector.
>>
>> One problem seen with the crypto-currency community in general, of which
>> Ripple is typical, is the belief that the need for human trust can be
>> replaced with cryptographic trust.
>>
>> What is missed is that the financial system over centuries has developed
>> a system of human governance that works most of the time.  This involves
>> the use of trustees and auditors, and either courts or arbitration. (Courts
>> often do not work efficiently due to corruption, which is what makes
>> arbitration more attractive as an inexpensive way of resolving disputes.)
>>
>> So we see for example, the Bitcoin community rants fanatically about
>> eliminating the need for trust, even as more than half of all Bitcoin
>> exchanges since 2011 have failed, defaulted or stolen hundreds of millions
>> of USD worth of the users funds.  Clearly, Bitcoiners have not solved the
>> trust problem, and are not using the governance arrangements that have
>> historically been used to mitigate the risk of insider theft.
>>
>> The public ledger of Bitcoin and succeeding "blockchain" systems was
>> based on the idea of "triple entry accounting", which is a way of making
>> the public the auditor. (See http://iang.org/papers/triple_entry.html)
>> This does not eliminate the need for an auditor, but allows the public to
>> be the auditor.  You still need the other parties of classic governance,
>> referred to as the "five parties model". (https://bitcoinmagazine.com/a
>> rticles/five-parties-model-1393673552)
>>
>> What I see missing in ILP is a way of incorporating the contract of the
>> ledger as well as the inter-ledger rules into the payment, as is done by
>> systems that use Ricardian contracts, which are open source and public
>> domain and can be used by anybody. (https://en.wikipedia.org/wiki
>> /Ricardian_Contract)
>>
>> Second, we are missing the ability to include an arbitration clause, so
>> that if any of the parties in the chain of connectors default, cheat, lie
>> or fail to execute, the dispute can be efficiently resolved by human
>> judgement in a jurisdiction that all parties agree to.  Ethereum recently
>> demonstrated the necessity of this. (http://financialcryptography.
>> com/mt/archives/001594.html)
>>
>> Third, clearinghouses have historically taken the counter-party risk upon
>> themselves.  An example would be the Chicago Board of Trade (CBOT) which
>> runs the COMEX.  All members of the COMEX contract with CBOT which
>> guarantees counter-party risk.  This enables them to safely trade with one
>> another, even though they have no way to assess the credit-worthiness of
>> the party on the other side of a trade.
>>
>> CBOT handles the counter-party risk by requiring bonding and certain
>> levels of liquidity of the members.
>>
>> The ILP is attempting to build system of clearinghouses (connectors) that
>> uses notaries and cryptography to eliminate counter-party risk.
>>
>> However, it lacks a dispute-resolution mechanism.
>>
>> In order to settle a dispute, the court or arbitrator must usually know
>> who the parties are.  And here we see the third missing part of ILP. There
>> needs to be a standard way of identifying an account holder who has agreed
>> to the rules, and therefore can be subjected to arbitration.
>>
>> I think that if these deficiencies were addressed, ILP could grow into a
>> truly international standard.  But, as I see it now, Ripple are building a
>> standard that works with Ripple.
>>
>> But, will it really work in the real world of lawyers and contracts and
>> government regulators who require financial institutions to know the
>> parties on both sides of every transaction?
>>
>> All it will take to expose the weaknesses in ILP is an incident like
>> DAO.  If you create a number of silos of financial value that are connected
>> by a series of rules like ILP or Ethereum, there are many parties who will
>> attempt to use the rules to take as much value for themselves as they can
>> get.  DAO demonstrated this, yet again.
>>
>> That is even before you entertain the problem of people who break the
>> rules, like Mt. Gox and those who use malware to steal users' keys.
>>
>> Ripple's system can work between a closed group of banks, because it is a
>> limited entry pool of parties who have to sign a contract with each other
>> to enter and use it.  An open system as ILP proposes is a very different
>> ball game.  These deficiencies need to be addressed before ILP can actually
>> work in the real world.
>>
>> Ken Griffith
>>
>> On 9/19/2016 2:24 PM, Melvin Carvalho wrote:
>>
>>>
>>>
>>> On 19 September 2016 at 13:04, Stefan Thomas <stefan@ripple.com
>>> <mailto:stefan@ripple.com>> wrote:
>>>
>>>     Unfortunately, I don't have any details to share on Ripple's
>>>     commercial deals. What I can say is that all of our solutions are
>>>     going to be ILP-capable, because we believe that ILP has by far the
>>>     best chance chance of being the protocol that powers the Internet of
>>>     Value. It is also the simplest which tends to be a big factor in
>>>     standards adoption. We're not opposed to supporting other protocols
>>>     in addition to ILP if there is demand from our customers.
>>>
>>>
>>> Agree with most of this, however im not convinced that ILP is the
>>> simplest protocol.  Webcredits is IMHO simpler. I do however like the
>>> move to modularize it into more simple pieces.  But it might come across
>>> better if if you continued your narrative along the lines of "we believe
>>> that ... "
>>>
>>> I have slight reservations about the scalability of ILP (e.g. can you
>>> send to and from an email address, a mobile phone, a web page, an IM
>>> account, irc etc.).  What I really love about it is the concept of
>>> connectors.  As you point out much more will be clear when real ILP
>>> payments are live, which Im confident is an achievable goal.
>>>
>>>
>>>
>>>     Speaking of adoption - our next goal is to build all the tools
>>>     needed for a real-world internetwork involving the most popular
>>>     crypto-currencies. Seeing is believing - we want as many people as
>>>     possible to experience real ILP payments. The initial intended use
>>>     case will be micro-payments. There is also still a lot of work to be
>>>     done on the reference implementation and on porting ILP to other
>>>     languages.
>>>
>>>     On Fri, Sep 16, 2016 at 6:13 PM, Christopher Bartley
>>>     <morelazers@gmail.com <mailto:morelazers@gmail.com>> wrote:
>>>
>>>         Sorry to chime in out of place but I think that this post by a
>>>         Ripple employee may help to clarify
>>>         (http://www.xrpchat.com/topic/1991-a-big-update/?do=findComm
>>> ent&comment=18189
>>>         <http://www.xrpchat.com/topic/1991-a-big-update/?do=findComm
>>> ent&comment=18189>)
>>>         My understanding is that ILP among the banks is not RCL-enabled
>>>         and serves as an internal subledger for each bank to escrow
>>>         funds prior to transfer. Because the transactions are not
>>>         submitted to RCL they are private and do not appear on the
>>>         public ledger. My understanding is that the publicly announced
>>>         banks are already using it to transfer fiat or will be will be
>>>         very soon. Deploying ILP privately will allow them to integrate
>>>         with other private networks or public ledgers should they chose,
>>>         but for now it's effectively a private and permissioned ledger
>>>         using ILP within network.
>>>
>>>         I'd still appreciate a response from Stephan and Adrian,
>>>         especially if I'm way off here.
>>>
>>>         Best,
>>>
>>>         Chris
>>>
>>>         Sent from Das Fone
>>>
>>>
>>>         On Sep 16, 2016 10:01 AM, "Roger Bass" <roger@traxiant.com
>>>         <mailto:roger@traxiant.com>> wrote:
>>>
>>>             Stefan or Adrian:
>>>
>>>             are you able to say publicly which banks will be moving
>>>             transactions over ILP come October 1?
>>>
>>>             Presumably, this means that a version of Ripple Connect with
>>>             ILP as a "protocol switch" is already shipped and deployed
>>>             to those banks, right?
>>>
>>>             Best,
>>>             Roger
>>>
>>>
>>>             On Thu, Sep 15, 2016 at 8:21 PM, Daniel Bateman
>>>             <7daniel77@gmail.com <mailto:7daniel77@gmail.com>> wrote:
>>>
>>>                 Thank you for this clarification Stefan.
>>>
>>>                 Is this information published on the Ripple website
>>>                 and/or Ripple wiki? If not, may I ask why not?
>>>
>>>                 Best,
>>>                 Daniel
>>>
>>>                 On Sep 15, 2016 7:05 PM, "Stefan Thomas"
>>>                 <stefan@ripple.com <mailto:stefan@ripple.com>> wrote:
>>>
>>>                     What the article is referring to is that Ripple's
>>>                     bank customers will be moving real money through
>>>                     ILP-powered Ripple products starting Oct 1st.
>>>
>>>                     Note that we were developing ILP internally for some
>>>                     time before we decided that it should become open
>>>                     standard and released the white paper. For now the
>>>                     commercial implementation of ILP inside of Ripple
>>>                     products and the open-source work happening in this
>>>                     group are pretty separate. We're getting really good
>>>                     ideas and feedback from the banks using ILP and that
>>>                     feeds back into the community group work. And of
>>>                     course the end goal is to have it all interconnect
>>>                     some day.
>>>
>>>                     It'll take quite some time (and a lot of community
>>>                     traction) before the banks would even consider
>>>                     connecting to a public Interledger. Hence the
>>>                     importance of the work this group is doing that's
>>>                     unrelated to Ripple. For it to be a true standard
>>>                     there has to be lots of activity around it that
>>>                     isn't directly tied to us or our customers.
>>>
>>>                     On Thu, Sep 15, 2016 at 2:22 PM, win than aung
>>>                     <winthan@chomeaye.com <mailto:winthan@chomeaye.com>>
>>>                     wrote:
>>>
>>>                         Hi guys,
>>>
>>>                         I just saw this news
>>>                         - http://www.afr.com/technology/
>>> nab-westpac-part-of-ripples-new-global-payments-network-20160915-grgz81
>>>                         <http://www.afr.com/technology
>>> /nab-westpac-part-of-ripples-new-global-payments-network-20160915-grgz81
>>> >
>>>
>>>                             Ripple has created Ripple Connect, new
>>>                             technology to allow banks to talk to each
>>>                             other, and is developing its "interledger
>>>                             protocol", which will go live on October 1
>>>                             and provide the foundation for banks to
>>>                             directly connect their ledgers with each
>>>                             other without an intermediary.
>>>
>>>
>>>                         Is that ready to go live on Oct 1? Which ledgers
>>>                         are going to try out at live on Oct 1? Gatehub?
>>>                         any hints?
>>>
>>>                         Thanks,
>>>                         Winthan
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
>


-- 
Evan Schwartz | Software Architect | Ripple
[image: ripple.com] <http://ripple.com>
Received on Tuesday, 20 September 2016 14:37:40 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 September 2016 14:37:41 UTC