Re: CRL for the node Identities

Mike Hearn
 

With the addition reference states, it's possible to issue a red list which MUST be included in every transaction 
That's an interesting idea but we have to be careful with implementation choices: red listing as envisioned does not affect the validity of a tx, so including it in a transaction isn't necessary. It'd have to be a flow level thing because it's intended to trigger some sort of warning, action or ticket for human followup. But you can still keep and spend the tokens.

This is highly compatible with AML laws. Most actions taken under the global AML regime are not seizures or freezing of assets - that's a very rare step to take. The vast, vast majority of AML actions are the filing of SARs ("suspicious activity reports"). The Wikipedia page claims SARs are mostly a US thing but many other jurisdictions have the same requirement - AML law is basically invented by the USA, so you can assume its structure is global in nature. Difference between jurisdictions is largely a matter of aggressiveness and detail vs basic requirements.

Regulated entities are meant to file SARs when something is "suspicious" but they have no specific reason to block a transaction or seize funds. This is necessary because banks aren't law enforcement agencies and lack subpoena power, so they can't really investigate things themselves. They have to tell LE and let regulators/LE work together to start a real investigation.

Important to note - you aren't allowed to inform someone you consider their activities suspicious. This is called "tipping off" and is itself considered money laundering (the vast array of things that fall under the rubric of money laundering is one of the reasons everyone always seems to be doing it!). The idea is: if you did inform someone they were being reported, they would go searching for another bank that wasn't reporting them. Obvious, really, but it has interesting side effects.

By implication, even if "suspiciousness" could be expressed as precisely as a list of StateRefs (it can't), you wouldn't be able to publish it on-ledger. Even if you could it'd be pointless because being transiently red-listed due to propagation of an earlier red-list should trigger some sort of ticket that leads to a human filling out a SAR and faxing it to the regulator: that's what flows are for. You could even automate the SAR process using flow logic!

How can you implement redlisting that's compliant with the spirit of "tipping off"? Good question. Maybe SGX to the rescue again? Or maybe some sort of smart cryptography can help. Perhaps what we really want is to decentralise the act of AML enforcement via SGX enclaves, such that people can test transactions for "suspiciousness" or "seize-y-ness" without being able to understand the underlying logic. It'd give us reliability and decentralisation, whilst still fitting with the basic goals of the regulations.

Join corda-dev@groups.io to automatically receive all group messages.