Re: [Taler] denomination manipulation

[Jeff Burdges]

On Thu, 2015-11-26 at 17:18 +0100, Sree Harsha Totakura wrote:
> Alternatively, we can have anonymous ombudsmen to keep checking the
> mints' keys anonymously and if there happens to be any foul play by a
> mint, they can be then able to prove it since all the lists are
> signed
> by the mint.

No.  The attacks I describe are highly targeted.  Your user ombudsmen
will never see the bad denominations.

Now if your ombudsmen includes both users and merchants then the bad
mint is restricted to modifying only the denomination lists for users
it's interested in snagging, which makes the attack slightly harder.

Along this line, there is a partial protection against this attack :
Merchants should always publish the hash of the signed full list of
denominations they accept from a particular mint, or maybe the full
list itself.  And wallets should refuse to work with merchants who's
list does not appear familiar, even if acceptable denominations exist
in their list.  

We should've stuff quite close to this already to prevent users from
attempting to use denominations merchants do not accept, but I'm not
sure if we process it at the level of full lists.  I'll check the API
in a bit. 

Jeff

signature.asc
Description: This is a digitally signed message part