Re: [Taler] denomination manipulation

[Christian Grothoff]

1) RESTful API with 'GET" over HTTP implies that HTTP cache control
   is always a possibility; for /keys, this was made an explicit
   requirement a month ago:
   https://gnunet.org/bugs/view.php?id=4036
   (we tend update the spec based on what is implemented)

2) The fact that denomination keys change over time is ancient and
   part of basic operations; while we don't have a mint operators
   manual listing procedures explicitly, the feature is documented:
   https://gnunet.org/bugs/view.php?id=3634
   man taler-mint-keyup

So the question is more what you consider "the spec": man pages? Bug
reports on missing features? Or just api.taler.net (where yes, there I
think it is not yet explicit, pending #4036's resolution).

On 11/28/2015 05:22 AM, Jeff Burdges wrote:
> Alright, I'll grant that, if /keys actually auto-updates for say the
> mints for which the wallet holds coins, then over time the majority of
> /keys accesses will not be correlated to web page activity.  I believe
> that this should be enough to protect *existing* users against
> denomination manipulation attacks.*
> 
> This is NOT a part of the spec though, neither is cashing of /keys. 
>  You're wrong to complain that I'm highlighting these issues.