[E-Lang] ERTP-aware MintMaker

hal@finney.org hal@finney.org
Tue, 13 Feb 2001 20:24:09 -0800

This may go away once Mark fixes that other problem with vouch, but the
following code seems a little risky to me:

>                 to transfer(var src,var dest) { 
>                     src := issuer vouch(src)
>                     dest := issuer vouch(dest)
>                     unsealer unseal(src.decr)(quantity)
>                     unsealer unseal(dest.incr)(quantity)
>                 }

It is not wrong, but it is brittle in that "vouch" works OK for both
purses and assays.  In this case we expect it to be used for a purse,
and indeed only purses will respond to the getDecr message implicit
in src.decr.

However if at some point in the future someone unthinkingly adds a getDecr
message to assay, they will have opened up the possibility that an assay
could be passed as src to this code.  Then it will no longer throw the
exceptions that prevent a fraud from being put across.

It seems risky to have the security depend on the fact that only certain
objects will respond to messages with particular names.
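As an added JavaScript sketch (not the E-Lang MintMaker code quoted above), here is the quoted transfer beside a version whose vouch admits purses only, so an assay can never reach unseal(src.decr) even if it later answers decr. makeMint, vouchPurse, the WeakSet brands standing in for E's sealer/unsealer, and the withDecr flag that simulates the future mistake are assumptions for illustration.

```javascript
// Added example, not the E-Lang MintMaker itself. WeakSet/WeakMap brands play
// the role of E's issuer vouch and sealer/unsealer; `withDecr` simulates the
// "someone unthinkingly adds getDecr to assay" mistake the post warns about.
function makeMint() {
  const purses = new WeakSet();          // purse-only brand
  const assays = new WeakSet();          // assay brand
  const boxes = new WeakMap();           // sealed decr/incr facets, keyed by box
  const seal = (fn) => { const box = {}; boxes.set(box, fn); return box; };
  const unseal = (box) => {
    if (!boxes.has(box)) throw new Error('not sealed by this mint');
    return boxes.get(box);
  };

  function makePurse(balance) {
    const purse = {
      getBalance: () => balance,
      decr: seal((q) => { if (q < 0 || q > balance) throw new Error('insufficient'); balance -= q; }),
      incr: seal((q) => { if (q < 0) throw new Error('negative'); balance += q; }),
    };
    purses.add(purse);
    return purse;
  }

  // An assay holds no balance, so a future `decr` on it can only be a no-op:
  // exactly the object that must never be accepted as the src of a transfer.
  function makeAssay(quantity, withDecr = false) {
    const assay = { getQuantity: () => quantity };
    if (withDecr) assay.decr = seal(() => {});
    assays.add(assay);
    return assay;
  }

  // As in the quoted code: vouch accepts any purse or assay from this issuer.
  const vouch = (o) => { if (purses.has(o) || assays.has(o)) return o; throw new Error('not vouched'); };
  // Hardened: only a purse passes, regardless of which messages it answers.
  const vouchPurse = (o) => { if (purses.has(o)) return o; throw new Error('not a purse'); };

  const transferWith = (check) => (src, dest, quantity) => {
    src = check(src); dest = check(dest);
    unseal(src.decr)(quantity);
    unseal(dest.incr)(quantity);
  };
  return { makePurse, makeAssay,
           transferBrittle: transferWith(vouch), transferHardened: transferWith(vouchPurse) };
}
```

With the brittle transfer, an assay that answers decr lets the dest purse be credited with no purse ever debited; the hardened check fails before any box is unsealed.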