[E-Lang] MintMaker with ACLs

Mark S. Miller markm@caplet.com
Tue, 30 Jan 2001 12:17:38 -0800

As I mentioned earlier, I'm trying to postpone participation in threads like 
this till weekends, but I had to respond to this immediately, as I think 
that, at best, the language in here is misleading and could easily be 

In fact, in terms of the kinds of vulnerability MarcS explains -- reliance 
on the Mint or Bank, the MintMaker is vastly closer to Hal's bank than it is 
to MarcS' example -- physical cash.

Cash has better security properties than seem possible in the electronic 
realm.  The MintMaker is not only vastly weaker than cash, it is vastly 
weaker than possible electronic monies, as the text introducing the 
MintMaker should make clear.  Finally, I believe the MintMaker is somewhat 
stronger than Hal's bank for reasons related to MarcS' message, but I 
haven't yet had the time to examine Hal's bank closely.

At 11:46 AM Tuesday 1/30/01, Marc Stiegler wrote:
>This new version may or may not answer an issue that I have that is not
>quite Tyler's issue, though it is related to the difference between a mint
>that makes money and a bank that tracks people's accounts.
>Physical metaphor: My car breaks down in the Appalachians, a barefoot
>14-year-old kid comes down from a ramshackle shanty and helps me get it
>started. I give him a 20-dollar bill as thanks for helping out.

The security properties of this put anything possible with computers to 
shame.  (Assuming non-counterfeitable bills, of course.)

>The kid does not need an account with a bank, he merely needs a hand with
>which to grasp the money. 

A Purse is much closer to an account at the bank than it is to cash.  The 
Mint can know of any transaction involving a Purse, and can alter these 
balances at will.

>No bank is in a position to know that it was the
>kid who got the money, so if someone at the bank has a grudge against that
>kid, too bad for the grudge holder: they cannot diddle the account to take
>the money from him. 

If someone at the Mint suspects that a given Purse is held by the kid, he 
can do likewise.

>Though the mint owner (the government in the case of
>dollars) can defile the currency, they cannot target the boy for
>confiscation. And the bank cannot say, "this boy is untrustworthy and we
>will not grant him an account, at least not until he has done the following
>things to prove to us that he is properly subservient."

If they can figure out which Purses are held by the kid, they can do exactly 
the same.  Since we have neither untraceability (as a mix network could 
provide) nor unlinkability (as blinding would provide), we cannot make 
strong assumptions about the inability of the Mint (or its employees) to 
link Purses to their holder.

>The MintMaker supports the electronic equivalent of this interaction. I can
>give money to people (and computing objects) who don't have and don't want
>accounts--why should I have to get an account just to accept payment? Save
>me from this hassle!

Each Purse is an account, and each holder of a capability to a Purse thereby 
has an account.

>Another way of looking at this is, a mint has less authority, and needs less
>authority, than a bank. A mint must be trusted to do good accounting, but it
>does not have to be trusted with the knowledge of who owns how much, since
>it only knows about purses, and purses map many-to-many on owners of purses.
>This makes it very different from a bank.

This is all true and important.