From ef0eb9e5bf1f0ff18c498e9e7882f75aa7a2576c Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Tue, 14 Jul 2020 21:10:55 +0200 Subject: improve documentation on which invariants are checked by which auditor helper --- doc/system/taler/design.tex | 2 +- doc/system/taler/implementation.tex | 26 ++++++++++++++++---------- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/doc/system/taler/design.tex b/doc/system/taler/design.tex index 3590b8fb1..de91daa13 100644 --- a/doc/system/taler/design.tex +++ b/doc/system/taler/design.tex @@ -555,7 +555,7 @@ security of an exchange as part of the certification process. -\subsubsection{Compromise of Signing Keys} +\subsubsection{Compromise of Signing Keys} \label{sec:signkey:compromise} When a signing key is compromised, the attacker can pretend to be a merchant and forge deposit confirmations. To forge a deposit diff --git a/doc/system/taler/implementation.tex b/doc/system/taler/implementation.tex index 4bed97fd1..973e97894 100644 --- a/doc/system/taler/implementation.tex +++ b/doc/system/taler/implementation.tex @@ -1056,23 +1056,29 @@ auditor. The list of invariants checked by this tool thus includes: \begin{itemize} -\item emergency on denominations because the value or number +\item Testing for an + emergency on denominations because the value or number of coins deposited exceeds the value or number of coins issued; if this happens, the exchange should revoke the respective denomination. -\item various arithmetic inconsistencies from exchanges +\item Checking for arithmetic inconsistencies from exchanges not properly calculating balances or fees during the various coin operations (withdraw, deposit, melt, refund); -\item signatures being wrong for denomination key revocation, - coin denomination signature, - or coin operations (deposit, melt, refund, recoup) -\item denomination keys not being known to the auditor -\item denomination keys being actually revoked if a recoup - is granted -\item coins being melted but not (yet) recouped +\item That signatures are correct for denomination key revocation, + coin denominations, + and coin operations (deposit, melt, refund, recoup) +\item That denomination keys are known to the auditor. +\item That denomination keys were actually revoked if a recoup + is granted. +\item Whether there exists refresh sessions from coins that + have been melted but not (yet) revealed (this can be harmless and no fault of the exchange, but could also be indicative of an exchange failing to process - certain requests in a timely fashion) + certain requests in a timely fashion). +\item That the refund deadline is not after + the wire deadline (while harmless, such a deposit + makes inconsistent requirements and should have been + rejected by the exchange). \end{itemize} -- cgit v1.2.3