commit 2afd4c128bf151552b23b14c9f7ee2b0cb260385
parent 879739666fd6f37b2f193716d62c06c0447cae71
Author: Mikolai Gütschow <mikolai.guetschow@tu-dresden.de>
Date: Mon, 30 Jun 2025 10:43:10 +0200
protocol/payment: hint on potential usage of nonce
Diffstat:
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/draft-guetschow-taler-protocol.md b/draft-guetschow-taler-protocol.md
@@ -449,7 +449,7 @@ nonce = EdDSA-Keygen() |
persist nonce.priv |
| |
|------- /orders/{order.id}/claim ------>|
- | (nonce, token?) |
+ | (nonce.pub, token?) |
| |
| h_wire = HKDF(wire_salt, payto,
| "merchant-wire-signature", 64)
@@ -484,8 +484,6 @@ persist (contract, sig, *deposit) |
check EdDSA-Verify(merchant.pub, msg2, sig2) |
~~~
-TODO: discuss - nonce doesn't strictly need to be EdDSA keypair?
-
where `msg0`, `*msg1`, and `msg2` are formed as follows:
~~~
@@ -505,6 +503,11 @@ msg2 = bigEndian(32, 72) | bigEndian(32, 1104) /* TALER_SIGNATURE_MERCHANT_PAYME
(without age restriction, policy and wallet data hash)
+Note that the private key of `nonce` is currently not used anywhere in the protocol.
+However, it could be used in the future to prove ownership of an order transaction,
+enabling use-cases such as "unclaiming" or transferring an order to another person,
+or proving the payment without resorting to the individual coins.
+
## Deposit
~~~
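Review bot: The added note says the private key of `nonce` is currently unused, but it does not say how implementations should treat that key in the meantime, even though the claim diagram in the first hunk still has the wallet `persist nonce.priv`. The future uses listed here (proving ownership of an order, transferring it, proving payment) only work if the key was retained and kept secret from the moment the order was claimed. An implementer reading "not used anywhere" could reasonably discard it or store it without protection. Consider adding a sentence such as `Wallets should nevertheless generate a fresh nonce key pair for each order and protect the private key like any other wallet secret.` Whether per-order freshness is already required elsewhere in the draft is not visible from this hunk.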