Now I am fully confused. I thought a property of Chaumian DigiCash was that a coin *had* to go back to the bank before it could be spent again. Yet all "coin exchange" schemes discussed here recently involve Alice paying Bob who then sends the coin to Carol's Exchange who then sends it to the bank while sending some other value, maybe a Carol coin, to Bob. Logically, I can see at least four possibilities: 1) payee data is encoded onto the coin at time of payment, making it impossible for Carol to bank the coin. I see no evidence of this in the docs at the Digicash site, but I just rechecked quickly and may have missed it. 2) No payee data as such is encoded on the coin but it is marked "spent" to prevent multiple uses by payee to the detriment of payor. ditto on the evidence. 3) the Digicash software only allows you to send a "spent" coin to the bank. You have to hack the software to send the coin to Carol (do you have to break your own key?). 4) nothing in the DigiCash software or protocol prevents you from sending a coin to Carol so long as you trust Carol not to get you in trouble by misusing the coin in some way. That's why Chaum is interested in hardware based agents that would keep you from respending coins you receive. No doubt there are others. Anyone know what the reality is? A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here.