I have a couple of problems/complaints with your ecash project. When I was sent my Acct ID and Passwd they were sent to me plain text instead of being PGP-encrypted first. This means that some malicious hacker could have intercepted the e-mail message and stolen the free cyber-bucks you were so generous as to give me. Second, on the WWW-page where one downloads the software it does not seem to do a secure connection between my browser and your server (on netscape there is a small key in the lower-left hand corner that is supposed to show when one is securely connected to a secure server). So someone could sniff my password from the transaction when I GET the software. Also When I'm buying/selling things it would be smart for all parties involved to be using PGP, and I think you should stress this point more in your page. Otherwise this is another vulnerable point in your system IMHO.
Let's get this straight before spreading more of these vicious rumours that can easily get misinterpreted. DigiCash is an R&D company developing ecash. We license out our technology to banks. We are running the trial, but only have limited resources to do so. This may result in long waiting time for accounts or no answer on a tech support mail. (We are of course trying to prevent this). In a real-money system, the password can of course not be sent out in plain mail. Either it has to be transferred out-of-band (phone, paper) or PGP'd. But that would require at least ten people answering the phones, sending snailmail, etc. We do not have the resources to do so, so we send out the password plain. A malicious hacker may snatch the password and open the account for you and steal your cb$100. This, however, is not related to the security of the transactions once you open the account! The password is only for starting up the account. And of course downloading on a secure server is not relevant. The software is the same for everyone! It is just not put out for public downloading because it would mean a hundred times more people asking for tech support. It would be more secure if we used different passwords for downloading and for opening the accounts but again, that would give a LOT more problems. PGP does not add any security in the payment system. Ecash is already secure. Feel free to ask us the questions before publicly posting. It will prevent misunderstandings and libel lawsuits. // Marcel van der Peijl, DigiCash bv, http://www.digicash.com/~bigmac/ // "If you had to tell the Whole Truth, you'd never shut up."