summaryrefslogtreecommitdiff
path: root/design-documents
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2020-07-29 12:47:48 +0200
committerChristian Grothoff <christian@grothoff.org>2020-07-29 12:47:48 +0200
commit407837def5ee00b78ff8e3ecb0698280be167e61 (patch)
tree49b3c8b36f4ae9533c4c6ebd947e07b08e2b94fa /design-documents
parentf8d2c175ac4e17b23d7f49b7f6c282c8bb48fab1 (diff)
downloaddocs-407837def5ee00b78ff8e3ecb0698280be167e61.tar.gz
docs-407837def5ee00b78ff8e3ecb0698280be167e61.tar.bz2
docs-407837def5ee00b78ff8e3ecb0698280be167e61.zip
expanding on wallet exchange management
Diffstat (limited to 'design-documents')
-rw-r--r--design-documents/002-wallet-exchange-management.rst93
1 files changed, 63 insertions, 30 deletions
diff --git a/design-documents/002-wallet-exchange-management.rst b/design-documents/002-wallet-exchange-management.rst
index 33d9857..d70a799 100644
--- a/design-documents/002-wallet-exchange-management.rst
+++ b/design-documents/002-wallet-exchange-management.rst
@@ -93,6 +93,22 @@ Con:
=> Maybe non-permanent exchanges can be "sticky" to some particular
withdrawal session?
+=> CG: Eh, I was expecting there to be a way to remove exchanges at least
+ from the list of _trusted_ exchanges (if I view the full list, maybe
+ with a trash bin or a swipe-to-remove functionality, or maybe on the
+ "detailed view" of the exchange where I can review TOS/PP).
+ Now, if there are coins actively withdrawn from the exchange, that would
+ _only_ remove the exchange from the trusted list (what the user sees),
+ and once all coins have been spent, we could stop refreshing /keys
+ for that exchange and thus truly "deactivate" it. And once all spent coins
+ have been "garbage collected", we can then truly forget about everything.
+ (See above about garbage collection of exchanges.)
+
+ [The auditor list view should also have a similar way to remove auditors.]
+
+ So I'm not sure why you are saying that we are not planning on
+ having a "mechanism to remove exchanges".
+
Proposed Solution
=================
@@ -367,33 +383,50 @@ Alternatives
Trust
=====
-Ideally, exchanges come with auditors that are trusted by the wallet and therefore the user.
-An exchange responsible for a three-letter currency is required to have an auditor,
-as these currencies are assumed to be legal tender in a nation state.
-
-If an exchange and/or an auditor are controlled by an attacker, they can steal user's funds.
-Therefore, users should only use "official" auditors responsible for their currency.
-As users should not be expected to know which auditors are official
-nor perform technical verification steps, the wallet ships with auditors pre-installed.
-
-However, it should be possible to add a custom auditor,
-in case the wallet is outdated or does not have a desired auditor for other reasons.
-Since adding custom auditors is dangerous
-and can be used to trick users into using malicious exchanges,
-this operation should be accompanied by appropriate warnings and security confirmations.
-
-Taler also supports regional currencies which can have between 4 and 12 letters.
-These are not required to have an auditor, but using one is encouraged.
-Regional currencies should be shown separate from real currencies in the wallet's balance sheet
-and be accompanied by their exchange
-to allow for the fact that different regions or organisations chose the same currency code,
-but uses different exchanges to handle the currency.
-
-Open Question: What happens if a regional currency wants to use more than one exchange?
-
-When withdrawing money to a regional currency exchange,
-the user should be made aware of the fact that the currency of the exchange is not official.
-A warning should be shown if a currency does not have an auditor
-or the auditor is not trusted by the users.
-If the user expressed trust for a regional currency's auditor,
-no further warnings will be shown for the given currency.
+Ideally, exchanges come with auditors that are trusted by the wallet and
+therefore the user. An exchange responsible for a three-letter currency is
+required to have an auditor, as these currencies are assumed to be legal
+tender in a nation state.
+
+If an exchange and/or an auditor are controlled by an attacker, they can steal
+user's funds. Therefore, users should only use "official" auditors
+responsible for their currency. As users should not be expected to know which
+auditors are official nor perform technical verification steps, the wallet
+ships with auditors pre-installed.
+
+It is assumed that -- from the user's point of view -- all auditors for a
+given currency are equivalent and that (modulo fees) there are no significant
+differences between the coins (fungibility) because most merchants will accept
+coins from exchanges of any auditor. Thus, there is no need for the user
+interface to explicitly show the auditor for audited currencies, and we only
+show the currency code. This is mandatory for three-letter currencies, but also
+expected to hold for other currency codes if an auditor is used.
+
+It must be possible to add a custom auditor, for example in case the wallet is
+outdated, someone is setting up an experimental deployment and wants to test
+it with the wallet, or simply to ensure that the user always has the last word
+about whom to trust. Since adding custom auditors is dangerous and can be
+used to trick users into using malicious exchanges, this operation should be
+accompanied by appropriate warnings and security confirmations.
+
+Taler also supports regional currencies which are represented using currency
+codes between 4 and 12 letters. These are not required to have an auditor.
+Regional currencies should be shown separate from real currencies in the
+wallet's balance sheet. If a regional currency does not have an auditor, its
+balance display in the user interface will be accompanied by their exchange's
+URL to allow for the fact that different regions or organisations may choose
+the same currency code, but use different and non-interoperable exchanges to
+handle the independent currencies.
+
+If a regional currency wants to use more than one exchange, it must use an
+auditor. In this case, operators must ensure that from the user's point of
+view, the coins of the different exchanges are interoperable. If a regional
+exchange has an auditor, the regional currency code will be shown together
+with the URL of the auditor instead of the URL of the exchange.
+
+When withdrawing money from a regional currency exchange, the user should be
+made aware of the fact that the currency of the exchange is not "official". A
+warning should be shown if a currency does not have an auditor or the auditor
+is not trusted by the users. If the user expressed trust for a regional
+currency's auditor or a regional currency's exchange, no further warnings will
+be shown for the given currency.