|author||Torsten Grote <email@example.com>||2020-07-28 16:20:20 -0300|
|committer||Torsten Grote <firstname.lastname@example.org>||2020-07-28 16:20:20 -0300|
Added section on exchange trust and regional currencies
Diffstat (limited to 'design-documents')
1 files changed, 34 insertions, 0 deletions
diff --git a/design-documents/002-wallet-exchange-management.rst b/design-documents/002-wallet-exchange-management.rst
index b3deee0..33d9857 100644
@@ -363,3 +363,37 @@ Alternatives
* The UI could directly access the wallet's DB for more flexible access to the
required data. But this would make the UI less robust against changes in wallet-core.
+Ideally, exchanges come with auditors that are trusted by the wallet and therefore the user.
+An exchange responsible for a three-letter currency is required to have an auditor,
+as these currencies are assumed to be legal tender in a nation state.
+If an exchange and/or an auditor are controlled by an attacker, they can steal user's funds.
+Therefore, users should only use "official" auditors responsible for their currency.
+As users should not be expected to know which auditors are official
+nor perform technical verification steps, the wallet ships with auditors pre-installed.
+However, it should be possible to add a custom auditor,
+in case the wallet is outdated or does not have a desired auditor for other reasons.
+Since adding custom auditors is dangerous
+and can be used to trick users into using malicious exchanges,
+this operation should be accompanied by appropriate warnings and security confirmations.
+Taler also supports regional currencies which can have between 4 and 12 letters.
+These are not required to have an auditor, but using one is encouraged.
+Regional currencies should be shown separate from real currencies in the wallet's balance sheet
+and be accompanied by their exchange
+to allow for the fact that different regions or organisations chose the same currency code,
+but uses different exchanges to handle the currency.
+Open Question: What happens if a regional currency wants to use more than one exchange?
+When withdrawing money to a regional currency exchange,
+the user should be made aware of the fact that the currency of the exchange is not official.
+A warning should be shown if a currency does not have an auditor
+or the auditor is not trusted by the users.
+If the user expressed trust for a regional currency's auditor,
+no further warnings will be shown for the given currency.