summaryrefslogtreecommitdiff
path: root/design-documents
diff options
context:
space:
mode:
Diffstat (limited to 'design-documents')
-rw-r--r--design-documents/002-wallet-exchange-management.rst34
1 files changed, 34 insertions, 0 deletions
diff --git a/design-documents/002-wallet-exchange-management.rst b/design-documents/002-wallet-exchange-management.rst
index b3deee06..33d9857e 100644
--- a/design-documents/002-wallet-exchange-management.rst
+++ b/design-documents/002-wallet-exchange-management.rst
@@ -363,3 +363,37 @@ Alternatives
* The UI could directly access the wallet's DB for more flexible access to the
required data. But this would make the UI less robust against changes in wallet-core.
+
+Trust
+=====
+
+Ideally, exchanges come with auditors that are trusted by the wallet and therefore the user.
+An exchange responsible for a three-letter currency is required to have an auditor,
+as these currencies are assumed to be legal tender in a nation state.
+
+If an exchange and/or an auditor are controlled by an attacker, they can steal user's funds.
+Therefore, users should only use "official" auditors responsible for their currency.
+As users should not be expected to know which auditors are official
+nor perform technical verification steps, the wallet ships with auditors pre-installed.
+
+However, it should be possible to add a custom auditor,
+in case the wallet is outdated or does not have a desired auditor for other reasons.
+Since adding custom auditors is dangerous
+and can be used to trick users into using malicious exchanges,
+this operation should be accompanied by appropriate warnings and security confirmations.
+
+Taler also supports regional currencies which can have between 4 and 12 letters.
+These are not required to have an auditor, but using one is encouraged.
+Regional currencies should be shown separate from real currencies in the wallet's balance sheet
+and be accompanied by their exchange
+to allow for the fact that different regions or organisations chose the same currency code,
+but uses different exchanges to handle the currency.
+
+Open Question: What happens if a regional currency wants to use more than one exchange?
+
+When withdrawing money to a regional currency exchange,
+the user should be made aware of the fact that the currency of the exchange is not official.
+A warning should be shown if a currency does not have an auditor
+or the auditor is not trusted by the users.
+If the user expressed trust for a regional currency's auditor,
+no further warnings will be shown for the given currency.