From f8d2c175ac4e17b23d7f49b7f6c282c8bb48fab1 Mon Sep 17 00:00:00 2001 From: Torsten Grote Date: Tue, 28 Jul 2020 16:20:20 -0300 Subject: Added section on exchange trust and regional currencies --- .../002-wallet-exchange-management.rst | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'design-documents/002-wallet-exchange-management.rst') diff --git a/design-documents/002-wallet-exchange-management.rst b/design-documents/002-wallet-exchange-management.rst index b3deee06..33d9857e 100644 --- a/design-documents/002-wallet-exchange-management.rst +++ b/design-documents/002-wallet-exchange-management.rst 
@@ -363,3 +363,37 @@ Alternatives * The UI could directly access the wallet's DB for more flexible access to the required data. But this would make the UI less robust against changes in wallet-core. + +Trust +===== + +Ideally, exchanges come with auditors that are trusted by the wallet and therefore the user. +An exchange responsible for a three-letter currency is required to have an auditor, +as these currencies are assumed to be legal tender in a nation state. + +If an exchange and/or an auditor are controlled by an attacker, they can steal user's funds. +Therefore, users should only use "official" auditors responsible for their currency. +As users should not be expected to know which auditors are official +nor perform technical verification steps, the wallet ships with auditors pre-installed. + +However, it should be possible to add a custom auditor, +in case the wallet is outdated or does not have a desired auditor for other reasons. +Since adding custom auditors is dangerous +and can be used to trick users into using malicious exchanges, +this operation should be accompanied by appropriate warnings and security confirmations. + +Taler also supports regional currencies which can have between 4 and 12 letters. +These are not required to have an auditor, but using one is encouraged. +Regional currencies should be shown separate from real currencies in the wallet's balance sheet +and be accompanied by their exchange +to allow for the fact that different regions or organisations chose the same currency code, +but uses different exchanges to handle the currency. + +Open Question: What happens if a regional currency wants to use more than one exchange? + +When withdrawing money to a regional currency exchange, +the user should be made aware of the fact that the currency of the exchange is not official. +A warning should be shown if a currency does not have an auditor +or the auditor is not trusted by the users. 
+If the user expressed trust for a regional currency's auditor, +no further warnings will be shown for the given currency. -- cgit v1.2.3
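Review bot: The new Trust section states that an exchange for a three-letter currency "is required to have an auditor", but it never says what the wallet does when such an exchange has none, while the warning behaviour is only specified for regional currencies ("A warning should be shown if a currency does not have an auditor or the auditor is not trusted"). Please add a sentence stating whether the wallet refuses withdrawals to an auditor-less three-letter-currency exchange or merely warns, and likewise whether the final paragraph's "no further warnings will be shown" also covers the no-auditor case for a regional currency, since that case has no auditor the user could express trust in. Minor wording in the same hunk: "steal user's funds" should be "steal users' funds", and "chose the same currency code, but uses different exchanges" should read "choose ... but use"; "trusted by the users" should be singular to match "the user" used elsewhere in the section.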