From 407837def5ee00b78ff8e3ecb0698280be167e61 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Wed, 29 Jul 2020 12:47:48 +0200 Subject: expanding on wallet exchange management --- .../002-wallet-exchange-management.rst | 93 +++++++++++++++------- 1 file changed, 63 insertions(+), 30 deletions(-) (limited to 'design-documents') diff --git a/design-documents/002-wallet-exchange-management.rst b/design-documents/002-wallet-exchange-management.rst index 33d9857e..d70a799c 100644 --- a/design-documents/002-wallet-exchange-management.rst +++ b/design-documents/002-wallet-exchange-management.rst @@ -93,6 +93,22 @@ Con: => Maybe non-permanent exchanges can be "sticky" to some particular withdrawal session? +=> CG: Eh, I was expecting there to be a way to remove exchanges at least + from the list of _trusted_ exchanges (if I view the full list, maybe + with a trash bin or a swipe-to-remove functionality, or maybe on the + "detailed view" of the exchange where I can review TOS/PP). + Now, if there are coins actively withdrawn from the exchange, that would + _only_ remove the exchange from the trusted list (what the user sees), + and once all coins have been spent, we could stop refreshing /keys + for that exchange and thus truly "deactivate" it. And once all spent coins + have been "garbage collected", we can then truly forget about everything. + (See above about garbage collection of exchanges.) + + [The auditor list view should also have a similar way to remove auditors.] + + So I'm not sure why you are saying that we are not planning on + having a "mechanism to remove exchanges". + Proposed Solution ================= 
@@ -367,33 +383,50 @@ Alternatives Trust ===== -Ideally, exchanges come with auditors that are trusted by the wallet and therefore the user. -An exchange responsible for a three-letter currency is required to have an auditor, -as these currencies are assumed to be legal tender in a nation state. - -If an exchange and/or an auditor are controlled by an attacker, they can steal user's funds. -Therefore, users should only use "official" auditors responsible for their currency. -As users should not be expected to know which auditors are official -nor perform technical verification steps, the wallet ships with auditors pre-installed. - -However, it should be possible to add a custom auditor, -in case the wallet is outdated or does not have a desired auditor for other reasons. -Since adding custom auditors is dangerous -and can be used to trick users into using malicious exchanges, -this operation should be accompanied by appropriate warnings and security confirmations. - -Taler also supports regional currencies which can have between 4 and 12 letters. -These are not required to have an auditor, but using one is encouraged. -Regional currencies should be shown separate from real currencies in the wallet's balance sheet -and be accompanied by their exchange -to allow for the fact that different regions or organisations chose the same currency code, -but uses different exchanges to handle the currency. - -Open Question: What happens if a regional currency wants to use more than one exchange? - -When withdrawing money to a regional currency exchange, -the user should be made aware of the fact that the currency of the exchange is not official. -A warning should be shown if a currency does not have an auditor -or the auditor is not trusted by the users. -If the user expressed trust for a regional currency's auditor, -no further warnings will be shown for the given currency. +Ideally, exchanges come with auditors that are trusted by the wallet and +therefore the user. 
An exchange responsible for a three-letter currency is +required to have an auditor, as these currencies are assumed to be legal +tender in a nation state. + +If an exchange and/or an auditor are controlled by an attacker, they can steal +user's funds. Therefore, users should only use "official" auditors +responsible for their currency. As users should not be expected to know which +auditors are official nor perform technical verification steps, the wallet +ships with auditors pre-installed. + +It is assumed that -- from the user's point of view -- all auditors for a +given currency are equivalent and that (modulo fees) there are no significant +differences between the coins (fungibility) because most merchants will accept +coins from exchanges of any auditor. Thus, there is no need for the user +interface to explicitly show the auditor for audited currencies, and we only +show the currency code. This is mandatory for three-letter currencies, but also +expected to hold for other currency codes if an auditor is used. + +It must be possible to add a custom auditor, for example in case the wallet is +outdated, someone is setting up an experimental deployment and wants to test +it with the wallet, or simply to ensure that the user always has the last word +about whom to trust. Since adding custom auditors is dangerous and can be +used to trick users into using malicious exchanges, this operation should be +accompanied by appropriate warnings and security confirmations. + +Taler also supports regional currencies which are represented using currency +codes between 4 and 12 letters. These are not required to have an auditor. +Regional currencies should be shown separate from real currencies in the +wallet's balance sheet. 
If a regional currency does not have an auditor, its +balance display in the user interface will be accompanied by their exchange's +URL to allow for the fact that different regions or organisations may choose +the same currency code, but use different and non-interoperable exchanges to +handle the independent currencies. + +If a regional currency wants to use more than one exchange, it must use an +auditor. In this case, operators must ensure that from the user's point of +view, the coins of the different exchanges are interoperable. If a regional +exchange has an auditor, the regional currency code will be shown together +with the URL of the auditor instead of the URL of the exchange. + +When withdrawing money from a regional currency exchange, the user should be +made aware of the fact that the currency of the exchange is not "official". A +warning should be shown if a currency does not have an auditor or the auditor +is not trusted by the users. If the user expressed trust for a regional +currency's auditor or a regional currency's exchange, no further warnings will +be shown for the given currency. -- cgit v1.2.3
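Review bot: In the first hunk (`@@ -93,6 +93,22 @@`), the removal lifecycle is described only as a conversational reply inside the "Con" list, yet it defines three distinct states (removed from the trusted list while coins remain, `/keys` no longer refreshed once all coins are spent, fully forgotten after garbage collection) that belong in the Proposed Solution section as explicit states with their transitions. The reply also says removal "would _only_ remove the exchange from the trusted list (what the user sees)", but does not say what the wallet still does with an untrusted exchange that holds coins; the document should state plainly that spending and refreshing remain possible in that state so that coins are not stranded, and that the stop of `/keys` refreshing is gated on the coin balance reaching zero. The bracketed remark about auditor removal should likewise become a requirement rather than an aside.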
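Review bot: In the second hunk (`@@ -367,33 +383,50 @@`), showing only the currency code for audited currencies ("there is no need for the user interface to explicitly show the auditor ... and we only show the currency code") conflicts with the later statement that adding custom auditors "can be used to trick users into using malicious exchanges": once a user has been talked into adding a custom auditor for a three-letter code, balances backed by that auditor become indistinguishable in the UI from balances backed by the pre-installed ones. The text should restrict the code-only display to pre-installed auditors, or require that balances backed by a user-added auditor are shown together with the auditor's identity, in the same way the hunk already requires the exchange URL or auditor URL for regional currencies. Similarly, "If the user expressed trust ... no further warnings will be shown" should say whether that trust decision is revisited when the auditor's or exchange's keys or terms change.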