taler-docs

Documentation for GNU Taler components, APIs and protocols
Log | Files | Refs | README | LICENSE
commit f8d2c175ac4e17b23d7f49b7f6c282c8bb48fab1
parent b25e82b40b71ab5e8d73f552e13340d27d111884
Author: Torsten Grote <t@grobox.de>
Date:   Tue, 28 Jul 2020 16:20:20 -0300

Added section on exchange trust and regional currencies

Diffstat:

Mdesign-documents/002-wallet-exchange-management.rst | 34++++++++++++++++++++++++++++++++++


1 file changed, 34 insertions(+), 0 deletions(-)

diff --git a/design-documents/002-wallet-exchange-management.rst b/design-documents/002-wallet-exchange-management.rst
@@ -363,3 +363,37 @@ Alternatives
 * The UI could directly access the wallet's DB for more flexible access to the
   required data.  But this would make the UI less robust against changes in wallet-core.
 
+
+Trust
+=====
+
+Ideally, exchanges come with auditors that are trusted by the wallet and therefore the user.
+An exchange responsible for a three-letter currency is required to have an auditor,
+as these currencies are assumed to be legal tender in a nation state.
+
+If an exchange and/or an auditor are controlled by an attacker, they can steal user's funds.
+Therefore, users should only use "official" auditors responsible for their currency.
+As users should not be expected to know which auditors are official
+nor perform technical verification steps, the wallet ships with auditors pre-installed.
+
+However, it should be possible to add a custom auditor,
+in case the wallet is outdated or does not have a desired auditor for other reasons.
+Since adding custom auditors is dangerous
+and can be used to trick users into using malicious exchanges,
+this operation should be accompanied by appropriate warnings and security confirmations.
+
+Taler also supports regional currencies which can have between 4 and 12 letters.
+These are not required to have an auditor, but using one is encouraged.
+Regional currencies should be shown separate from real currencies in the wallet's balance sheet
+and be accompanied by their exchange
+to allow for the fact that different regions or organisations chose the same currency code,
+but uses different exchanges to handle the currency.
+
+Open Question: What happens if a regional currency wants to use more than one exchange?
+
+When withdrawing money to a regional currency exchange,
+the user should be made aware of the fact that the currency of the exchange is not official.
+A warning should be shown if a currency does not have an auditor
+or the auditor is not trusted by the users.
+If the user expressed trust for a regional currency's auditor,
+no further warnings will be shown for the given currency.