[Taler] KYC support in GNU Taler (Part 2)

[Christian Grothoff]

Dear all,

NLnet has generously decided to support the work of Taler Systems SA in 
implementing KYC support in GNU Taler. I'm writing to give you an update 
on the next milestones.
https://docs.taler.net/taler-exchange-manual.html#oauth-2-0-specifics
in the exchange operator manual describes how an exchange operator would 
configure the OAuth 2.0 KYC plugin.  The following two sections explain 
how to configure two (sadly proprietary) KYC providers that are also 
supported. All of these providers use a "CONVERTER_HELPER" which serves 
to convert the KYC data returned by these providers into the Taler 
format. This is needed as all three choices can basically be used to 
collect and validate arbitrary attributes about the user. In the 
OAuth2.0 case this depends on the OAuth2.0 service, while the two 
proprietary providers support configuring different forms or templates 
for data collection. Depending on these forms, the CONVERTER_HELPER 
programs are JSON-to-JSON transformers that convert the data delivered 
by the KYC provider into the Taler format. "taler-exchange-kyc-*.sh" 
scripts are provided that perform this conversion. In some cases, these 
scripts download and encode additional data (like passport images) as well.
The GNU Taler Challenger service 
(https://docs.taler.net/taler-challenger-manual.html) is a compatible 
OAuth2.0 provider that can be used to validate phone numbers, e-mail 
addresses or postal addresses. It works with the OAuth2.0 KYC plugin 
described above. In principle, the Challenger service can be extended to 
validate any address to which a TAN code can be sent. It uses 
customizable HTML forms and helpers scripts to send the e-mail, SMS or 
physical mail with the TAN codes.
A simple demonstrator (with one of the KYC providers set up, I tend to 
switch them around, so which one you get may vary) is (sometimes) 
available at https://bank.taler.grothoff.org/. You will be forced to 
pass the KYC check if you try to withdraw more than 5 STATER. Note that 
the wallet UX may still not yet be optional, doing that nicely is 
another milestone. However, it should work, but you probably have to 
select the "pending" withdraw transaction manually to get the link to 
the KYC process.
Now for those that really want to read code:

* Challenger implementation is at
https://git.taler.net/challenger.git/

* KYC plugins for all 3 providers and sample conversion scripts are at 
https://git.taler.net/exchange.git/tree/src/kyclogic
Next steps (I will post here when ready):
* AML support (needs testing)
* Auditor support (in principle done, needs more testing)
* Work on wallet/merchant integrations (WiP)


Feedback welcome!

Happy hacking!

Christian