On Thu, Mar 08, 2007 at 11:47:02PM -0500, Roger Dingledine wrote: [...] > More generally, is it possible to come up with a dynamic value of "2 > months" that is a function of the current network, so we will also see > some protection when there are no nodes that have been up for that long, > or when nearly all the nodes have been up for that long? Or is the whole > point that we're vulnerable to attack if we don't use a fixed cap? I think a fix_able_ cap probably gets us most of the benefit: if we change the cap, only the directory servers need to change their code or configuration. Really, though, this is a band-aid, and we don't want to make it too sophisticated. Remember that 'uptime' is a bad proxy for the property we want the 'Stable' flag to measure. Mean time between failures would approximate stability better, I think. Directory authorities already track whether routers seem to be running; if they can remember _how long_ they've believed each router to be running, and how long it was running before that, we can stop having the directory authorities look at uptime at all. The coding would be marginally harder for that approach, but hardly prohibitive. yrs, -- Nick Mathewson
Attachment:
pgpqm4F5To7Qe.pgp
Description: PGP signature