
Re: Draft: Directory agreement in Type III



On Thu, 14 Aug 2003 13:22:21 -0400, Nick Mathewson <nickm@freehaven.net> wrote:

Mixminion directory agreement protocol -- draft
Nick Mathewson
13 August 2003

- When the protocol succeeds, it should create a directory
signed by a large quorum of directory servers.  If at least
half of the quorum has signed a directory, clients should be
able to trust that directory.
See Steve's point. This seems rather arbitrary to me. Why only half and not e.g. 75%? Why not 80%?

- If an attacker controls less than half of the directory
servers in a quorum, the attacker should not be able to sign
up an arbitrary number of nodes.
Tricky. Because if the attacker controls _more_ than half of the directory servers, and aspires to do so using multiple servers or accomplices .....

- If at least half of the directory servers in a quorum are
running, cooperative, and able to communicate, then they
should produce a signed directory.
I assume that the directory servers will always include 'friendly' mixes (like a friends mix). Also, even the best servers go down and it would be nice to include them even if they are down. (IMO)

- If a directory server does not obey the protocol, other servers
should be able to prove it.
Seems like a recipe for trouble if you ask me! Divide and Conquer is what is happening in APA-S already. I think it is best not to point fingers and for directory server administrators to keep a low profile instead of fighting with other directory servers, if only to keep mailing lists like this readable.

Conflicts arise easily on the internet and are solved rarely (I have also been guilty of this, I must admit).


2.3. What directory servers know

- Whether it considers the mix 'credible'.  (A mix is 'credible'
if the directory server thinks it is honest.  Different
directory servers may have different criteria here: Some
directory servers will consider new mixes as automatically
'credible' unless they have evidence of their dishonesty;
others will consider new mixes as 'non-credible' at first,
and list them as 'credible' after a probationary period.)
This also seems to cause more problems than it solves IMO. Honest means that a mix tries to be reliable -> which it can't guarantee, depending on its ISP; it does not attack the network -> which at least cannot be proved (or disproved) in the current mixmaster network; and it doesn't break users' anonymity.

If this credibility becomes automated in clients, I foresee lots of trouble in arriving at a single directory each day. Every directory server admin will have its own set of 'credible' and 'honest' mixes. It might not even be the fault of a certain mix that it loses mail. The fault might also be on the receiving or even the sending side, which might lead to a lot of finger pointing and unhealthy discussions (high blood pressure kind of discussions).



Oops, I suddenly (reading 2.4 and having some thoughts about Hall of Fame lists at the directory servers in an attempt to 'sort' them deterministically) realize some way to seriously destroy the mixminion network. It would be possible to totally DoS like half the servers on today's directory, which will make them dishonest and skipped the next day, and then the remaining half (or a quarter) could be DoSsed. I don't think mixmaster is this vulnerable because the keys last longer and it is hard to flood all the remailers at once (though some do go down after an attack, IIRC from the past in APA-S). Just a troubling thought..

Regards,
Thomas
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/