[Oops -- I sent that too early. Finishing up...]
On Wed, 2003-08-20 at 14:49, Nick Mathewson wrote:
[...]
> I think that the protocol I've outlined resists social engineering
> attacks fairly well, for these reasons:
> 1. In order to be a member in a voting quorum, you must agree with
> all the members of that quorum about who the voting members are.
> 2. When a single trust relationship is removed from a quorum, the
> 'friendliness' criterion favors removing the member who broke
> the relationship, until there is a unique largest subquorum.
> (In other words, if N1...N5 all trust one another, and N1 drops
> his trust relationship to N2, *N1* is removed from the quorum.
> On the other hand, if N1 and N2 stop trusting N3, *N3* is
> removed from the quorum.)
These last two points force directory servers to agree with one another,
lest they be removed from the voting quorum. Therefore, even if an
operator is *convinced* that another directory server is being
dishonest, he needs to persuade others that that directory server is
dishonest in order to get it removed.
3. For a new server to join the voting quorum, it needs to
persuade all but one of the servers in the quorum to trust it,
and it needs to trust all the servers in the quorum. (If the
last server out does not trust the new server, that server is
removed. If it does trust the new server, it is retained.)
This way, there is a way for new servers to join up. (I fear that if
one isn't provided, it'd persuade newbies who want to start directory
servers to start advertising their own independent services, and to
attack the voting quorum as a "sekrit cabal.")
--
Nick
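An added worked example (mine, not code from the message above or from Tor) of the quorum-resolution rules Nick describes: it finds the unique largest mutual-trust subquorum and breaks ties by friendliness, and it goes a little beyond the text in that the same search also yields rule 3 (a newcomer trusted by all but one member is admitted and that one member is dropped). It assumes that a quorum means pairwise mutual trust and that friendliness is the number of other candidates a server trusts; both are my reading, not definitions from the message.

```python
# Added example: resolving the voting quorum from a trust graph.
# Assumed (not stated in the message): a quorum is a set whose members all
# trust one another; a server's friendliness is how many other candidates it
# trusts, so whoever dropped a trust relationship is less friendly and loses.
from itertools import combinations


def full_trust(names):
    """Constructed sample: every server trusts every other server."""
    return {n: {m for m in names if m != n} for n in names}


def is_quorum(trust, group):
    """True when every member of `group` trusts every other member."""
    return all(b in trust[a] and a in trust[b]
               for a, b in combinations(group, 2))


def largest_subquorums(trust, members):
    """All largest subsets of `members` that are quorums."""
    members = sorted(members)
    for size in range(len(members), 0, -1):
        found = [frozenset(c) for c in combinations(members, size)
                 if is_quorum(trust, c)]
        if found:
            return found
    return []


def resolve_quorum(trust, members):
    """Unique largest subquorum of `members`, ties broken by friendliness.
    Returns None when no unique answer exists."""
    candidates = largest_subquorums(trust, members)
    if not candidates:
        return None

    def friendliness(q):
        return sum(len(trust[n] & (set(members) - {n})) for n in q)

    best = max(friendliness(q) for q in candidates)
    winners = [q for q in candidates if friendliness(q) == best]
    return winners[0] if len(winners) == 1 else None


if __name__ == "__main__":
    servers = ["N1", "N2", "N3", "N4", "N5"]
    t = full_trust(servers)
    t["N1"].discard("N2")                      # N1 drops its trust in N2
    print(sorted(resolve_quorum(t, servers)))  # N1, not N2, is removed
```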