[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: First go at directory server details



On Sun, Jan 12, 2003 at 01:05:43AM -0800, Len Sassaman wrote:
> This is a "best is the enemy of the good enough" situation. I am convinced
> that if we continue down this path, Type III will fail to be adopted.
> Users and remops will never sign on to a system which can be rendered
> inoperable with the simple failure of four servers.

If we let users operate with the last valid directory, I don't think
things would get too out of hand too quickly. Alternatively, if we let
them operate with the most recent claimed directory, fetched from their
favorite server, even if it doesn't have enough signatures, that could
work too.

Let's change my original post to say that directories include all
serverdescs, whether active or not, and either they're marked active
based on consensus, or they're annotated by how many signatures each
one got towards being active.

While we're pondering this issue (and we're not going to solve it
overnight, I'm afraid), can you give us an overview of how you see
remailer information getting propagated? Just so we have an idea of what
we're comparing to. Because my goal for directories is not to add in a
brittle and dangerous extension :), but rather to match the base case
and provide better service when possible.

> I am also find Roger's assertion that two remailers using slightly
> different directories are participating in two different anonymity sets to
> be misleading. There is the issue of overlapping, rather than distinctly
> different, anonymity sets that we must consider. These are not the same
> beasts.

The problem is that when user A uses directory A' and user B uses
directory B', A' and B' differ by even a few nodes, and the users choose
paths of 8 hops and send messages frequently, there's a good chance
they'll use the nodes that aren't in both directories, for at least
a few of the messages. How devastating that leak is, I don't know.
But that's exactly the problem -- we don't know.

--Roger