[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r15288: Add the long finished conditional-consensus-download proposa (tor/trunk/doc/spec/proposals)
Author: weasel
Date: 2008-06-15 18:59:54 -0400 (Sun, 15 Jun 2008)
New Revision: 15288
Added:
tor/trunk/doc/spec/proposals/139-conditional-consensus-download.txt
Modified:
tor/trunk/doc/spec/proposals/000-index.txt
Log:
Add the long finished conditional-consensus-download proposal as 139
Modified: tor/trunk/doc/spec/proposals/000-index.txt
===================================================================
--- tor/trunk/doc/spec/proposals/000-index.txt 2008-06-15 22:27:37 UTC (rev 15287)
+++ tor/trunk/doc/spec/proposals/000-index.txt 2008-06-15 22:59:54 UTC (rev 15288)
@@ -61,6 +61,7 @@
136 Mass authority migration with legacy keys [FINISHED]
137 Keep controllers informed as Tor bootstraps [OPEN]
138 Remove routers that are not Running from consensus documents [CLOSED]
+139 Download consensus documents only when it will be trusted [CLOSED]
Proposals by status:
@@ -110,6 +111,7 @@
129 Block Insecure Protocols by Default
130 Version 2 Tor connection protocol
138 Remove routers that are not Running from consensus documents
+ 139 Download consensus documents only when it will be trusted
SUPERSEDED:
112 Bring Back Pathlen Coin Weight
113 Simplifying directory authority administration
Added: tor/trunk/doc/spec/proposals/139-conditional-consensus-download.txt
===================================================================
--- tor/trunk/doc/spec/proposals/139-conditional-consensus-download.txt (rev 0)
+++ tor/trunk/doc/spec/proposals/139-conditional-consensus-download.txt 2008-06-15 22:59:54 UTC (rev 15288)
@@ -0,0 +1,93 @@
+Filename: 139-conditional-consensus-download.txt
+Title: Download consensus documents only when it will be trusted
+Author: Peter Palfrader
+Created: 2008-04-13
+Status: Closed
+
+Overview:
+
+ Servers only provide consensus documents to clients when it is known that
+ the client will trust it.
+
+Motivation:
+
+ When clients[1] want a new network status consensus they request it
+ from a Tor server using the URL path /tor/status-vote/current/consensus.
+ Then after downloading the client checks if this consensus can be
+ trusted. Whether the client trusts the consensus depends on the
+ authorities that the client trusts and how many of those
+ authorities signed the consensus document.
+
+ If the client cannot trust the consensus document it is disregarded
+ and a new download is tried at a later time. Several hundred
+ kilobytes of server bandwidth were wasted by this single client's
+ request.
+
+ With hundreds of thousands of clients this will have undesirable
+ consequences when the list of authorities has changed so much that a
+ large number of established clients no longer can trust any consensus
+ document formed.
+
+Objective:
+
+ The objective of this proposal is to make clients not download
+ consensuses they will not trust.
+
+Proposal:
+
+ The list of authorities that are trusted by a client are encoded in
+ the URL they send to the directory server when requesting a consensus
+ document.
+
+ The directory server then only sends back the consensus when more than
+ half of the authorities listed in the request have signed the
+ consensus. If it is known that the consensus will not be trusted
+ a 404 error code is sent back to the client.
+
+ This proposal does not require directory caches to keep more than one
+ consensus document. This proposal also does not require authorities
+ to verify the signature on the consensus document of authorities they
+ do not recognize.
+
+ The new URL scheme to download a consensus is
+ /tor/status-vote/current/consensus/<F> where F is a list of
+ fingerprints, sorted in ascending order, and concatenated using a +
+ sign.
+
+ Fingerprints are uppercase hexadecimal encodings of the authority
+ identity key's digest. Servers should also accept requests that
+ use lower case or mixed case hexadecimal encodings.
+
+ A .z URL for compressed versions of the consensus will be provided
+ similarly to existing resources and is the URL that usually should
+ be used by clients.
+
+Migration:
+
+ The old location of the consensus should continue to work
+ indefinitely. Not only is it used by old clients, but it is a useful
+ resource for automated tools that do not particularly care which
+ authorities have signed the consensus.
+
+ Authorities that are known to the client a priori by being shipped
+ with the Tor code are assumed to handle this format.
+
+ When downloading a consensus document from caches that do not support this
+ new format they fall back to the old download location.
+
+ Caches support the new format starting with Tor version 0.2.1.1-alpha.
+
+Anonymity Implications:
+
+ By supplying the list of authorities a client trusts to the directory
+ server we leak information (like likely version of Tor client) to the
+ directory server. In the current system we also leak that we are
+ very old - by re-downloading the consensus over and over again, but
+ only when we are so old that we no longer can trust the consensus.
+
+
+
+Footnotes:
+ 1. For the purpose of this proposal a client can be any Tor instance
+ that downloads a consensus document. This includes relays,
+ directory caches as well as end users.