[tor-commits] [torspec/master] Update prop 178 to reflect tor-dev discussion
commit db9a429d005ae05ad0841e6026941594d5740b0b
Author: Sebastian Hahn <sebastian@xxxxxxxxxxxxxx>
Date: Fri Nov 25 19:05:53 2011 +0100
Update prop 178 to reflect tor-dev discussion
---
proposals/178-param-voting.txt | 42 ++++++++++++++++++++++++---------------
1 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/proposals/178-param-voting.txt b/proposals/178-param-voting.txt
index 8c38708..df68ad4 100644
--- a/proposals/178-param-voting.txt
+++ b/proposals/178-param-voting.txt
@@ -18,35 +18,44 @@ that paramater. The value of the parameter will be the low-median of
all the votes for this parameter.
This proposal aims at changing this voting process to be more secure
-against tampering by a non-majority of directory authorities.
+against tampering by a small fraction of directory authorities.
Motivation:
-To prevent a minority of the directory authorities from influencing
-the value of a parameter unduly, the majority of directory authorities
-has to vote for that parameter. This is not currently happening, and
-it was in fact not uncommon for a single authority to govern the value
-of a consensus parameter.
+To prevent a small fraction of the directory authorities from
+influencing the value of a parameter unduly, a big enough fraction
+of all directory authorities authorities has to vote for that
+parameter. This is not currently happening, and it is in fact not
+uncommon for a single authority to govern the value of a consensus
+parameter.
Design:
When the consensus is generated, the directory authorities ensure that
-a param is only included in the list of params if at least half of the
-total number of authorities votes for that param. The value chosen is
-the low-median of all the votes. We don't mandate that the authorities
-have to vote on exactly the same value for it to be included because
-some consensus parameters could be the result of active measurements
-that individual authorities make.
+a param is only included in the list of params if at least three of the
+authorities (or a simple majority, whichever is the smaller number)
+votes for that param. The value chosen is the low-median of all the
+votes. We don't mandate that the authorities have to vote on exactly
+the same value for it to be included because some consensus parameters
+could be the result of active measurements that individual authorities
+make.
Security implications:
This change is aimed at improving the security of Tor nodes against
-attacks carried out by a minority of directory authorities. It is
-possible that a consensus parameter that would be helpful to the
+attacks carried out by a small fraction of directory authorities. It
+is possible that a consensus parameter that would be helpful to the
network is not included because not enough directory authorities
voted for it, but since clients are required to have sane defaults
in case the parameter is absent this does not carry a security risk.
+This proposal makes a security vs coordination effort tradeoff. When
+considering only the security of the design, it would be better to
+require a simple majority of directory authorities to agree on
+voting on a parameter, but it would involve requiring more
+directory authority operators to coordinate their actions to set the
+parameter successfully.
+
Specification:
dir-spec section 3.4 currently says:
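Review bot: The added Motivation line "of all directory authorities authorities has to vote for that" repeats the word "authorities"; drop one. In the Design paragraph, "a simple majority" does not say whether it is counted over all authorities or only over those taking part in the vote, while the Specification text this proposal changes spells out "total authorities, not just those participating"; repeating that qualifier in the Design paragraph would keep the two sections in step. The Motivation wording "a big enough fraction" could also name the threshold the Design paragraph then defines (three authorities or a simple majority, whichever is smaller).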
@@ -59,7 +68,8 @@ It is proposed that the above is changed to:
Entries are given on the "params" line for every keyword on which a
majority of authorities (total authorities, not just those
- participating this vote) voted on. The values given are the
+ participating in this vote) voted on, or if at least three
+ authorities voted for that parameter. The values given are the
low-median of all votes on that keyword.
Consensus methods 11 and before, entries are given on the "params"
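Review bot: The added clause "or if at least three authorities voted for that parameter" is not parallel with the "for every keyword on which a majority of authorities ... voted on" construction it is attached to, so the sentence now reads "on which ... voted on, or if ...". Suggest folding both conditions into one, for example "for every keyword on which a majority of authorities (total authorities, not just those participating in this vote) or at least three authorities voted", which also reads more directly as the "whichever is the smaller number" rule from the Design section.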
@@ -74,7 +84,7 @@ The following should be added to the bottom of section 3.4.:
The following line should be added to the bottom of section 3.4.1.:
- "12" -- Params are only included if a majority voted for them
+ "12" -- Params are only included if a enough auths voted for them
Compatibility:
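Review bot: The new method description "Params are only included if a enough auths voted for them" has a stray "a" before "enough", and "enough" leaves the threshold unstated even though the dir-spec text in the previous hunk defines it as a majority or at least three authorities. Suggest naming it in this line too, for example "Params are only included if a majority or at least three auths voted for them".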