
Re: jurisdictional concentration of authorities



On Mon, 22 Jun 2009 01:22:30 -0400 Roger Dingledine <arma@xxxxxxx> wrote:
>On Sun, Jun 21, 2009 at 09:43:51PM -0500, Scott Bennett wrote:
>>      Perhaps it may be time to revisit an old discussion here with the
>> developers.  At present, just seven directory authorities are listed in the
>> directory.
>
>Actually, only five v3 authorities are up right now. The sixth
>(dannenberg) appears down.
>
>The others you're seeing are moria2 (v1 and v2 authority, but not v3),
>and Tonga (bridge authority).
>
>>  Three of these fall within the jurisdiction of the United States,
>> and the remainder fall within the jurisdiction of the European Union.
>
>Yep. Of the current 6 v3 authorities, there are:
>moria1 (US)
>ides (US)
>tor26 (Austria)
>gabelmoo (Germany)
>dizum (Netherlands)
>dannenberg (Germany)
>
>We're planning to add a seventh soon (lostinthenoise, US). But it's
>currently a real pain to add an authority; see proposal 165 for details.

     Where would I find that, please?  The only pointer I have at present
for the proposals is

	http://www.torproject.org/svn/trunk/doc/spec/proposals/

which stops at 159, so I gather the above is no longer the right place to
look for proposals.
>
>See also
>https://git.torproject.org/checkout/tor/master/doc/contrib/authority-policy.txt
>for more discussion.

     Yes.  That document does note, for example, under the heading of
"Diversity",

	- A small group of authorities with the same country/jurisdiction/OS is
	  not a problem, until that group's size approaches quorum (half the
	  authorities).

The "until" portion seems to apply at present both for the group in the U.S.
and for the group in the E.U.
>
>>  This
>> situation presents a substantial vulnerability to the tor network, IMO,
>> given the degree of cooperation between the two jurisdictions, not to mention
>> the arrangements among the EU's member states and the U.S.
>
>A coordinated DoS of 4 of them might be conceivable. If it happens,
>we'll learn from that and adapt.
>
>Installing backdoors on 4 of them and then keeping them up seems much
>harder.
>
>>      Are we now at an appropriate stage such that the developers could
>> entertain the idea of discreetly soliciting a few more potential authority
>> sites and operators in other jurisdictions?  I submit, for examples, that
>> Brazil, Japan, and probably the Union of South Africa may have adequately
>> fast and reliable Internet infrastructures that such sites might be available
>> in those jurisdictions.
>
>We're happy to add more authorities, once we get proposal 165 in. We
>totally should.
>
>The limiting factor in these countries you name is trustworthy dedicated
>competent humans who also have good Internet providers. Without actual
>people we know and trust, it doesn't really seem like a good move.
>
     This is why I was suggesting that you and the other core developers
pursue the matter discreetly (i.e., behind the scenes) to get someone with
the right setup and whom you trust, as opposed to advertising somewhere like
this list.  At least some of you travel to conferences of various sorts where
you are likely to encounter other dedicated tor enthusiasts.  I don't know
how long you want to have known them or how closely or whether some might
have some professional reputations that would engender your trust, but
somehow authority operators in more parts of the world must be found.
     The countries I listed were just an attempt to pick countries that,
AFAIK, do have the necessary infrastructure in at least some of their cities
and do not have terribly close political/administrative ties to either the
U.S. or the E.U.  I did not mean to limit the opportunities to that list
of countries at all, but I do think it would be a good idea, given the current
political climates in the U.S. and the E.U. to move away quickly from having
all of the authorities vulnerable to those governments.
     A corollary is that it would seem a poor idea to add any new authorities
in either the U.S. or the E.U. until enough new authorities elsewhere have
been added that new authorities in the U.S. or the E.U. would not cause their
respective groups to reach the condition I cited above from the document on
authorities that you referred to.  If there are currently only two V3
authorities in the U.S., for example, then adding "lostinthenoise" would
"approach quorum (half the authorities)" without fixing the existing problem
that the E.U. authorities already exceed half.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
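
The concentration check discussed in this message, as an added example (not part of the original post and not Tor code). It uses the six v3 authorities and countries listed above and the "half the authorities" threshold from the quoted policy line; the US/EU grouping and all function names are assumptions of this sketch.

```python
from collections import Counter

# v3 authorities and countries as listed in the message above.
V3_AUTHORITIES = {
    "moria1": "US", "ides": "US", "tor26": "Austria",
    "gabelmoo": "Germany", "dizum": "Netherlands", "dannenberg": "Germany",
}

# Assumption: countries are grouped into the two blocs the thread talks about.
BLOC = {"US": "US", "Austria": "EU", "Germany": "EU", "Netherlands": "EU"}


def bloc_counts(auths):
    """Count authorities per jurisdiction bloc (unknown countries stand alone)."""
    return Counter(BLOC.get(country, country) for country in auths.values())


def concentration(auths):
    """Return {bloc: (count, total, reaches_half)} for the authority set."""
    total = len(auths)
    return {b: (n, total, 2 * n >= total) for b, n in bloc_counts(auths).items()}


def headroom(auths, bloc):
    """How many more authorities in `bloc` until it holds half of the set."""
    n, total = bloc_counts(auths)[bloc], len(auths)
    # Adding j to the bloc gives (n + j) of (total + j); half when j >= total - 2n.
    return max(0, total - 2 * n)


def outside_needed(auths, bloc):
    """Fewest authorities outside `bloc` to add so it drops below half."""
    n, total = bloc_counts(auths)[bloc], len(auths)
    # Need 2n < total + k, so k = 2n - total + 1 when that is positive.
    return max(0, 2 * n - total + 1)


if __name__ == "__main__":
    planned = dict(V3_AUTHORITIES, lostinthenoise="US")  # the planned seventh
    for label, auths in (("current six", V3_AUTHORITIES), ("with seventh", planned)):
        for bloc, (n, total, at_half) in sorted(concentration(auths).items()):
            print(f"{label}: {bloc} {n}/{total} reaches_half={at_half} "
                  f"headroom={headroom(auths, bloc)} "
                  f"outside_needed={outside_needed(auths, bloc)}")
```
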