Roger Dingledine wrote:
> On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote:
> > -------- Original Message --------
> > Subject: Re: - Medium - Tor servers, Tor community wants to disable your nodes - General
> > Date: Mon, 17 May 2010 13:46:04 +0200
> > From: Perfect Privacy Administration <admin@xxxxxxxxxxxxxxxxxxx>
> > Organization: PP Internet Services
>
> [snip]
>
> > A proposal to the TOR developers: I don't know if it's technically possible, but maybe one could introduce a "BelongingToFamily" entry or a similarly named command in future versions of TOR which could work as such, as that every server which contains the same "BelongingToFamily" entry (e.g. "BelongingToFamily xyz") belongs to the family "xyz". That way one wouldn't have to enumerate all server names in the "MyFamily" section of each and every individual torrc file, which causes an enormous effort if one adds a lot of servers (and donates a lot of traffic) to the Tor network. As mentioned, we currently would have to edit 45+ torrc files on 45+ TOR servers whenever a server is added or removed, and the number of our servers is constantly increasing.
>
> The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. We need to have each set of relays in a family declare the others, or it's open to attacks like this.
In situations like Perfect Privacy's where there are a significant number of nodes that are dynamically changing, which all need to be in one family, the basic proposal seems useful enough that I wonder if it can be rehabilitated to take care of the concerns Roger just expressed. So let me just float an idea here that maybe others can flesh-out/simplify/correct ...

What if families could be "declared" by giving them a name (say XYZ123) and publishing a public key for them. Then to add a node to the family, the server operator would issue a BelongToFamily XYZ123 declaration that is somehow signed by the corresponding private key. If the details can be worked out correctly, then only the person/organization with access to the private key can add servers to that family. I think that would take care of Roger's concern about relay operators adding their server to others' families.

If this is too much information to reasonably contain in a torrc file, then perhaps it could be included in a separate file. Either one the Tor client automatically looks for or one referenced in torrc.

Does anything like that seem viable? Maybe the developers can comment about the doability and whether it addresses all of the security concerns? And maybe Perfect Privacy can somehow be pulled into the conversation to see if such a thing would be useful for people in their situation.

Jim

P.S. The above was written while off-line. After seeing the newer posts, I realize my proposal might essentially be the same as The23rdRaccoon's. I am not sure. But I don't remember seeing anything about using a signature to limit who could add themselves to a family in Bruce's original proposal.
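A sketch of the signed-family idea from the message above, as an added example that is not part of the original thread and not Tor's implementation. It assumes Ed25519 as the signature scheme and a client-side map of published family keys; the names `Declaration`, `Endorse`, `InFamily` and `SameFamily` and the relay IDs are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Declaration is a hypothetical signed "BelongToFamily" statement: the family
// key holder signs the family name bound to one relay's identity.
type Declaration struct {
	Family, RelayID string
	Sig             []byte
}

// message binds family and relay together so a signature issued for one relay
// cannot be reused by another; length prefixes keep the encoding unambiguous.
func message(family, relayID string) []byte {
	return []byte(fmt.Sprintf("family-member-v1|%d:%s|%d:%s", len(family), family, len(relayID), relayID))
}

// Endorse is run by the family operator, the only holder of the private key.
func Endorse(priv ed25519.PrivateKey, family, relayID string) Declaration {
	return Declaration{Family: family, RelayID: relayID, Sig: ed25519.Sign(priv, message(family, relayID))}
}

// InFamily is the client-side check: the declaration must name the relay that
// presents it and must verify under the key published for that family.
func InFamily(published map[string]ed25519.PublicKey, presenterID string, d Declaration) bool {
	pub, ok := published[d.Family]
	if !ok || d.RelayID != presenterID {
		return false
	}
	return ed25519.Verify(pub, message(d.Family, d.RelayID), d.Sig)
}

// SameFamily groups two relays only if both hold valid declarations.
func SameFamily(published map[string]ed25519.PublicKey, idA string, a Declaration, idB string, b Declaration) bool {
	return a.Family == b.Family && InFamily(published, idA, a) && InFamily(published, idB, b)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo family key
	_, rogue, _ := ed25519.GenerateKey(nil)  // key of an unrelated operator
	published := map[string]ed25519.PublicKey{"XYZ123": pub}
	a, b := Endorse(priv, "XYZ123", "RELAY-A"), Endorse(priv, "XYZ123", "RELAY-B")
	forged := Endorse(rogue, "XYZ123", "RELAY-EVIL") // one-sided claim, wrong key
	fmt.Println(SameFamily(published, "RELAY-A", a, "RELAY-B", b)) // true
	fmt.Println(InFamily(published, "RELAY-EVIL", forged))         // false
	fmt.Println(InFamily(published, "RELAY-EVIL", a))              // false: copied declaration
}
```

Adding a relay then means signing one new declaration rather than editing every existing torrc, while a relay without the family's private key cannot place itself in the family.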