[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.

Roger Dingledine wrote:
On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote:
-------- Original Message --------
Subject: Re: - Medium - Tor servers, Tor community wants to disable your
nodes - General
Date: Mon, 17 May 2010 13:46:04 +0200
From: Perfect Privacy Administration <admin@xxxxxxxxxxxxxxxxxxx>
Organization: PP Internet Services
A proposal to the TOR developers:  I don't know if it's technically
possible, but maybe one could introduce a "BelongingToFamily" entry or a
similarly named command in future versions of TOR which could work as
such, as that every server which contains the same "BelongingToFamily"
entry (e.g. "BelongingToFamily xyz") belongs to the family "xyz".

That way one wouldn't have to enumerate all server names in the
"MyFamily" section of each and every individual torrc file what causes
an enormous effort if one adds a lot of servers (and donates a lot of
traffic) to the Tor network.  As mentioned, we currently would have to
edit 45+ torrc files on 45+ TOR servers whenever a server is added or
removed, and the number of our servers is constantly increasing.

The trouble here is that if we make family declarations one-sided, then
I can tell everybody that I'm in blutmagie's family (and X's family and
Y's family and Z's family and ...), and suddenly I'm influencing the
path selection of other clients in a way I shouldn't be able to.

We need to have each set of relays in a family declare the others,
or it's open to attacks like this.

In situations like Perfect Privacy's where there are a significant
number of nodes that are dynamically changing. which all need to be in
one family, the basic proposal seems useful enough that I wonder if it
can be rehabilitated to take care of the concerns Roger just expressed.
So let me just float an idea here that maybe others can
flesh-out/simplify/correct ...

What if families could be "declared" by giving them a name (say XYZ123)
and publishing a public key for them.  Then to add a node to the family,
the server operator would issue a BelongToFamily XYZ123 declaration that
is somehow signed by the corresponding private key.  If the details can
be worked out correctly, then only the person/organization with access
to the private key can add servers to that family. I think  that would
take care of Roger' concern about relay operators adding their server to
others' families.  If this is too much information to reasonably contain
in a torrc file, then perhaps it could be included in a separate file.
Either one the Tor client automatically looks for or one referenced in

Does anything like that seem viable?  Maybe the developers can comment
about the doability and whether it addresses all of the security
concerns?    And maybe Perfect Privacy can somehow be pulled into the
conversation to see if such a thing would be useful for people in their


P.S. The above was written while off-line. After seeing the newer posts, I realize my proposal might essentially be the same as The23rdRaccoon's. I am not sure. But I don't remember seeing anything about using a signature to limit who could add themselves to a family in Bruce's original proposal.
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/