
Re: [tor-relays] Giving away some "pre-warmed" relay keys for adoption



On Mon, 27 Jul 2015 11:14:00 -0400
Paul Syverson <paul.syverson@xxxxxxxxxxxx> wrote:
> I've been following this thread but haven't had time (and won't for
> several days at least) to formulate a thorough thoughtful response,
> but your statements are too absolute and without qualification.

I used strong wording because there's a lot of thought/vetting that
should go into doing something like this safely, though in hindsight,
it probably was overly strong.  That said....

[snip]
> Let's assume purely for simplicity that the transfer can be done in a
> secure fashion. Then if, for example, someone transferred keys to
> long-known trusted persons w/in the Tor community (say some of the
> dir-auths and others at similar levels of trust) in a way that 
> (a) actually diminished the network concentration of trust among
> people by spreading his family to others where the result is more
> flat, and (b) paid attention to AS, country (by Geo-IP), etc. so that
> neither AS nor country changed. This should probably be fine.

I think the trust component here is the biggest thing to worry about.

[snip]
> There are probably other scenarios where this would be an OK action.
> And it's not just a security/performance trade-off. Having those
> relays just disappear reduces the diversity and capacity of the
> network, which has security implications too.

But by design:

 a) The relays will move network location (unless the new operator picks
    the same data centers) therefore, the consensus weight should be
    re-measured.

    (To the peanut gallery, yes, I know the bwauths are held together by
     duct tape, string, chewing gum, and occult animal sacrifices.
     We're currently migrating from chicken based rituals to goat based
     ones, and "assuming the bwauths work" is probably about as
     reasonable as "assume enough vetting" or "assume secure key
     transfer".)

    If "b" from your list is done, then this can be skipped.

 b) The operator has changed (the network/code itself doesn't and can't
    realistically know how much vetting the new operator has had),
    therefore, its flags should be treated as if the relay was brand new.

If there was a way to objectively quantify trust, then I can see
short-circuiting the various flag assignment delays, but, that
appears to be an open research problem.

Essentially, if the person running them changes, and the network
location changes (possibly for the better, diversity is good after
all), what's the difference between someone just spinning up new
replacement high capacity relays that isn't ("if the person is 'trusted
enough *waves hand*', it's sort of ok to bypass delays in letting the
relays do certain things that are added for security reasons").

> Here is another example wrt another factor.  (If I'm going on too long
> here and losing you, skip the rest of this paragraph.) Someone could
> be maintaining several relays reasonably well but realize that their
> ability to securely maintain them is going to diminish slightly for
> some reason, still probably keeping them among the upper half of
> relays wrt security practice and circumstance. However, they realize
> that they can securely transfer authority over those relays to people
> who are both more trusted/reputed w/in the Tor community and in a
> better position to maintain their security going forward.  In that
> case, they would be improving the security of the network by
> (securely) handing over the private keys than by continuing to
> maintain the relays themselves.

Sure.  I can see this as well, though I think the same counterargument
applies.

> It is fine to note that this is something that could only make sense
> if done carefully. But claiming that the transfer of authority over
> private keys from one person to another must always be irresponsible
> diminishes the value of your primary point by overstating the
> argument.

I'm not totally convinced, but I don't run a DirAuth, and it's up to
each DirAuth operator on what to do.

Apart from a short term decrease in network capacity/diversity, I see
spinning up new relays as an equally good alternative here (with enough
prior notice to teardown, even the current bwauths will get around to
measuring things, assuming the chicken entrails are spread correctly),
without all the tricky issues of secure data transfer and "trust".

Paranoid regards,

-- 
Yawning Angel
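The two rules argued in the mail above, (a) re-measure consensus weight when a relay changes network location and (b) restart the flag-eligibility clock when the operator changes, can be written down as a small state-update function. The following is an added illustration, not Tor's directory-authority code and not anything posted in this thread: the `RelayState`/`Observation` records, the use of the contact string as a stand-in for "who runs this relay", the 8-day threshold, the AS numbers and the fingerprint are all constructed for the example.

```python
"""Hypothetical model of the key-transfer policy from the mail above.

Rule (a): if the relay's AS or Geo-IP country changed, drop the stored
          bandwidth-authority weight so it is re-measured.
Rule (b): if the operator changed, additionally reset first_seen so every
          age-gated flag delay starts over.  Since (b) also discards the
          weight, doing (b) makes (a) redundant, as the mail notes.

Illustrative code only; it is not how Tor's dirauths actually track relays.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RelayState:
    """What a (hypothetical) authority remembers about one relay identity."""
    fingerprint: str
    contact: str                  # stand-in for "who operates this relay"
    asn: int                      # autonomous system number (constructed)
    country: str                  # Geo-IP country code
    first_seen: datetime          # start of the flag-eligibility clock
    measured_weight: Optional[int]  # bwauth weight; None = unmeasured


@dataclass(frozen=True)
class Observation:
    """The operator / location the relay shows up with in the newest descriptor."""
    contact: str
    asn: int
    country: str


# Constructed threshold for this example; not the value from dir-spec.
EXAMPLE_MIN_DAYS_KNOWN = 8
# Fixed "now" so the example is reproducible offline (constructed).
EXAMPLE_NOW = datetime(2015, 7, 27, 16, 0)


def operator_changed(state: RelayState, obs: Observation) -> bool:
    return state.contact != obs.contact


def location_changed(state: RelayState, obs: Observation) -> bool:
    return state.asn != obs.asn or state.country != obs.country


def reassess(state: RelayState, obs: Observation, now: datetime) -> RelayState:
    """Apply rules (b) then (a); an unchanged relay keeps its history."""
    if operator_changed(state, obs):
        # Rule (b): treat the relay as brand new under the new operator.
        return replace(state, contact=obs.contact, asn=obs.asn,
                       country=obs.country, first_seen=now, measured_weight=None)
    if location_changed(state, obs):
        # Rule (a): same operator, new network location -> re-measure only.
        return replace(state, asn=obs.asn, country=obs.country, measured_weight=None)
    return state


def days_known(state: RelayState, now: datetime) -> int:
    return (now - state.first_seen).days


def eligible_for_age_gated_flag(state: RelayState, now: datetime) -> bool:
    """Stand-in for any flag whose assignment is delayed by relay age."""
    return days_known(state, now) >= EXAMPLE_MIN_DAYS_KNOWN


def demo():
    """Three outcomes for one 100-day-old relay (all values constructed)."""
    stored = RelayState(
        fingerprint="EXAMPLE_FINGERPRINT_0000",
        contact="alice@example.invalid",
        asn=64496,  # documentation-reserved AS numbers (RFC 5398)
        country="DE",
        first_seen=EXAMPLE_NOW - timedelta(days=100),
        measured_weight=5000,
    )
    same = reassess(stored, Observation("alice@example.invalid", 64496, "DE"), EXAMPLE_NOW)
    moved = reassess(stored, Observation("alice@example.invalid", 64497, "NL"), EXAMPLE_NOW)
    handed_over = reassess(stored, Observation("bob@example.invalid", 64496, "DE"), EXAMPLE_NOW)
    return same, moved, handed_over


if __name__ == "__main__":
    for label, st in zip(("unchanged", "moved", "handed over"), demo()):
        print(label, days_known(st, EXAMPLE_NOW), st.measured_weight,
              eligible_for_age_gated_flag(st, EXAMPLE_NOW))
```

The ordering in `reassess` is the point of the mail's "if b is done, a can be skipped" remark: an operator change already discards the weight, so the location check only matters when the same operator moves the relay. Whether a contact string is a usable proxy for "who runs it" is exactly the trust question the thread leaves open; the model just makes the consequence of each answer explicit.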


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays