
Re: [tor-relays] A Simple Web of Trust for Tor Relay Operator IDs



I think I have some general questions to begin with:

1) What part should the proposal you brought up play in the overall goal
of limiting impact of malicious relays? You write

"""
Therefore we propose to publish relay operator trust information to
limit the fraction and impact of malicious tor network capacity.
"""

but I don't understand how *publishing* that information is supposed to
limit malicious relays.

You are right, publishing it alone does not change anything; it is just the important first step.

I updated the text to make this part clearer
https://github.com/nusenu/tor-relay-operator-ids-trust-information/blob/main/README.md#motivation


So, what is in your opinion the larger picture
here?

It is outlined by Roger here:

    https://gitlab.torproject.org/tpo/network-health/metrics/relay-search/-/issues/40001
    https://lists.torproject.org/pipermail/tor-relays/2020-July/018656.html


It seems to me this is not unimportant and as your proposal is
essentially raising the bar yet again for running relays

This document does not introduce any additional requirements when setting up a tor relay.


https://example.com/.well-known/tor-relay/trust/requirements.txt

This file contains the rules they apply before they add a new entry to
the list of trusted operator IDs in English.

How is that supposed to work in practice? There are some English
sentences saying what the TA thought reasonable as requirements which
means they have to be manually reviewed so one actually understands what
trust in that case means?

That was not fleshed out yet, but I took your feedback to make it a lot simpler:
Now a TA's trust simply means
we assert this operator does run tor relays WITHOUT malicious intent
https://github.com/nusenu/tor-relay-operator-ids-trust-information/blob/main/README.md#trust-anchor-ta

3) I like the whole proposal outline with a threat model, security
considerations and so on. That's really helpful for thinking about this
topic. I wonder whether you think there should actually be a "Network
health considerations" section, too, in your proposal because one could
think it might have potential effects e.g. on relay diversity.

I added a few remarks in the last section
that TA selection will have an impact on "social diversity"


We just wrote a proposal for a sponsor where we have one activity about
creating a database about relays and annotating them with trust
information.

What is your motivation to annotate at the individual relay level instead
of assigning information at the operator level?

E.g. Roger could note all the relay operators he knows and
trusts, the same could Gus do and I and so on.

How do you know whether a relay is operated by some given
entity (at scale)?

However, one risk we
thought worth mentioning to the sponsor was that publishing annotations
aka trust information might alienate relay operators from contributing
to the network as they might feel their contribution is not enough or
not valued enough.

I think that boils down to TA diversity.
You probably want to use more TAs than Roger, Gus and you.
Well regarded organizations like the EFF, CCC, known people at hackerspaces, ...
can probably help you span a global network, but even these are at some level trusted by some
and untrusted by others. If users get the impression that the tor network is run by
Roger's friends only, their perceived risk that they might collude against someone else might increase.

kind regards,
nusenu

--
https://nusenu.github.io