commit f9ce33d250dc807f2126f325ed63e6c5893db80d
Author: Nick Mathewson nickm@torproject.org
Date: Tue Feb 22 17:00:45 2011 -0500

Add proposal 178-param-voting.txt from Sebastian
---
 proposals/000-index.txt | 2 +
 proposals/178-param-voting.txt | 85 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 0 deletions(-)
diff --git a/proposals/000-index.txt b/proposals/000-index.txt index 580ce36..ebeeb90 100644 --- a/proposals/000-index.txt +++ b/proposals/000-index.txt @@ -98,6 +98,7 @@ Proposals by number: 175 Automatically promoting Tor clients to nodes [DRAFT] 176 Proposed version-3 link handshake for Tor [DRAFT] 177 Abstaining from votes on individual flags [DRAFT] +178 Require majority of authorities to vote for consensus parameters [DRAFT]
Proposals by status: @@ -113,6 +114,7 @@ Proposals by status: 175 Automatically promoting Tor clients to nodes 176 Proposed version-3 link handshake for Tor [for 0.2.3] 177 Abstaining from votes on individual flags + 178 Require majority of authorities to vote for consensus parameters NEEDS-REVISION: 131 Help users to verify they are using Tor OPEN: diff --git a/proposals/178-param-voting.txt b/proposals/178-param-voting.txt new file mode 100644 index 0000000..ff3d055 --- /dev/null +++ b/proposals/178-param-voting.txt 
@@ -0,0 +1,85 @@ +Filename: 178-param-voting.txt +Title: Require majority of authorities to vote for consensus parameters +Author: Sebastian Hahn +Created: 16-Feb-2011 +Status: Draft + +Overview: + +The consensus that the directory authorities create may contain one or +more parameters (32-bit signed integers) that influence the behavior +of Tor nodes (see proposal 167, "Vote on network parameters in +consensus" for more details). + +Currently (as of consensus method 11), a consensus will end up +containing a parameter if at least one directory authority votes for +that paramater. The value of the parameter will be the low-median of +all the votes for this parameter. + +This proposal aims at changing this voting process to be more secure +against tampering by a non-majority of directory authorities. + +Motivation: + +To prevent a minority of the directory authorities from influencing +the value of a parameter unduly, the majority of directory authorities +has to vote for that parameter. This is not currently happening, and +it was in fact not uncommon for a single authority to govern the value +of a consensus parameter. + +Design: + +When the consensus is generated, the directory authorities ensure that +a param is only included in the list of params if at least half of the +total number of authorities votes for that param. The value chosen is +the low-median of all the votes. We don't mandate that the authorities +have to vote on exactly the same value for it to be included because +some consensus parameters could be the result of active measurements +that individual authorities make. + +Security implications: + +This change is aimed at improving the security of Tor nodes against +attacks carried out by a minority of directory authorities. 
It is +possible that a consensus parameter that would be helpful to the +network is not included because not enough directory authorities +voted for it, but since clients are required to have sane defaults +in case the parameter is absent this does not carry a security risk. + +Specification: + +dir-spec section 3.4 currently says: + + Entries are given on the "params" line for every keyword on which any + authority voted. The values given are the low-median of all votes on + that keyword. + +It is proposed that the above is changed to: + + Entries are given on the "params" line for every keyword on which a + majority of authorities (total authorities, not just those + participating this vote) voted on. The values given are the + low-median of all votes on that keyword. XXX note previous behaviour. + +The following should be added to the bottom of section 3.4.: + + * If consensus method 12 or later is used, only consensus + parameters that more than half of the total number of + authorities voted for are included in the consensus. + +The following line should be added to the bottom of section 3.4.1.: + + "12" -- Params are only included if a majority voted for them + +Compatibility: + +A sufficient number of directory authorities must upgrade to the new +consensus method used to calculate the params in the way this proposal +calls for, otherwise the old mechanism is used. Nodes that do not act +as directory authorities do not need to be upgraded and should +experience no change in behaviour. + +Implementation: + +An example implementation of this feature can be found in +https://gitweb.torproject.org/sebastian/tor.git, branch safer_params.
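Review bot: The inclusion threshold in 178-param-voting.txt is stated two different ways: the Design section says a param is included "if at least half of the total number of authorities votes for that param", while the text proposed for dir-spec section 3.4 says "a majority of authorities" and "more than half of the total number of authorities". With an even number of authorities these disagree, since exactly half satisfies the Design wording but not the Specification wording, and the Motivation asks for a majority. Suggest changing the Design paragraph to "more than half" so that all three places match. Two smaller points in the same file: the replacement text for section 3.4 still ends with the placeholder "XXX note previous behaviour", which should be resolved before this text is merged into dir-spec, and "paramater" in the Overview should read "parameter".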