On Sun, Dec 22, 2013 at 4:07 AM, Karsten Loesing karsten@torproject.org wrote: [...]
Hi Nick,
I'm probably missing something important here, but I don't know what.
Right now, if a directory authority learns from the votes that more than 2/3 of authorities support a consensus method higher that it can support itself, it falls back to consensus method 1. That authority then produces a consensus that won't have enough signatures for any client to use it, so it's useless.
The proposal suggests that this authority produces a consensus using a higher method than 1, but still lower than what the other authorities are going to produce. But this consensus will still not contain enough signatures.
What's the point?
The last paragraph in the proposal makes most sense to me:
We might want to have the behavior when we see that everybody else will be using a method we don't support be "Don't make a consensus at all." That's harder to program, though.
Can you say why this solution is harder to program? It seems like the cleaner design.
The issue is that right now, I think the consensus code in Tor doesn't have a "don't publish a consensus" case.
But even if it's too difficult to program (or would likely add new bugs), why not keep the fall-back-to-method-1 workaround? Does it cause any harm?
So IIRC there are two important ideas in proposal 215.
* One is to define a new minimum consensus method which everybody must support.
* The other is to eventually drop support for earlier consensus methods.
Note that the change to the fallback behavior when we can't support the chosen consensus method isn't one of the two important changes. It's a side-effect of dropping support for ancient consensus methods. So my reasoning for not retaining the "fall back to method 1" logic is that eventually I would like Tor not to *have* any method-1 code left in it, since we should never use it.