On Mon, May 2, 2011 at 5:23 AM, Sebastian Hahn hahn.seb@web.de wrote:
On Mar 2, 2011, at 8:06 AM, Nick Mathewson wrote:
On Tue, Feb 22, 2011 at 1:34 AM, Sebastian Hahn hahn.seb@web.de wrote:
Design:
When the consensus is generated, the directory authorities ensure that a param is only included in the list of params if at least half of the total number of authorities votes for that param. The value chosen is the low-median of all the votes. We don't mandate that the authorities have to vote on exactly the same value for it to be included because some consensus parameters could be the result of active measurements that individual authorities make.
This is possibly bikeshed, but I would suggest that instead of requiring half of existing authorities to vote on a particular parameter, we require 3 or more to vote on it. (As a degenerate case, fall back to "at least half" if there are fewer than 6 authorities in the clique.)
Hrm. I'm not too happy with this,
My rationale was that in practice, it's a pain in practice to try to get more than 3 or so authority operators to try out an experimental parameter in a timely basis. If the set of authority operators ever grows, getting half of the ops to tweak a parameter in a hurry will get even harder.
unless we also include a way for a majority of authorities to prevent voting on that parameter altogether.
What if we say that as a matter of design, there should always be, for each parameter, a value that's semantically equivalent to the absence of the parameter? That way a majority of authorities can "turn off" any parameter without any additional machinery during the vote.