This makes me wonder: Would it be helpful to start compiling a big list of things which could go wrong with a Tor implementation without making it obviously broken? I think a checklist like that might help people working on compatible implementations to have some idea what to look for once you have something that interoperates. Would you have found that useful? Would you find that useful now?

Yes, for sure.

I would have found that very useful because the delta between a working implementation and a secure implementation is quite large and a checklist would allow me to go down the list and at least *know* that I'm missing things. Some of these details may even be underspecified and there would be no easy way for me to find out about them.

--brl