It is a nice surprise to see activity in this area of tor, thank you for working on this.
Option 3 requires regular updates to all the relays in the family, which makes it cumbersome. Its advantage is that if a relay is compromised, you don't need to re-key the family.
Options 1 and 2 are less secure, since you have to re-key your whole family if the key is ever compromised. But they have the advantage that they don't take any maintenance in the regular case.
Option 1 is a little more convenient than option 2, since you can use any old random file. But that makes it more error prone: if somebody chooses an insecure password as their random file, an attacker could guess it and become a family member.
I believe from an operational point of view options 1 and 2 are practically identical, since most will simply use the provided tor parameter to generate the secret/key. To prevent weak random files, tor could refuse to use files that are shorter than N.
If all three of these options were available, which of these would you choose? Is there anything else that we could do to make this system simpler or easier to use?
If I'm left to my own devices, I will probably just implement option 2 for now, but leave the door open for option 3 in the future.
I was about to suggest implementing options 2 and 3, so it is great to see you are considering both options. This also matches the current possibilities with OfflineMasterKey 0|1.
I believe both options make sense because there are small and large families which have different levels of maturity in their tooling and operations (and different levels of risk). Smaller operators might do everything manually and are happy to use option 2; bigger ones probably use some form of configuration management like ansible and offlinemasterkeys already, so option 3 would basically come at no additional cost for them because they can renew family certs when they update the other certs in one go. The family certs should support the same ranges as torrc's SigningKeyLifetime.
Since I maintain an ansible tor role that is used by many of the largest families: I'll certainly integrate option 3 in relayor. When compared with option 0 (current MyFamily design), option 2 has weaker properties, so I would stay on option 0 until option 3 becomes available.
kind regards, nusenu