On Mon, 27 Jul 2015 11:14:00 -0400 Paul Syverson <paul.syverson@nrl.navy.mil> wrote:
> I've been following this thread but haven't had time (and won't for several days at least) to formulate a thorough thoughtful response, but your statements are too absolute and without qualification.
I used strong wording because there's a lot of thought/vetting that should go into doing something like this safely, though in hindsight, it probably was overly strong. That said....
[snip]
> Let's assume purely for simplicity that the transfer can be done in a secure fashion. Then if, for example, someone transferred keys to long-known trusted persons w/in the Tor community (say some of the dir-auths and others at similar levels of trust) in a way that (a) actually diminished the network concentration of trust among people by spreading his family to others where the result is more flat, and (b) paid attention to AS, country (by Geo-IP), etc. so that neither AS nor country changed. This should probably be fine.
I think the trust component here is the biggest thing to worry about.
[snip]
> There are probably other scenarios where this would be an OK action. And it's not just a security/performance trade-off. Having those relays just disappear reduces the diversity and capacity of the network, which has security implications too.
But by design:
a) The relays will move network location (unless the new operator picks the same data centers) therefore, the consensus weight should be re-measured.
(To the peanut gallery: yes, I know the bwauths are held together by duct tape, string, chewing gum, and occult animal sacrifices. We're currently migrating from chicken-based rituals to goat-based ones, and "assuming the bwauths work" is probably about as reasonable as "assume enough vetting" or "assume secure key transfer".)
If "b" from your list is done, then this can be skipped.
b) The operator has changed (the network/code itself doesn't and can't realistically know how much vetting the new operator has had); therefore, its flags should be treated as if the relay was brand new.
If there was a way to objectively quantify trust, then I can see short-circuiting the various flag assignment delays, but, that appears to be an open research problem.
Essentially, if the person running them changes, and the network location changes (possibly for the better; diversity is good after all), what's the difference between this and someone just spinning up new replacement high-capacity relays, apart from "if the person is 'trusted enough *waves hand*', it's sort of ok to bypass delays in letting the relays do certain things that are added for security reasons"?
> Here is another example wrt another factor. (If I'm going on too long here and losing you, skip the rest of this paragraph.) Someone could be maintaining several relays reasonably well but realize that their ability to securely maintain them is going to diminish slightly for some reason, still probably keeping them among the upper half of relays wrt security practice and circumstance. However, they realize that they can securely transfer authority over those relays to people who are both more trusted/reputed w/in the Tor community and in a better position to maintain their security going forward. In that case, they would be improving the security of the network by (securely) handing over the private keys than by continuing to maintain the relays themselves.
Sure. I can see this as well, though I think the same counterargument applies.
> It is fine to note that this is something that could only make sense if done carefully. But claiming that the transfer of authority over private keys from one person to another must always be irresponsible diminishes the value of your primary point by overstating the argument.
I'm not totally convinced, but I don't run a DirAuth, and it's up to each DirAuth operator on what to do.
Apart from a short-term decrease in network capacity/diversity, I see spinning up new relays as an equally good alternative here (with enough prior notice of the teardown, even the current bwauths will get around to measuring things, assuming the chicken entrails are spread correctly), without all the tricky issues of secure data transfer and "trust".
Paranoid regards,