On Sun, 26 Jul 2015 07:13:44 +0500 Roman Mamedov rm@romanrm.net wrote:
> Either way you won't do much damage even if any of this ends up being false, as the consensus weight and the stable status will drop more rapidly than they are gathered if your node can't maintain them.
Giving away the identity keys for high capacity relays that actual users are using as Guards seems irresponsible at best, and downright malicious assuming a realistic threat model for the Tor Network as a whole.
> Yes, in an ideal world the bwauths will scan new relays faster.
> Meanwhile in reality the outcome is often [1].
Orthogonal problem, and it's being worked on under an OTF Fellowship.
A fun task for someone who likes messing with consensus documents and descriptors would be to write a script to measure IP address churn for relays while the relay identity remains constant (either legitimately, e.g. being on a dynamic IP or the person having to move the rack the relay was on, or through key compromise/derp).
> I do this extensively on my relays, as one VPS or dedicated server expires, gets terminated or canceled for various reasons, a different one takes its place, inheriting the same identity. If I had to always wait for new relays to spin up from scratch in each case, a lot of the time I probably wouldn't even bother.
While the bwauth delay is unfortunate (which is why it's being worked on), the delay in assigning Stable/Guard and HSDir are for user safety.
I'm somewhat torn on the whole key pinning thing, because I think an individual operator moving their relay around is sort of ok (though in an ideal world the consensus weight should get reset and rapidly re-measured), but giving away the private component of a relay's identity key is putting users at risk, and is behavior that should be discouraged if not outright prohibited if possible (and key pinning would be a heavy-handed way to rule out this sort of stupidity).
I personally care less about the absolute size of the Tor network, and if it's a choice between users' Guards changing ownership, and a smaller Tor network I will pick the latter every single time.
> Running 20 relays in a declared family at the moment, together comprising about 1.8% of aggregate Tor bandwidth; however, due to financial reasons I will have to shut down most of these over the coming weeks and months, so I see little difference if the next machine inheriting a particular identity this time will be managed and paid for by someone else and not by me. Just throwing these away seemed like a waste.
If I have to write a script to figure out the fingerprints of your relays just to keep users safe I will. I have 3 million other things I'd rather be doing, but keeping the user safe from the bad guys (no matter how good their intentions) is the most important thing I could be doing.
Regards,
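The churn measurement described above ("measure IP address churn for relays while the relay identity remains constant") is easy to sketch. The following is an added example, not code from either poster: it parses the "r"/"s" lines of network-status consensus documents in the directory-spec format, keyed by the relay identity, and reports how often each identity's address changed and how many of those changes happened while the relay still carried the Guard flag. The three consensus excerpts are constructed sample data with placeholder identity/digest values and RFC 5737 documentation addresses, not real relays.

```python
# Added example (not from the thread): measure IP address churn per relay
# identity across a sequence of consensus snapshots. Assumes the
# network-status "r"/"s" line format from the Tor directory spec; the
# consensus excerpts below are constructed sample data, not real relays.
from collections import defaultdict


def parse_consensus(text):
    """Return {identity_b64: {"nick", "ip", "flags"}} for one consensus.

    An "r" line is: r nickname identity digest date time IP ORPort DirPort
    and is followed (among other lines) by an "s" line listing its flags.
    """
    relays = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = parts[2]
            relays[current] = {"nick": parts[1], "ip": parts[6], "flags": set()}
        elif parts[0] == "s" and current is not None:
            relays[current]["flags"] = set(parts[1:])
    return relays


def ip_churn(consensuses):
    """Track each identity across consensuses given in chronological order.

    Returns {identity: {"nick", "ips", "changes", "guard_moves"}} where
    "ips" is the ordered list of distinct addresses seen, "changes" counts
    address changes, and "guard_moves" counts the changes made while the
    relay still carried the Guard flag (the case the thread worries about).
    """
    history = defaultdict(
        lambda: {"nick": None, "ips": [], "changes": 0, "guard_moves": 0})
    for text in consensuses:
        for ident, info in parse_consensus(text).items():
            h = history[ident]
            h["nick"] = info["nick"]
            if h["ips"] and h["ips"][-1] != info["ip"]:
                h["changes"] += 1
                if "Guard" in info["flags"]:
                    h["guard_moves"] += 1
            if not h["ips"] or h["ips"][-1] != info["ip"]:
                h["ips"].append(info["ip"])
    return dict(history)


def churning_identities(history, min_changes=1):
    """Identities whose address changed at least min_changes times."""
    return sorted(i for i, h in history.items() if h["changes"] >= min_changes)


# Constructed sample: three consecutive consensuses. "IDSTEADY"/"IDMOVER"
# and "DIG1"/"DIG2" stand in for the base64 identity and descriptor digests.
SAMPLE_CONSENSUSES = [
    """r steady IDSTEADY DIG1 2015-07-25 01:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable Valid
r mover IDMOVER DIG2 2015-07-25 01:00:00 198.51.100.5 9001 0
s Fast Guard Running Stable Valid
""",
    """r steady IDSTEADY DIG1 2015-07-25 02:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable Valid
r mover IDMOVER DIG2 2015-07-25 02:00:00 203.0.113.7 9001 0
s Fast Guard Running Stable Valid
""",
    # Third snapshot: "mover" changes address again but has lost Guard.
    """r steady IDSTEADY DIG1 2015-07-25 03:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable Valid
r mover IDMOVER DIG2 2015-07-25 03:00:00 203.0.113.9 9001 0
s Fast Running Valid
""",
]

if __name__ == "__main__":
    for ident, h in ip_churn(SAMPLE_CONSENSUSES).items():
        print(f"{h['nick']:8} changes={h['changes']} guard_moves={h['guard_moves']} "
              + " -> ".join(h["ips"]))
```

Run against real archived consensuses (one document per hour), the same functions give a per-identity history; a relay whose address keeps moving while it holds Guard is the signal worth a closer look, since that is exactly the "same identity, different machine" pattern the thread is about.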