1. Why?
Automating the MyFamily is more work than it is worth. I'm all for making it easy to declare myfamily, however I am not sure a URI with a list of fingerprints is a better alternative. This introduces potential operating system, TLS, and web server vulnerabilities into the equation, versus updating a text file with fingerprints.
As an aside, my employer is a global datacenter provider and could run tens of thousands of relays overnight, but the aforementioned MyFamily management is not worth the effort. Therefore, we do not run relays, to the detriment of the tor network and users.
2. How much of a problem is this really?
Are there massive fake relay families? It seems the problem is really about "cyber security" snakeoil companies running a handful of relays without setting MyFamily. Just detect and block them.
3. Questionable ethics?
I find it questionable that you reference a tor-dev 'thread", which is simply just your post, https://lists.torproject.org/pipermail/tor-dev/2020-July/014401.html. You then post to tor-relays referencing the tor-dev thread, as if this is some canonical, authoritative resource. You did this again in the submission to IANA. M. Nottingham correctly calls it out by asking for a formal tor response/submission.
Further verifying relay operators is a slippery slope to slide down. We already get enough visits from the police forces for running bridges and relays. Making it really easy to verify and authenticate that a relay operator does run a relay or set of relays will not be more beneficial.
Jonas
---------- Original Message ---------- On Sat, August 1, 2020 at 6:29:46 AM nusenu-lists@riseup.net wrote: Hi,
as already sent to the tor-dev mailing list a week ago I planning to submit a well-known URI registration ( https://tools.ietf.org/html/rfc8615 ) so the verifyurl is at a static place and no longer needs to be specified explicitly.
Please let me know if you have any comments.
https://nusenu.github.io/tor-relay-well-known-uri-spec/
kind regards, nusenu