On Sun, Jul 26, 2015 at 08:41:13AM +0000, Yawning Angel wrote:
> On Sun, 26 Jul 2015 07:13:44 +0500 Roman Mamedov rm@romanrm.net wrote:
> > Either way you won't do much damage even if any of this ends up being false, as the consensus weight and the stable status will drop more rapidly than they are gathered if your node can't maintain them.
>
> Giving away the identity keys for high capacity relays that actual users are using as Guards seems irresponsible at best, and downright malicious assuming a realistic threat model for the Tor Network as a whole.
I've been following this thread but haven't had time (and won't for several days at least) to formulate a thorough thoughtful response, but your statements are too absolute and without qualification.
I'm not saying that specifically the intended actions (whatever they may be) in this case are reasonable. I am saying that your responses are too broad.
Let's assume purely for simplicity that the transfer can be done in a secure fashion. Then if, for example, someone transferred keys to long-known trusted persons w/in the Tor community (say some of the dir-auths and others at similar levels of trust) in a way that (a) actually diminished the network concentration of trust among people by spreading his family to others where the result is more flat, and (b) paid attention to AS, country (by Geo-IP), etc. so that neither AS nor country changed, this should probably be fine.
(I actually don't think (b) is needed if this is a relatively rare occurrence. Given other aspects of network churn and the very limited way that Tor currently manages location awareness, that is not the low-hanging fruit.)
There are probably other scenarios where this would be an OK action. And it's not just a security/performance trade-off. Having those relays just disappear reduces the diversity and capacity of the network, which has security implications too. Here is another example wrt another factor. (If I'm going on too long here and losing you, skip the rest of this paragraph.) Someone could be maintaining several relays reasonably well but realize that their ability to securely maintain them is going to diminish slightly for some reason, still probably keeping them among the upper half of relays wrt security practice and circumstance. However, they realize that they can securely transfer authority over those relays to people who are both more trusted/reputed w/in the Tor community and in a better position to maintain their security going forward. In that case, they would be improving the security of the network by (securely) handing over the private keys rather than by continuing to maintain the relays themselves.
It is fine to note that this is something that could only make sense if done carefully. But claiming that the transfer of authority over private keys from one person to another must always be irresponsible diminishes the value of your primary point by overstating the argument.
aloha, Paul