Thanks for the detailed reply, nusenu. Looks like you thought this through really well.
It would be nice if Tor core people would chip in on this as well! @arma, @teor maybe?
See my further comments inline.
On Sun, 2020-07-05 at 22:50 +0200, nusenu wrote:
I believe you can have a valid ContactInfo and privacy.
I do too, but I hope that prospective operators think so as well.
Of course, in your proposal that information would only be shared with the directory authorities
That is not necessarily the case if the ContactInfo field is used without encryption; basically, it is not specified yet.
but do we have any numbers on how many relay operators are okay with this?
I can only give you numbers based on the current tor network data (but that is not an answer to your question since it does not reveal anything about the operator's intention)
~71% of tor's guard capacity has a non-empty ContactInfo. About 700 guard relays have no ContactInfo set and are older than 1 month.
~89% of tor's exit capacity has a non-empty ContactInfo. Only about 60 exit relays have no ContactInfo set and are older than 1 month.
Those numbers look encouraging to me. It's good to see that most operators are doing things the right way, i.e. being reachable in case something happens to their relay. Still not 100% though.
The reasoning behind the specific threshold will be covered in more detail in the upcoming blog post.
Now you're making me really curious.
In fact, my initial email went to many operators (after the mailing list was not happy with so many recipients I did resend it to the list without the others in TO, so unfortunately you no longer see the full list of recipients), but yes, that is the point of this email - getting feedback from operators, especially from big ones. A few replied already.
That's great! Let's see what they think.
It is definitely an interesting idea, one that I have not thought of at least. But I'm not sure if it would be effective at preventing what it tries to prevent.
Yes, that is basically the key question and since there appears to be a lot of money involved in running malicious relays, they certainly have enough money to buy some office services in some random place and get a physical address verified but one of the other factors of the proposal is also the additional time required for an attacker to go through the process and that it can no longer be automated completely.
It would be very interesting to know who pays for that. If we figure that out, then maybe we can persuade them to donate that money to the Tor Project instead. \s
Imre