Thus spake Mike Perry (mikeperry@torproject.org):
You're failing to see the distinction made between adversaries, which was the entire point of the motivating section of the document. Rekeying *will* thwart some adversaries.
I suspect getting the keys through either mechanism might be trivial compared to getting the infrastructure in place to use the keys for a non-theoretical attack that is cost-effective.
The infrastructure is already there for other reasons. See, for example, the CALEA broadband intercept enhancements of 2007 in the USA. Those can absolutely be used to target specific Tor users and completely transparently deanonymize their Tor traffic today, with one-time key theft (via NSL subpoena) of Guard node keys.
Btw, before the above causes someone to jot "Enemy Combatant" down in a file somewhere, I just want to clarify that I believe "lawful intercept" is a total sham, dangerously weakening critical infrastructure for little gain. Once deployed (too late!), it can and will be exploited by a wide variety of actors (too late!).
Also, replace "NSL subpoena" with "any variety of intimidating thugs with guns (and/or money)". They're pretty much the same level of "due process" IMO.
Further, I think we can expect many/most relay operators to run straight to the EFF/ACLU/FBI in the event of coercion (destination depends on adversary). However, I do *not* believe we can expect the same from arbitrary datacenter admins. Hence, I feel that one-time key theft is a valid and realistic adversary, given current weaknesses in the Tor protocol and client software.