Proposal 165: Easy migration for voting authority sets

Nick Mathewson nickm at torproject.org
Thu May 28 22:00:15 UTC 2009 

On Thu, May 28, 2009 at 05:02:09PM -0400, Paul Syverson wrote:
> On Thu, May 28, 2009 at 04:23:57PM -0400, Nick Mathewson wrote:
> > On Thu, May 28, 2009 at 03:58:42PM -0400, Paul Syverson wrote:
> > > Hi Nick et al.,
> > > 
> > > Two things:
> > > 
> > > 1. I think you mean that an authority votes with whatever the largest
> > > set is that it lists that is listed by the most members of that set. 
> > > (I added "largest" to your criterion.)
> > > 
> > > I guess there is an ambiguity of 'most' but if you have a set and a
> > > proper subset, both of which are listed by all the members of each,
> > > then the ones in the smaller set have no basis to prefer the larger
> > > one and will never drop the smaller one. If by 'most' you implicitly
> > > mean biggest rather than largest fraction, it is confusing since
> > > it is no longer relative to the givne voting set but relative to
> > > others.
> > 
> > Okay, I'll try again.  What I meant is that, given two sets S1 and S2 that an
> > authority lists, that authority will prefer S1 over S2 whenever the
> > number of other authorities in S1 that themselves list S1 is higher
> > than the number of other authorities in S2 that themselves list S2.
> > 
> 
> Much clearer, at least to me.

Okay.  Next time I revise this proposal, I'll put it in.

[...]
> > Here you're missing the line that says
> > 
> >    Once enough authorities list the new set as acceptable, we start
> >    having authorities stop listing the old set.  Once there are more
> >    listing the new set than the old set, the new set will win.
> > 
> > In other words, once the operators notice that enough authorities are
> > listing the set-minus-Bob, they manually stop listing
> > sets-including-Bob.  Assuming that there are N authorities (including
> > Bob), once N-1 authorities list the set without Bob, we need just 2
> > authorities to drop the set including Bob and we'll be fine.
> > 
> 
> I didn't miss the line. My point is that you won't ever get
> any honest authorities to drop the set including Bob, so you will
> never make it to 2 without changing something in the protocol.
> if either of those two authorities drop the list that includes Bob,
> they will not be honest (following the proposed protocol), because
> they are supposed to prefer the voting set for which the number of
> authorities that list themselves in it is higher not just the
> one that is moving in the direction they would like to go.
> It's the criterion for delisting a set that does not work.

Oh!  Okay, no, I've explained the protocol wrong.

When I say that authorities prefer the more-approved set, that _only
applies to choosing who the voters are in a given round of voting_.
It doesn't apply to deciding which sets to list in a vote.

Deciding which sets to list is a manual decision made by the authority
operators.  My intent was that the operator of an honest is absolutely
allowed to de-list an obsolete but larger set.  Authority operators
need to coordinate their actions here out-of-band.

Did that clear it up?

peace,
-- 
Nick

More information about the tor-dev mailing list