Proposal 165: Easy migration for voting authority sets

Paul Syverson syverson at
Fri May 29 02:21:54 UTC 2009

On Thu, May 28, 2009 at 06:00:15PM -0400, Nick Mathewson wrote:
> On Thu, May 28, 2009 at 05:02:09PM -0400, Paul Syverson wrote:
> > On Thu, May 28, 2009 at 04:23:57PM -0400, Nick Mathewson wrote:
> > > On Thu, May 28, 2009 at 03:58:42PM -0400, Paul Syverson wrote:
> > > > Hi Nick et al.,
> > > > > 
> [...]
> > > Here you're missing the line that says
> > > 
> > >    Once enough authorities list the new set as acceptable, we start
> > >    having authorities stop listing the old set.  Once there are more
> > >    listing the new set than the old set, the new set will win.
> > > 
> > > In other words, once the operators notice that enough authorities are
> > > listing the set-minus-Bob, they manually stop listing
> > > sets-including-Bob.  Assuming that there are N authorities (including
> > > Bob), once N-1 authorities list the set without Bob, we need just 2
> > > authorities to drop the set including Bob and we'll be fine.
> > > 
> > 
> > I didn't miss the line. My point is that you won't ever get
> > any honest authorities to drop the set including Bob, so you will
> > never make it to 2 without changing something in the protocol.
> > If either of those two authorities drop the list that includes Bob,
> > they will not be honest (following the proposed protocol), because
> > they are supposed to prefer the voting set for which the number of
> > authorities that list themselves in it is higher, not just the
> > one that is moving in the direction they would like to go.
> > It's the criterion for delisting a set that does not work.
>
> Oh!  Okay, no, I've explained the protocol wrong.
>
> When I say that authorities prefer the more-approved set, that _only
> applies to choosing who the voters are in a given round of voting_.
> It doesn't apply to deciding which sets to list in a vote.
>
> Deciding which sets to list is a manual decision made by the authority
> operators.  My intent was that the operator of an honest authority is
> absolutely allowed to de-list an obsolete but larger set.  Authority
> operators need to coordinate their actions here out-of-band.
>
> Did that clear it up?

Yes and no. That's fine, but if they can coordinate on who is
an authority out-of-band, why is this protocol needed?

If by "coordinate their actions here out-of-band" you just meant
that they would agree the plan is to, e.g., drop Bob or, e.g., add
Charlie to the existing set once sufficient agreement has percolated
through, then we are in complete agreement except that I think
this should be explicitly included in the protocol to avoid confusion.

> peace,

et cum spiritu tuo

(Won't you eat my sleazy pancakes just for Saintly Alphonzo)
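
The counting argument in this thread, as an added example (not code from the proposal, from Tor, or from either poster): it models the two separate steps discussed above, the automatic preference for the more-approved set when choosing voters and the manual de-listing by operators. The authority names, the function names, and the choice to treat a tie as "no set preferred" are assumptions; the thread does not say how a tie is resolved.

```python
from collections import Counter

def approvals(listings):
    """Per set: how many authorities both list it and are members of it."""
    counts = Counter()
    for authority, acceptable in listings.items():
        for voting_set in set(acceptable):
            if authority in voting_set:
                counts[voting_set] += 1
    return counts

def preferred_set(listings):
    """Set used to pick this round's voters; None on a tie (assumption)."""
    ranked = approvals(listings).most_common(2)
    if not ranked:
        return None
    if len(ranked) == 2 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]

def delistings_needed(n):
    """Drop Bob from n authorities; return how many operators must de-list
    the old set before the new set is preferred."""
    names = [f"auth{i}" for i in range(1, n)] + ["Bob"]   # constructed names
    old = frozenset(names)
    new = old - {"Bob"}
    # N-1 authorities already list both sets; Bob lists only the old one.
    listings = {a: [old, new] for a in new}
    listings["Bob"] = [old]
    dropped = 0
    for operator in sorted(new):
        if preferred_set(listings) == new:
            break
        listings[operator] = [new]   # manual, out-of-band operator decision
        dropped += 1
    return dropped

if __name__ == "__main__":
    for n in (5, 9):
        print(n, "authorities ->", delistings_needed(n), "de-listings")
```

With these assumptions, one de-listing only produces a tie (N-1 against N-1); the second one leaves the old set with N-2 approvals and the new set wins.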

