[tor-relays] Giving away some "pre-warmed" relay keys for adoption

Paul Syverson paul.syverson at nrl.navy.mil
Mon Jul 27 15:14:00 UTC 2015


On Sun, Jul 26, 2015 at 08:41:13AM +0000, Yawning Angel wrote:
> On Sun, 26 Jul 2015 07:13:44 +0500
> Roman Mamedov <rm at romanrm.net> wrote:
> > Either way you won't do much damage even if any of this ends up being
> > false, as the consensus weight and the stable status will drop more
> > rapidly than they are gathered if your node can't maintain them.
> 
> Giving away the identity keys for high capacity relays that actual
> users are using as Guards seems irresponsible at best, and downright
> malicious assuming a realistic threat model for the Tor Network as a
> whole.
> 

I've been following this thread but haven't had time (and won't for
several days at least) to formulate a thorough thoughtful response,
but your statements are too absolute and without qualification.

I'm not saying that specifically the intended actions (whatever they
may be) in this case are reasonable. I am saying that your responses
are too broad.

Let's assume purely for simplicity that the transfer can be done in a
secure fashion. Then if, for example, someone transferred keys to
long-known trusted persons w/in the Tor community (say some of the
dir-auths and others at similar levels of trust) in a way that 
(a) actually diminished the network concentration of trust among
people by spreading his family to others where the result is more
flat, and (b) paid attention to AS, country (by Geo-IP), etc. so that
neither AS nor country changed. This should probably be fine.

(I actually don't think (b) is needed if this is a relatively rare
occurrence.  Given other aspects of network churn and the very limited
way that Tor currently manages location awareness, that is not the
low-hanging fruit.)

There are probably other scenarios where this would be an OK action.
And it's not just a security/performance trade-off. Having those
relays just disappear reduces the diversity and capacity of the network,
which has security implications too. 
Here is another example wrt another factor.  (If I'm going on too long
here and losing you, skip the rest of this paragraph.) Someone could
be maintaining several relays reasonably well but realize that their
ability to securely maintain them is going to diminish slightly for
some reason, still probably keeping them among the upper half of
relays wrt security practice and circumstance. However, they realize
that they can securely transfer authority over those relays to people
who are both more trusted/reputed w/in the Tor community and in a
better position to maintain their security going forward.  In that
case, they would be improving the security of the network more by
(securely) handing over the private keys than by continuing to
maintain the relays themselves.

It is fine to note that this is something that could only make sense
if done carefully. But claiming that the transfer of authority over
private keys from one person to another must always be irresponsible
diminishes the value of your primary point by overstating the
argument.

aloha,
Paul

