[tor-relays] A Simple Web of Trust for Tor Relay Operator IDs

Sun Nov 7 21:21:44 UTC 2021

Hi,

> Sounds good. I read a couple of days ago[1] that there will be a new
> iteration of your draft available (shortly). I am happy to give
> further feedback while going over the new version, once it is ready.

the changes are already done, but were less significant than expected
since some comments turned out to be a misunderstanding.
I'd still like to add a diagram that might help with making the roles and possible links clearer.

>>> We just wrote a proposal for a sponsor where we have one activity
>>> about creating a database about relays and annotating them with
>>> trust information.
>> 
>> What is your motivation to annotate at the individual relay level
>> instead of assigning information at the operator level?
> 
> If we really want to move forward with the plan to limit the fraction
> of network traffic untrusted relays can see, then we need to track
> trust on the relay level. Otherwise how should tor take trust into
> account when building its paths? 

Yes, in the end you need relay identifiers but that does not mean you have
to track trust on the relay ID level and it would feel strange to me to assign
different trust levels to two relays operated by the same person (in an initial simple trust scheme).

In my opinion it is reasonable to say "I trust these 40 exit operators", when they add or replace their relays
I still trust their new relays if there is a verifiable link between their operator and relay ID.
The operator IDs to relay IDs can be mapped automatically,
I don't see any benefit in doing that manually, quite contrary, doing it manually is likely more error prone
and a lot more time consuming and likely even less transparent.

> Operators do not play a role here

The operator of a relay is the strongest and first trust criteria for me.
"I trust relay X  more than relay Y because I know and trust Alice
and Alice has proven she runs relay X and I don't know anything about relay Y's operator"

If a relay's operator is not a factor in your trust decision,
I'm curious what is your input for deciding whether to trust relay X or not?

>>> E.g. Roger could note all the relay operators he knows and 
>>> trusts, the same could Gus do and I and so on.
>> 
>> How you you know whether a relay is operated by some given entity
>> (at scale)?
> 
> The scale comes from different folks knowing different relay operator
> (groups) and from doing the annotation over time taking things like
> e.g. MyFamily settings into account.

I'm wondering why you would prefer to manually assign relays to operators
when you can automate that process?

to summarize:
we seem to have different input factors for trust, I primarily use operator's trust and reputation to decide
whether to trust a given relay and I don't want to manually link relays to their operator (have done that before and don't want to go back to that ;).
you have some other input factors in your trust scheme and you prefer to manually maintain a database with relay IDs + trust info.

kind regards,
nusenu

bonus content: ;)

> There are other areas where the focus on relays instead of operators
> is essential. E.g. we do not kick out operators from the network when
> doing bad-relay work. 

there have been multiple cases where large fractions of a family were found to be malicious
and the reaction was (in my opinion correctly) to remove the entire set

relays have already been rejected based on their ContactInfo - see the CypherpunkLabs example
where the malicious actor used another operators (unverifiable) ContactInfo and in the end  all of them (including the non-malicious once) got removed.
https://nusenu.medium.com/tracking-one-year-of-malicious-tor-exit-relay-activities-part-ii-85c80875c5df

Anyway this thread is not about rejecting bad relays.

-- 
https://nusenu.github.io