[tor-relays] A Simple Web of Trust for Tor Relay Operator IDs

nusenu nusenu-lists at riseup.net
Sat Oct 9 18:18:22 UTC 2021

> I think I have some general questions to begin with:
> 1) What part should the proposal you brought up play in the overall goal
> of limiting impact of malicious relays? You write
> """
> Therefore we propose to publish relay operator trust information to
> limit the fraction and impact of malicious tor network capacity.
> """
> but I don't understand how *publishing* that information is supposed to
> limit malicious relays. 

you are right, publishing it alone does not change anything it is just the important first step.

I updated the text to make this part clearer

> So, what is in your opinion the larger picture
> here? 

It is outlined by Roger here:


> It seems to me this is not unimportant and as your proposal is
> essentially raising the bar yet again for running relays

This document does not introduce any additional requirements when setting up a tor relay.

> https://example.com/.well-known/tor-relay/trust/requirements.txt
> This file contains the rules they apply before they add a new entry to
> the list of trusted operator IDs in english.
> How is that supposed to work in practice? There are some English
> sentences saying what the TA thought reasonable as requirements which
> means they have to be manually reviewed so one actually understands what
> trust in that case means?

That was not fleshed out yet, but I took your feedback to make it a lot simpler:
Now a TA's trust simply means
we assert this operator does run tor relays WITHOUT malicious intent

> 3) I like the whole proposal outline with a threat model, security
> considerations and so on. That's really helpful for thinking about this
> topic. I wonder whether you think there should actually be a "Network
> health considerations" section, too, in your proposal because one could
> think it might have potential effects e.g. on relay diversity. 

I added a few remarks in the last section
that TA selection will have an impact on "social diversity"

> We just wrote a proposal for a sponsor where we have one activity about
> creating a database about relays and annotating them with trust
> information. 

What is your motivation to annotate at the individual relay level instead
of assigning information at the operator level?

> E.g. Roger could note all the relay operators he knows and
> trusts, the same could Gus do and I and so on.

How you you know whether a relay is operated by some given
entity (at scale)?

> However, one risk we
> thought worth mentioning to the sponsor was that publishing annotations
> aka trust information might alienate relay operators from contributing
> to the network as they might feel their contribution is not enough or
> not valued enough.

I think that boils down to TA diversity.
You probably want to use more TAs than Roger, Gus and you.
Well regarded organizations like the EFF, CCC, known people at hackerspaces, ...
can probably help you span a global network, but even these are at some level trusted by some
and untrusted by others. If user's get the impression that the tor network is run by
Roger's friends only their perceived risk that they might collude against someone else might increase.

kind regards,


More information about the tor-relays mailing list