Hi, all!
I noticed that proposal 236 doesn't mention directory guards. (See proposal 207, implemented in Tor 0.2.4.) I think that we should consider retaining multiple directory guards while going to a single guard for multi-hop circuits.
My rationale here is that when we have only a single directory guard, it can more easily perform hard-to-detect route biasing attacks by pretending not to have descriptors for nodes it doesn't like. Its ability to do this is limited by fact that we won't build circuits unless 95% of all paths are buildable (see get_frac_paths_needed_for_circuits() and its users). But still, trusting a single source for the completeness and freshness of your directory info is suboptimal.
I also think that most of the arguments for single-guard apply to circuit guards more than to directory guards. But there could be some left, and we should figure those out.
peace,