Hi,
First, thanks a lot both of you for your in-depth comments, I know it takes time, but they've been very helpful!
Then I mean to ask you about what you said regarding the fallback directory keys. So keys are not embedded but only hashes, OK. As you pointed out, CoSi would need to download full descriptors in order to safely get the private keys of all the witnesses. This solution would need to be clearly defined, as you said, in order to be correct. However, there exists another solution and I'd like to know if it looks reasonable in the context of Tor.
=> Considering that the two roles of Fallback directory mirrors are different (serving the consensus document to Tor / collectively signing on it), we thought it would make sense to create new keys for this role and embed those into the Tor source code. These keys would have to be ed25519 keys (same size as the ID), so the size overhead is minimal (32 bytes * 100 = 3.2KB vs 1.5MB). The only reason I can think of why Tor includes hashes instead of public keys is because of local storage: How does Tor consider an increase of storage need by 3.2KB? Is it acceptable or not?
That would:
* Bring down the need for exchanging the descriptors between the fallbacks (no more bandwidth)
* No complex scenario such as "fallback key download mechanism"
* Simplify the verification on the client side also (no need to get the keys if you already have them).
* Add an additional step for the relay operators, where they would need to create that key and inform the Tor people about their public key.
Maybe you thought of this solution and there's a reason why you did not mention it, or maybe you did not; then what do you think of it?
Cheers,
Nicolas