Let's try a simple special case. In an idealized Tor network, what would the distribution of exit nodes look like?
* Would each exit node have the same bandwidth? Or would there instead be only one exit node per AS?
* Would the number of exit nodes constitute exactly 1/3 of all Tor nodes? Would the total exit node bandwidth constitute 1/3 of all Tor bandwidth?
* Would their distribution of AS numbers match the distribution of AS numbers of Tor clients? The distribution of Internet users?
Exit nodes seem a nice place to start concretizing what's meant when we say we want relay diversity. Comments immensely appreciated because as-is I don't know the answers to these questions.
-V
On Wed, 23 Sep 2015 06:18:58 +0000 Virgil Griffith i@virgil.gr wrote:
> - Would the number of exit nodes constitute exactly 1/3 of all Tor nodes? Would the total exit node bandwidth constitute 1/3 of all Tor bandwidth?
No. There needs to be more interior bandwidth than externally facing bandwidth since not all Tor traffic traverses through an Exit (Directory queries, anything to do with HSes).
The total Exit bandwidth required is always <= the total amount of Guard + Bridge bandwidth, but I do not have HS utilization or Directory query overhead figures to give an accurate representation of how much less.
Regards,
On Wed, Sep 23, 2015 at 06:26:47AM +0000, Yawning Angel wrote:
> On Wed, 23 Sep 2015 06:18:58 +0000 Virgil Griffith i@virgil.gr wrote:
>> - Would the number of exit nodes constitute exactly 1/3 of all Tor nodes? Would the total exit node bandwidth constitute 1/3 of all Tor bandwidth?
> No. There needs to be more interior bandwidth than externally facing bandwidth since not all Tor traffic traverses through an Exit (Directory queries, anything to do with HSes).
> The total Exit bandwidth required is always <= the total amount of Guard + Bridge bandwidth, but I do not have HS utilization or Directory query overhead figures to give an accurate representation of how much less.
On the flip side, in *my* idealized Tor network, all of the relays are exit relays.
If only 1/3 of all Tor relays are exit relays, then the diversity of possible exit points is much lower than if you could exit from all the relays. That lack of diversity would mean that it's easier for a relay adversary to operate or compromise relays to attack traffic, and it's easier for a network adversary to see more of the network than we'd like.
(In an idealized Tor network, the claim about the network adversary might not actually be true. If you have exit relays in just the right locations, and capacity is infinite compared to demand, then the network adversary will learn the same amount whether the other relays are exit relays or not. But I think it is a stronger assumption to assume that we have exactly the right distribution of exit relay locations -- especially because "the right distribution" is a function of which adversary you're considering, and once you consider k adversaries at once, no single distribution will be optimal for all of them.)
--Roger
> because "the right distribution" is a function of which adversary you're considering, and once you consider k adversaries at once, no single distribution will be optimal for all of them.)
Granted. But since we're speaking idealizations, I say take the expected-value over the distributions weighted by the probability of each adversary. In application this would be a distribution that although unlikely to be optimal against any specific adversary, it has robust hardness across a wide variety of adversaries.
Or, if that distribution is unclear, pick the distribution of exit-relay with the highest minimum hardness. This reminds me of the average-entropy vs min-entropy question for quantifying anonymity. I'd be content with either solution, and in regards to Roster I'm not sure the difference will matter much. I am simply asking the more knowledgeable for their opinion and recommendation. Is there one?
-V
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
On Wed, Sep 23, 2015 at 11:34:54AM +0000, Virgil Griffith wrote:
>> because "the right distribution" is a function of which adversary you're considering, and once you consider k adversaries at once, no single distribution will be optimal for all of them.)
I agree with Roger that ideally all relays can be exits (and since we're being ideal, we'll assume that 'exit' means to every port). And the network location distribution of relays by bandwidth is proportional to both the client destination selection over time and general Internet traffic over time, which match each other since we're being ideal, and also matter since we're using an ideal trust-aware path selection algorithm. And network wide route selection is such that there is no congestion (generalizing Roger's assumption of infinite exit capacity). Also all fast-relay operators (which here is the same as all relay operators) don't merely get a T shirt but a pony wearing a T shirt. Put differently, I need your ceteris paribus clause spelled out a lot more so I know what things I can assume in this ideal world and where I have to live with the actual world (to the extent that we even know what that looks like).
> Granted. But since we're speaking idealizations, I say take the expected-value over the distributions weighted by the probability of each adversary. In application this would be a distribution that although unlikely to be optimal against any specific adversary, it has robust hardness across a wide variety of adversaries.
In our ongoing work on trust-aware path selection, we assume a trust distribution that will be the default used by a Tor client if another distribution is not specified. (Most users will not have a reasoned understanding of who they actually need to worry most about, and even if they somehow got that right would not have a good handle on how that adversary's resources are distributed.) We call this adversary "The Man", who is equally likely to be everywhere (each AS) on the network. For relay adversaries, we assume that standing up and running a relay has costs so weight a bit to make relays that have been around a long time slightly more likely to be trusted.
> Or, if that distribution is unclear, pick the distribution of exit-relay with the highest minimum hardness. This reminds me of the average-entropy vs min-entropy question for quantifying anonymity. I'd be content with either solution, and in regards to Roster I'm not sure the difference will matter much. I am simply asking the more knowledgeable for their opinion and recommendation. Is there one?
I don't think you can meaningfully do this. It's going to be based on a particularly bad closed-world assumption (worse than the one underlying so many website fingerprinting analyses). You would have to assume that you know all the adversaries that all the user types have and, if you are averaging in some way, then also the average amount of exit utilization that each user type represents. Ignore the technical impossibility of doing this in a privacy-safe way and then ignore the technical impossibility of doing this in a privacy-unsafe way. You would then be faced with the political nightmare of issuing default policies that tell users they should route with a weighting that says country foo has an x percent chance of being your adversary, but country bar has a y percent chance. (Likewise also have similar statements that substitute 'large multinational corp.', 'major criminal organization', 'specific big government agency that is getting all the press lately' etc. for "country" in the last sentence.)
aloha, Paul
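A toy calculation of the two selection rules proposed in this exchange (prior-weighted expected value vs. highest minimum hardness), evaluated under the uniform per-AS "The Man" adversary and under a skewed prior. This is an added example, not code from any poster or from Tor or Roster; the AS names, candidate distributions, priors, and the definition of "hardness" as the probability of exiting outside the adversary's ASes are all assumptions made for illustration.

```python
import math
from fractions import Fraction as F

# Constructed toy network: four ASes and three candidate exit distributions
# (probability that a circuit exits in each AS). All values are made up.
ASES = ["AS-A", "AS-B", "AS-C", "AS-D"]
CANDIDATES = {
    "uniform":  {"AS-A": F(1, 4), "AS-B": F(1, 4), "AS-C": F(1, 4), "AS-D": F(1, 4)},
    "avoid_a":  {"AS-A": F(0),    "AS-B": F(1, 3), "AS-C": F(1, 3), "AS-D": F(1, 3)},
    "balanced": {"AS-A": F(1, 2), "AS-B": F(1, 6), "AS-C": F(1, 6), "AS-D": F(1, 6)},
}


def the_man(ases):
    """Default adversary from the thread: equally likely to be at each AS.
    Modelled here (assumption) as one single-AS adversary per AS, uniform prior."""
    return [(F(1, len(ases)), {a}) for a in ases]


THE_MAN = the_man(ASES)
# Assumed skewed prior: a likely adversary watching AS-A, an unlikely one
# watching everything else. Together they cover the whole toy network.
SKEWED = [(F(9, 10), {"AS-A"}), (F(1, 10), {"AS-B", "AS-C", "AS-D"})]


def hardness(dist, observed):
    """Assumed metric: probability the exit lies outside the observed ASes."""
    return 1 - sum(p for asn, p in dist.items() if asn in observed)


def expected_hardness(dist, adversaries):
    """Hardness averaged over adversaries, weighted by their prior."""
    return sum(prior * hardness(dist, obs) for prior, obs in adversaries)


def min_hardness(dist, adversaries):
    """Worst-case hardness over all adversaries, ignoring the prior."""
    return min(hardness(dist, obs) for _prior, obs in adversaries)


def best(candidates, adversaries, score):
    """Name of the candidate that maximises `score` (first one wins ties)."""
    return max(candidates, key=lambda name: score(candidates[name], adversaries))


def shannon_entropy(dist):
    """Average-case entropy of the exit distribution, in bits."""
    return -sum(float(p) * math.log2(float(p)) for p in dist.values() if p > 0)


def min_entropy(dist):
    """Worst-case entropy: determined only by the most likely exit AS."""
    return -math.log2(float(max(dist.values())))


if __name__ == "__main__":
    for label, adv in (("The Man", THE_MAN), ("skewed", SKEWED)):
        print(f"adversary model: {label}")
        for name, dist in CANDIDATES.items():
            print(f"  {name:9s} expected={float(expected_hardness(dist, adv)):.3f} "
                  f"min={float(min_hardness(dist, adv)):.3f}")
        print(f"  expected-value rule picks: {best(CANDIDATES, adv, expected_hardness)}")
        print(f"  max-min rule picks:        {best(CANDIDATES, adv, min_hardness)}")
    for name, dist in CANDIDATES.items():
        print(f"{name:9s} H={shannon_entropy(dist):.3f} bits  "
              f"H_min={min_entropy(dist):.3f} bits")
```

In this model the expected-value rule cannot tell the candidates apart under "The Man" (every distribution scores 3/4), while under the skewed prior the two rules pick different distributions, and Shannon entropy and min-entropy rank `avoid_a` and `balanced` in opposite orders.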
> In application this would be a distribution that although unlikely to be optimal against any specific adversary, it has robust hardness across a wide variety of adversaries.
So, the F-35?
Perhaps what needs considered is whether that is even possible; and against which adversaries is TOR designed to resist?
On Wed, Sep 23, 2015 at 06:18:58AM +0000, Virgil Griffith wrote:
> Exit nodes seem a nice place to start concretizing what's meant when we say we want relay diversity. Comments immensely appreciated because as-is I don't know the answers to these questions.
Hi Virgil,
I've been pondering the opposite of this topic, after looking at the recent tor-relays thread about some ISP not wanting to let somebody host an exit relay because they figure a lot of the Tor network is run by government agencies. My usual answer to that concern is "no, we *know* the operators of more than half the capacity in the Tor network, so this cannot be the case". And I think this is increasingly true in the era of activist non-profits that run relays -- Germany's got one, and so do the US, the Netherlands, Sweden, France, Luxembourg, etc etc.
But it would be neat to have a mechanism for learning whether this is actually true, and (whatever the current situation) how it's changing.
The tie-in to Roster would be some sort of "socially connected" badge, which your relay gets because you're sufficiently tied into the Tor relay operator community.
And then we'd have something concrete to point to for backing up, or disputing, the claim that we know a significant fraction of the network.
Of course, the details of when to assign the badge will be tricky and critical: too loose and you undermine the trust in it (it only takes a few "omg the kgb runs a relay and look it's got the badge" cases to make the news), but too strict and you undercount the social connectedness.
In a sense this is like the original 'valid' flag, which you got by mailing me and having me manually approve your relay (and without which you would never be used as the entry or exit point in a circuit). Periodically I wonder if we should go back to a design like that, where users won't pick exit relays that don't have the "socially connected" badge. Then I opt against wanting it, since I worry that we'd lose exactly the kind of diversity we need most, by cutting out the relays whose operators we don't know.
But both sides of that are just guessing. Let's find out!
--Roger
Can we not use the argument "anonymity requires diverse company" on both sides? For whole rational actors it seems like this should work. Tor "exploits the military" into lending cover to activist groups, which they would presumably support.
This may be too naive a view of the situation.
Re: socially connected. That's interesting. I'll see what I can do. Chat more in Berlin.
-V
Apologies for quick post.
If we want a socially connected link, seems we can use the same infrastructure for doing keysigning parties but we just use relay public keys. That seems a nice distributed way of doing this.
Virgil Griffith wrote:
> Tor "exploits the military" into lending cover to activist groups, which they would presumably support. This may be too naive a view of the situation.
Exploit is definitely the wrong word here. Different people who disagree about {policy|topic|whatever} can all see the value of anonymity, without viewing it as ab/using the other contributors.
More relays are always good, but don't necessarily counter the occasional fatalist opinion 'surely n relays are bad and surely n represents enough to de-anonymize me no matter what, so why bother' [0]. Ongoing research does a lot of good here, but some people will never be swayed.
~Griffin
[0] "Is your relay hiding BOLSHEVIKS?"
Could we perhaps expand the contact information field in some way? One thing I was pondering a while ago was a social contact, not just an email address. I raised a very brief point about this with Virgil in Paris last year, but I think I made it very poorly at the time as I just came up with it on the spot.
To assign an email address is good for email communications and using PGP and so forth, but also allowing another handle such as a Twitter username would be a way to create further credibility of diversity. For example, my following on Twitter is quite diverse and it would be hard to argue I was a government proxy or so on. If many operators have Twitter handles where the information and identity is public anyway, having a second option to tie into those social parameters would be more transparent in the people running those relays if they chose to be. For example, I have no problem in being open on some of the projects I am working on, and I'm sure moving into a social sphere could have a positive effect on Tor in general in terms of trust.
For example, let's say the contact box lacks an email, we could see if there was a way for reaching out to people via Twitter to let them know a relay is outdated instead of private email reminders.
Anyway I am rambling on a bit there, but my point is getting people to use not just email, but also tie into a Twitter account or something of that nature would make it clearer that Tor is not run almost exclusively by the military or whatever, since that kind of open data with aliases and Twitter feeds connected to the relay ownership is researchable if people, like Transparency Toolkit, wanted to "check us out" so to speak. To verify the data, we could make Roster have a small verification step, just a "tweet this code to verify this is your account" and then Roster can store the URL to this tweet to maintain an independent proof that alias controls which relay, similar to how Keybase does it.
T
On 24 Sep 2015, at 23:10, Thomas White thomaswhite@riseup.net wrote:
> Could we perhaps expand the contact information field in some way? One thing I was pondering a while ago was a social contact, not just an email address. I raised a very brief point about this with Virgil in Paris last year, but I think I made it very poorly at the time as I just came up with it on the spot.
>
> To assign an email address is good for email communications and using PGP and so forth, but also allowing another handle such as a Twitter username would be a way to create further credibility of diversity. For example, my following on Twitter is quite diverse and it would be hard to argue I was a government proxy or so on. If many operators have Twitter handles where the information and identity is public anyway, having a second option to tie into those social parameters would be more transparent in the people running those relays if they chose to be. For example, I have no problem in being open on some of the projects I am working on, and I'm sure moving into a social sphere could have a positive effect on Tor in general in terms of trust.
>
> For example, let's say the contact box lacks an email, we could see if there was a way for reaching out to people via Twitter to let them know a relay is outdated instead of private email reminders.
>
> Anyway I am rambling on a bit there, but my point is getting people to use not just email, but also tie into a Twitter account or something of that nature would make it clearer that Tor is not run almost exclusively by the military or whatever, since that kind of open data with aliases and Twitter feeds connected to the relay ownership is researchable if people, like Transparency Toolkit, wanted to "check us out" so to speak. To verify the data, we could make Roster have a small verification step, just a "tweet this code to verify this is your account" and then Roster can store the URL to this tweet to maintain an independent proof that alias controls which relay, similar to how Keybase does it.
It would be great to do this in a way that’s independent of social media platform.
Many social media platforms have been invented and gone under in the time the Tor Network has been running.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F