On 09/28/2016 02:01 PM, Chad MILLER wrote:
So? A relay can always have behaved badly. What's the harm in you fraudulently claiming to be in family com.example.chadmiller ? A user's path won't have passed through both you and me, but you could have prevented traffic from passing through you any time. At worst, you get to participate in a user's path and exclude me from participating. That's no worse than you setting your machine on fire and me participating.
1) Bad actor sets up a bunch of relays fraudulently joining the majority of other relays. 2) Path selection of clients will now effectively prefer the bad actor's relays on which he performs eavesdropping, traffic analysis, or other nasty things.
The bad actor could also leave a few of his bad relays without family in order not to uncover himself so easily.
I am in favor of a scheme where the process of joining a family is authenticated.