I think I have some general questions to begin with:
- What part should the proposal you brought up play in the overall goal
of limiting impact of malicious relays? You write
""" Therefore we propose to publish relay operator trust information to limit the fraction and impact of malicious tor network capacity. """
but I don't understand how *publishing* that information is supposed to limit malicious relays.
you are right, publishing it alone does not change anything it is just the important first step.
I updated the text to make this part clearer https://github.com/nusenu/tor-relay-operator-ids-trust-information/blob/main...
So, what is in your opinion the larger picture here?
It is outlined by Roger here:
https://gitlab.torproject.org/tpo/network-health/metrics/relay-search/-/issu... https://lists.torproject.org/pipermail/tor-relays/2020-July/018656.html
It seems to me this is not unimportant and as your proposal is essentially raising the bar yet again for running relays
This document does not introduce any additional requirements when setting up a tor relay.
https://example.com/.well-known/tor-relay/trust/requirements.txt
This file contains the rules they apply before they add a new entry to the list of trusted operator IDs in english.
How is that supposed to work in practice? There are some English sentences saying what the TA thought reasonable as requirements which means they have to be manually reviewed so one actually understands what trust in that case means?
That was not fleshed out yet, but I took your feedback to make it a lot simpler: Now a TA's trust simply means we assert this operator does run tor relays WITHOUT malicious intent https://github.com/nusenu/tor-relay-operator-ids-trust-information/blob/main...
- I like the whole proposal outline with a threat model, security
considerations and so on. That's really helpful for thinking about this topic. I wonder whether you think there should actually be a "Network health considerations" section, too, in your proposal because one could think it might have potential effects e.g. on relay diversity.
I added a few remarks in the last section that TA selection will have an impact on "social diversity"
We just wrote a proposal for a sponsor where we have one activity about creating a database about relays and annotating them with trust information.
What is your motivation to annotate at the individual relay level instead of assigning information at the operator level?
E.g. Roger could note all the relay operators he knows and trusts, the same could Gus do and I and so on.
How you you know whether a relay is operated by some given entity (at scale)?
However, one risk we thought worth mentioning to the sponsor was that publishing annotations aka trust information might alienate relay operators from contributing to the network as they might feel their contribution is not enough or not valued enough.
I think that boils down to TA diversity. You probably want to use more TAs than Roger, Gus and you. Well regarded organizations like the EFF, CCC, known people at hackerspaces, ... can probably help you span a global network, but even these are at some level trusted by some and untrusted by others. If user's get the impression that the tor network is run by Roger's friends only their perceived risk that they might collude against someone else might increase.
kind regards, nusenu