[tor-dev] Review of Proposal 215: Let the minimum consensus method change with time (was: Tor proposal status (December 2013))

Nick Mathewson nickm at alum.mit.edu
Mon Jan 6 17:17:43 UTC 2014


On Sun, Dec 22, 2013 at 4:07 AM, Karsten Loesing <karsten at torproject.org> wrote:
 [...]
> Hi Nick,
>
> I'm probably missing something important here, but I don't know what.
>
> Right now, if a directory authority learns from the votes that more than
> 2/3 of authorities support a consensus method higher that it can support
> itself, it falls back to consensus method 1.  That authority then
> produces a consensus that won't have enough signatures for any client to
> use it, so it's useless.
>
> The proposal suggests that this authority produces a consensus using a
> higher method than 1, but still lower than what the other authorities
> are going to produce.  But this consensus will still not contain enough
> signatures.
>
> What's the point?
>
> The last paragraph in the proposal makes most sense to me:
>
>> We might want to have the behavior when we see that everybody else
>> will be using a method we don't support be "Don't make a consensus
>> at all."  That's harder to program, though.
>
> Can you say why this solution is harder to program?  It seems like the
> cleaner design.

The issue is that right now, I think the consensus code in Tor doesn't
have a "don't publish a consensus" case.

> But even if it's too difficult to program (or would likely add new
> bugs), why not keep the fall-back-to-method-1 workaround?  Does it cause
> any harm?

So IIRC there are two important ideas in proposal 215.

* One is to define a new minimum consensus method which everybody must support.

* The other is to eventually drop support for earlier consensus methods.

Note that the change to the fallback behavior when we can't support
the chosen consensus method isn't one of the two important changes.
It's a side-effect of dropping support for ancient consensus methods.
So my reasoning for not retaining the "fall back to method 1" logic is
that eventually I would like Tor not to *have* any method-1 code left
in it, since we should never use it.

-- 
Nick


More information about the tor-dev mailing list