Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
Jim
Jimmymac at copper.net
Thu May 20 08:28:53 UTC 2010
Roger Dingledine wrote:
> On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote:
>> -------- Original Message --------
>> Subject: Re: - Medium - Tor servers, Tor community wants to disable your
>> nodes - General
>> Date: Mon, 17 May 2010 13:46:04 +0200
>> From: Perfect Privacy Administration <admin at perfect-privacy.com>
>> Organization: PP Internet Services
> [snip]
>> A proposal to the TOR developers: I don't know if it's technically
>> possible, but maybe one could introduce a "BelongingToFamily" entry or a
>> similarly named command in future versions of TOR which could work as
>> such, as that every server which contains the same "BelongingToFamily"
>> entry (e.g. "BelongingToFamily xyz") belongs to the family "xyz".
>>
>> That way one wouldn't have to enumerate all server names in the
>> "MyFamily" section of each and every individual torrc file, which causes
>> an enormous effort if one adds a lot of servers (and donates a lot of
>> traffic) to the Tor network. As mentioned, we currently would have to
>> edit 45+ torrc files on 45+ TOR servers whenever a server is added or
>> removed, and the number of our servers is constantly increasing.
>
> The trouble here is that if we make family declarations one-sided, then
> I can tell everybody that I'm in blutmagie's family (and X's family and
> Y's family and Z's family and ...), and suddenly I'm influencing the
> path selection of other clients in a way I shouldn't be able to.
>
> We need to have each set of relays in a family declare the others,
> or it's open to attacks like this.

In situations like Perfect Privacy's, where there are a significant
number of nodes that are dynamically changing, which all need to be in
one family, the basic proposal seems useful enough that I wonder if it
can be rehabilitated to take care of the concerns Roger just expressed.
So let me just float an idea here that maybe others can
flesh-out/simplify/correct ...

What if families could be "declared" by giving them a name (say XYZ123)
and publishing a public key for them. Then to add a node to the family,
the server operator would issue a BelongToFamily XYZ123 declaration that
is somehow signed by the corresponding private key. If the details can
be worked out correctly, then only the person/organization with access
to the private key can add servers to that family. I think that would
take care of Roger's concern about relay operators adding their server to
others' families. If this is too much information to reasonably contain
in a torrc file, then perhaps it could be included in a separate file:
either one the Tor client automatically looks for or one referenced in
torrc.

Does anything like that seem viable? Maybe the developers can comment
about the doability and whether it addresses all of the security
concerns? And maybe Perfect Privacy can somehow be pulled into the
conversation to see if such a thing would be useful for people in their
situation.

Jim

P.S. The above was written while off-line. After seeing the newer
posts, I realize my proposal might essentially be the same as
The23rdRaccoon's. I am not sure. But I don't remember seeing anything
about using a signature to limit who could add themselves to a family in
Bruce's original proposal.
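
Added example, not part of the original message and not Tor's code: one way the signed family declaration proposed above could be checked, sketched in Go with Ed25519. The descriptor layout, the `claimMessage` encoding, the relay fingerprints and the function names are assumptions made for illustration; the signature covers the relay's identity so that a declaration copied from a legitimate member does not verify for another relay.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Descriptor is a hypothetical relay descriptor carrying a signed family claim.
type Descriptor struct {
	Fingerprint string // relay identity (constructed sample values in main)
	Family      string // family name, e.g. "XYZ123"
	Sig         []byte // family key's signature over Family and Fingerprint
}

// claimMessage binds the family name to one relay identity. Signing the
// family name alone would let any relay reuse a member's signature.
func claimMessage(family, fingerprint string) []byte {
	return []byte("family-claim\x00" + family + "\x00" + fingerprint)
}

// Endorse is run by the family owner, the only holder of the private key.
func Endorse(priv ed25519.PrivateKey, family, fingerprint string) Descriptor {
	sig := ed25519.Sign(priv, claimMessage(family, fingerprint))
	return Descriptor{Fingerprint: fingerprint, Family: family, Sig: sig}
}

// InFamily is the verifier's check: a claim counts only if the public key
// published for that family name verifies the signature for this relay.
func InFamily(keys map[string]ed25519.PublicKey, d Descriptor) bool {
	pub, ok := keys[d.Family]
	if !ok {
		return false // unknown family name: no key, no membership
	}
	return ed25519.Verify(pub, claimMessage(d.Family, d.Fingerprint), d.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	keys := map[string]ed25519.PublicKey{"XYZ123": pub}

	member := Endorse(priv, "XYZ123", "AAAA1111")
	unsigned := Descriptor{Fingerprint: "BBBB2222", Family: "XYZ123"}
	copied := Descriptor{Fingerprint: "BBBB2222", Family: "XYZ123", Sig: member.Sig}

	// Endorsed member is accepted; the one-sided claim and the copied
	// signature are both rejected.
	fmt.Println(InFamily(keys, member), InFamily(keys, unsigned), InFamily(keys, copied))
}
```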