Hi,
thanks for your input.
There will be a new iteration of the draft and I will reply to your email
again once that is done, as it should cover some of the areas you mentioned.
kind regards,
nusenu
[email protected]:
(sorry for replying directly before)
On 2021-10-03 16:16, nusenu-lists at riseup.net wrote:
Hi,
I wrote down a spec for a simple web of trust
for relay operator IDs:
Some comments, in no particular order:
Why not just put the keys in directly, or even a magnet link to your latest web
of trust? That would remove the need to trust SSL CAs.
What problems does this solve, specifically, and how? If I - me personally, not
the generic I - wanted to spin up a relay, how would I do that?
Would I go on this mailing list and ask random people to sign my relay? If so,
it's not very useful.
Or would I just run it without any signatures at all? If so, it's not very
useful.
The basic problem, I think, is the same as for PGP: it's not really clear what
you're attesting to when you sign. If I sign my mate's relay, and then that
relay turns out to be dodgy, do I also lose my relay operation privileges?
I think that WoT systems have a definite value for preventing Sybil attacks,
they are very powerful, and I don't think these issues are insurmountable, but
they have to be addressed.
If you're going to do it in a "machine-friendly" manner, then I suppose you have to come up with some kind of
formalized notion of what trust represents, maybe have some numerical scale so you can define (just as an example) 100
= "I've personally audited the hardware", 70 = "This is an organization I trust", 10 = "I know
who this person is, it's not just a fresh hotmail".
Or, you can do it in a "human-friendly" manner, where you just write text notes
with each trust relationship. That would make it quite useless to parse, but could be
useful to give us some information about relays.
Now, here's my gut feeling:
Instinctively, it seems silly to have the trust relationships denote "this person is a good
relay operator" (how would you even quantify that?), and maybe more reasonable to have it
denote "I know this guy, he didn't just pop into existence last Thursday". And if you're
doing that, it seems like the second approach makes more sense. This clearly suggests some
limitations to it, but possibly still useful.
Anyway, if you're going to do that, it might also be reasonable to hook into a
pre-existing web of trust, like GPG or something. That way, we can encode stuff like
"I trust my mate Alice, she isn't a relay operator, she trusts Bob, who is,
therefore I transitively trust Bob." This doesn't work great if Alice has to
register in the separate Tor Web of Trust thing. (On the other hand, we introduce the
problem of someone doing a Sybil by being introduced to random people who will sign
literally anything, not being aware of Tor, and then showing up with plausible-looking
trust pairs. But maybe that's not such a big problem, because that arguably looks even
shadier?)
I think this is a very good initiative, anyway.
--
https://nusenu.github.io
_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev