tor/doc/contrib/authority-policy.txt
Nick Mathewson 1e86603b1c r15623@tombo: nickm | 2008-05-15 02:10:53 -0400
Notes on authority diversity for authority-policy.txt


svn:r14619
2008-05-15 06:11:54 +00:00

90 lines
3.8 KiB
Plaintext

0. Overview.
This document contains various informal policies for how to operate
a directory authority, how to choose new ones, etc.
1. How to pick a new directory authority.
Here's our current guidelines for how to pick new directory
authorities.
(These won't ever be formal criteria -- we need to keep this flexible
so we can adapt to new situations.)
o Stability:
- Must be a low-downtime Tor server (computer as well as network).
- Must have a static IP.
- The operator must have been running a stable Tor server for at least
3 months.
- Must intend for this server to stick around for the next 12 months
or more.
- Must not hibernate.
- Should not be an exit node (as this increases the risk both of
downtime and of key compromise).
o Performance:
- Must have sufficient bandwidth: at least 300 kB/s symmetric,
though in practice the inbound traffic can be considerably less.
o Availability:
- Must be available to upgrade within a few days in most cases.
(While we're still developing Tor, we periodically find bugs that
impact the whole network and require dirserver upgrades.)
- Should be have a well-known way to contact the administrator
via PGP-encrypted message.
o Integrity:
- Must promise not to censor or attack the network and users.
- Should be run by somebody that Tor (i.e. Roger) knows.
- Should be widely regarded as fair/trustworthy, or at least
known, by many people.
- If somebody asks you to backdoor or change your server, legally or
otherwise, you will fight it to the extent of your abilities. If
you fail to fight it, you must shut down the Tor server and notify
us that you have.
o Diversity
- We should avoid situations that make it likelier for multiple
dirserver failures to happen at the same time. Therefore...
- It's good when dirservers are not all in the same country.
- It's good when dirservers are not all in the same jurisdictions.
- It's good when dirservers are not all running the same OS.
- It's good when dirservers are not all using the same ISP.
- It's good when dirservers are not all running the same
version of Tor.
- No two dirservers should have the same operator.
- Maximal diversity, however, is not always practical. Sometimes,
for example, there is only one version of Tor that provides a
given consensus generation algorithm.
- A small group of authorities with the same country/jurisdiction/OS is
not a problem, until that group's size approaches quorum (half the
authorities).
2. How to choose the recommended versions
The policy, in a nutshell, is to not remove versions without a good
reason. So this means we should recommend all versions except:
- Versions that no longer conform to the spec. That is, if they wouldn't
actually interact correctly with the current Tor network.
- Versions that have known security problems.
- Versions that have frequent crash or assert problems.
- Versions that harm the performance or stability of the current Tor
network or the anonymity of other users. For example, a version
that load balances wrong, or a version that hammers the authorities
too much.
> some use the slight variant of requiring a *good* reason.
> excellent reasons include "there's a security flaw"
> good reasons include "that crashes every time you start it. you would think
+tor is dumb if you tried to use that version and think of it as tor."
> good reasons include "those old clients do their load balancing wrong, and
+they're screwing up the whole network"
> reasons include "the old one is really slow, clients should prefer the new
+one"
> i try to draw the line at 'good reasons and above'