> I think that there are some details to work out, but the general
> approach you describe sounds reasonable.  IMO it doesn't need to be
> directory authorities who are StatsAuths, and we could use a "blinded
> token once per relay per period" scheme for other stuff too down the
> line.

I wonder what the minimum requirement for StatAuths would be. Is one StatsAuth 
too few? With only one, the statistics could be arbitrarily altered by that 
one, but privacy is still not at risk. Would two be acceptable if one is not? 
It would be nice to have a fairly minimal infrastructure for this, and I agree 
that it might be better to avoid loading the DirAuths with more functions.

Also, I had stated that the trust assumption on StatAuths was that all could be 
curious but one should also be honest. Actually, that wasn’t correct because 
one malicious StatAuth could refuse to issue tokens to some relays, thereby 
preventing them from getting any stats accepted. Instead, the relays should 
require tokens (i.e. blind signatures) from a *majority* of StatAuths. Then an 
honest majority is required to prevent malicious manipulation of the statistics.

Cheers,
Aaron
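
An added illustration of the point in the message above (not part of the thread and not Tor code): it compares a collector that requires tokens from every StatAuth with one that requires a majority, when some StatAuths refuse to issue to a relay. Textbook RSA blind signatures, the toy Mersenne-prime keys, the `StatAuth` class and the names `relayA` and `period-1` are all assumptions made for the sketch.

```python
import hashlib
import secrets
from math import gcd

E = 65537  # public exponent shared by all toy keys

def mersenne(k):
    return 2**k - 1  # known primes for k = 61, 89, 107, 127; toy keys only

class StatAuth:
    """Hypothetical StatAuth: blind-signs one token per relay per period."""
    def __init__(self, p, q, refuses=()):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))
        self._issued = set()
        self._refuses = set(refuses)  # relays a malicious StatAuth starves

    def issue(self, relay, period, blinded):
        if relay in self._refuses or (relay, period) in self._issued:
            return None
        self._issued.add((relay, period))
        return pow(blinded, self._d, self.n)  # signs without seeing the token

def digest(token, n):
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n

def fetch_signature(auth, relay, period, token):
    """Relay side: blind the token, request a signature, unblind the reply."""
    r = secrets.randbelow(auth.n - 2) + 2
    while gcd(r, auth.n) != 1:
        r = secrets.randbelow(auth.n - 2) + 2
    blind_sig = auth.issue(relay, period, digest(token, auth.n) * pow(r, E, auth.n) % auth.n)
    return None if blind_sig is None else blind_sig * pow(r, -1, auth.n) % auth.n

def count_valid(token, sigs, moduli):
    """Collector side: number of StatAuths whose signature on the token verifies."""
    return sum(s is not None and pow(s, E, n) == digest(token, n)
               for s, n in zip(sigs, moduli))

def run(refusing_auths=1):
    """relayA asks three StatAuths; the first `refusing_auths` are malicious."""
    keys = [(61, 89), (89, 107), (107, 127)]
    auths = [StatAuth(mersenne(a), mersenne(b), refuses={"relayA"} if i < refusing_auths else ())
             for i, (a, b) in enumerate(keys)]
    token = b"period-1|" + secrets.token_bytes(16)  # constructed token
    sigs = [fetch_signature(a, "relayA", "period-1", token) for a in auths]
    valid = count_valid(token, sigs, [a.n for a in auths])
    return valid, valid == len(auths), 2 * valid > len(auths)
```

`run()` returns the number of valid signatures, the verdict under a require-all rule, and the verdict under a majority rule; with one refusing StatAuth out of three, only the majority rule still accepts the relay's statistics.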