On Fri, Dec 30, 2016 at 10:36 PM, Bill Cox wrote:

One problem is shills. IIUC, TOR has a problem where an attacker can create a ton of nodes that collude. TOR could be > 50% shills and we would not know. Is this something that could be implemented effectively with the dreaded web of trust?

Yes. It has been repeatedly brought up among tor that relay operators, being globally spread and relatively physically mobile for the purpose of keysigning, can cross sign their node keys with gpg keys, have their gpg keys signed in person under proof of relay ownership as usual, dump the fingerprints into the consensus and sks, then build relay selection algorithms that download and verify the wot into user run tools that then build their circuits in the controller. Users can elect to use variant levels of trust present in the wot, anon / nym / context signing, ID signing, photo signing, multisig assertions, etc. Beyond just the wot, all sorts of other external metrics, even subscriptions to third party metrics services, could be applied to such a relay selection process. 7000 relays, even at low 10% shill and 1:1 would require 700 unique persons of the adversary that pass the smell test of other operators and principals, that has real costs. Or your allies just supply the number of validated nodes needed to prevent network saturation and users simply decline to route anything but CNN and gerbil pr0n through the 700 unvalidated nodes. Pretty simple really, needs nothing more than one structured comment field in the consensus and some external tools, but nobody has rolled it out or even developed concept further yet.