[tor-talk] Questions about Directory Authority Servers

grarpamp grarpamp at gmail.com
Mon Oct 15 16:48:42 PDT 2018

On 10/15/18, panoramix.druida <panoramix.druida at protonmail.com> wrote:
> Hi,
> From my understanding when a Tor proxy is started it downloads a list of
> relays from one of the ten Directory Authority Servers listed here:
> https://metrics.torproject.org/rs.html#search/flag:authority
> Am I right?

There's a second helper layer to the DA's known as fallback servers.
However the DA's are still the root gatekeepers of the live network.
And the DA's are also subject to higher layers that reside outside
the live network...

> If so, who runs these servers and how are the people running them chosen? I
> would like to know a bit about the governance of how these authority servers
> are chosen.

Assuming more of analysis than operation question...

Observatories appear to show the servers as being
distributed around the world in various jurisdictions.
They're run by whoever they appear to be run by.
Both have a variety of potential attacks.

The "how chosen / removed" part is informal but
does have some written guidelines in torspec repo.
The existence of DA design function under humans
vs say distributed DHT, blockchain, AI, users clients,
whatever... is thought to have certain strengths.

Ultimately the fingerprints and IP's of the DA's are hardcoded
and committed into the source code, which exists in repositories
controlled by The Tor Project Inc, a corporation headquartered
in, and on the books of, the United States of America, run on
continuum from open to closed fashion in various areas of
governance, participation, etc. There's a lot more that goes into
that. All of which various parts of the overall community
(corp, dev, users, operators, funders, etc) also hold various
opinions on (re DA's), no different than any other project.

In overall re: design / subject of DA's... it's thought by most
around Tor, a reasonably sound and working model, resistant
to at least casual attack en masse, at least so far as any
attack is publicly known to have occurred.

Also keep in mind that design of Tor / DA is roughly 20 years
old, thus having elements of both wisdom and legacy.

> What could go wrong if one or more of these servers are compromised?

Worst case?
Full discovery of end to end physical locations,
with concurrent compromise of traffic content.
General network disruption including complete shutdown.

Technical talk has been made over the years on if / should,
and how, the DA's might be eliminated from the design.

If the DA system is thought to be weak to various threats and
attack models, or there's preference for a fully independent,
distributed, and autonomous live network... people might
want to review some of those talks, or draft design changes,
or new overlay networks, or implement ones that are
still in whitepaper form [waiting for a dev team].

The Anonbib is one good source for research reading, as
are the materials and communities of other overlay networks.

Note also that most things "who, where, threat models"
regarding the DA's also apply to all the relays. And
there is not necessarily any PKI WoT, comms, or in person
relations between any given whole or subset[s] of them.
Perhaps there should be, or not, or in part, and why / how...

And that such subject questions, and their many fine and
possible answers surely both here and before from many folks,
are not unique to Tor... all the open overlay networks exhibit
at least some similar elements.

The code and networks are still active so... ignoring unknown
conspirators, malactors, Sybils, GPA / GAA, [quantum]
cryptanalysis, parallel constructions, etc... perhaps things
in the space are thought good enough. Or not.

One should never rest, because your adversaries will not.

It's a big space, there's always room for new ideas,
[better] solutions to old, hard, and new threats,
incorporating new tools and strategies that didn't
exist before, etc.

Have fun :)

More information about the cypherpunks mailing list