Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a02923122e
Branches Tags
tor
/
doc
/
spec
/
proposals
/
139-conditional-consensus-download.txt

139-conditional-consensus-download.txt 3.5 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 
  1. Filename: 139-conditional-consensus-download.txt
    2. 

  2. Title: Download consensus documents only when it will be trusted
    3. 

  3. Author: Peter Palfrader
    4. 

  4. Created: 2008-04-13
    5. 

  5. Status: Closed
    6. 

  6. Implemented-In: 0.2.1.x
    7. 

  7. 

  8. Overview:
    9. 

  9. 

  10.   Servers only provide consensus documents to clients when it is known that
    11. 

  11.   the client will trust it.
    12. 

  12. 

  13. Motivation:
    14. 

  14. 

  15.   When clients[1] want a new network status consensus they request it
    16. 

  16.   from a Tor server using the URL path /tor/status-vote/current/consensus.
    17. 

  17.   Then after downloading the client checks if this consensus can be
    18. 

  18.   trusted.  Whether the client trusts the consensus depends on the
    19. 

  19.   authorities that the client trusts and how many of those
    20. 

  20.   authorities signed the consensus document.
    21. 

  21. 

  22.   If the client cannot trust the consensus document it is disregarded
    23. 

  23.   and a new download is tried at a later time.  Several hundred
    24. 

  24.   kilobytes of server bandwidth were wasted by this single client's
    25. 

  25.   request.
    26. 

  26. 

  27.   With hundreds of thousands of clients this will have undesirable
    28. 

  28.   consequences when the list of authorities has changed so much that a
    29. 

  29.   large number of established clients no longer can trust any consensus
    30. 

  30.   document formed.
    31. 

  31. 

  32. Objective:
    33. 

  33. 

  34.   The objective of this proposal is to make clients not download
    35. 

  35.   consensuses they will not trust.
    36. 

  36. 

  37. Proposal:
    38. 

  38. 

  39.   The list of authorities that are trusted by a client are encoded in
    40. 

  40.   the URL they send to the directory server when requesting a consensus
    41. 

  41.   document.
    42. 

  42. 

  43.   The directory server then only sends back the consensus when more than
    44. 

  44.   half of the authorities listed in the request have signed the
    45. 

  45.   consensus.  If it is known that the consensus will not be trusted
    46. 

  46.   a 404 error code is sent back to the client.
    47. 

  47. 

  48.   This proposal does not require directory caches to keep more than one
    49. 

  49.   consensus document.  This proposal also does not require authorities
    50. 

  50.   to verify the signature on the consensus document of authorities they
    51. 

  51.   do not recognize.
    52. 

  52. 

  53.   The new URL scheme to download a consensus is
    54. 

  54.   /tor/status-vote/current/consensus/<F> where F is a list of
    55. 

  55.   fingerprints, sorted in ascending order, and concatenated using a +
    56. 

  56.   sign.
    57. 

  57. 

  58.   Fingerprints are uppercase hexadecimal encodings of the authority
    59. 

  59.   identity key's digest.  Servers should also accept requests that
    60. 

  60.   use lower case or mixed case hexadecimal encodings.
    61. 

  61. 

  62.   A .z URL for compressed versions of the consensus will be provided
    63. 

  63.   similarly to existing resources and is the URL that usually should
    64. 

  64.   be used by clients.
    65. 

  65. 

  66. Migration:
    67. 

  67. 

  68.   The old location of the consensus should continue to work
    69. 

  69.   indefinitely.  Not only is it used by old clients, but it is a useful
    70. 

  70.   resource for automated tools that do not particularly care which
    71. 

  71.   authorities have signed the consensus.
    72. 

  72. 

  73.   Authorities that are known to the client a priori by being shipped
    74. 

  74.   with the Tor code are assumed to handle this format.
    75. 

  75. 

  76.   When downloading a consensus document from caches that do not support this
    77. 

  77.   new format they fall back to the old download location.
    78. 

  78. 

  79.   Caches support the new format starting with Tor version 0.2.1.1-alpha.
    80. 

  80. 

  81. Anonymity Implications:
    82. 

  82. 

  83.   By supplying the list of authorities a client trusts to the directory
    84. 

  84.   server we leak information (like likely version of Tor client) to the
    85. 

  85.   directory server.  In the current system we also leak that we are
    86. 

  86.   very old - by re-downloading the consensus over and over again, but
    87. 

  87.   only when we are so old that we no longer can trust the consensus.
    88. 

  88. 

  89. 

  90. 

  91. Footnotes:
    92. 

  92.  1. For the purpose of this proposal a client can be any Tor instance
    93. 

  93.     that downloads a consensus document.  This includes relays,
    94. 

  94.     directory caches as well as end users.
    95.