Reject proposal 134

doc/spec/proposals/000-index.txt

@@ -54,7 +54,7 @@ Proposals by number:
 131  Help users to verify they are using Tor [NEEDS-REVISION]
 132  A Tor Web Service For Verifying Correct Browser Configuration [DRAFT]
 133  Incorporate Unreachable ORs into the Tor Network [DRAFT]
-134  More robust consensus voting with diverse authority sets [ACCEPTED]
+134  More robust consensus voting with diverse authority sets [REJECTED]
 135  Simplify Configuration of Private Tor Networks [CLOSED]
 136  Mass authority migration with legacy keys [CLOSED]
 137  Keep controllers informed as Tor bootstraps [CLOSED]
@@ -115,7 +115,6 @@ Proposals by status:
    110  Avoiding infinite length circuits [for 0.2.1.x] [in 0.2.1.3-alpha]
    117  IPv6 exits [for 0.2.1.x]
    118  Advertising multiple ORPorts at once [for 0.2.1.x]
-   134  More robust consensus voting with diverse authority sets [for 0.2.2.x]
    140  Provide diffs between consensuses [for 0.2.2.x]
    147  Eliminate the need for v2 directories in generating v3 directories [for 0.2.1.x]
    157  Make certificate downloads specific [for 0.2.1.x]
@@ -167,3 +166,5 @@ Proposals by status:
    120  Shutdown descriptors when Tor servers stop
    128  Families of private bridges
    142  Combine Introduction and Rendezvous Points
+ REJECTED:
+   134  More robust consensus voting with diverse authority sets

doc/spec/proposals/134-robust-voting.txt

@@ -2,8 +2,10 @@ Filename: 134-robust-voting.txt
 Title: More robust consensus voting with diverse authority sets
 Author: Peter Palfrader
 Created: 2008-04-01
-Status: Accepted
+Status: Rejected
-Target: 0.2.2.x
+
+History:
+  2009 May 27: Added note on rejecting this proposal -- Nick
 
 Overview:
 
@@ -103,3 +105,19 @@ Possible Attacks/Open Issues/Some thinking required:
  Q: Can this ever force us to build a consensus with authorities we do not
     recognize?
  A: No, we can never build a fully connected set with them in step 3.
+
+------------------------------
+
+I'm rejecting this proposal as insecure.
+
+Suppose that we have a clique of size N, and M hostile members in the
+clique.  If these hostile members stop declaring trust for up to M-1
+good members of the clique, the clique with the hostile members will
+in it will be larger than the one without them.
+
+The M hostile members will constitute a majority of this new clique
+when M > (N-(M-1)) / 2, or when M > (N + 1) / 3.  This breaks our
+requirement that an adversary must compromise a majority of authorities
+in order to control the consensus.
+
+-- Nick

doc/spec/proposals/reindex.py

@@ -4,7 +4,7 @@ import re, os
 class Error(Exception): pass
 
 STATUSES = """DRAFT NEEDS-REVISION NEEDS-RESEARCH OPEN ACCEPTED META FINISHED
-   CLOSED SUPERSEDED DEAD""".split()
+   CLOSED SUPERSEDED DEAD REJECTED""".split()
 REQUIRED_FIELDS = [ "Filename", "Status", "Title" ]
 CONDITIONAL_FIELDS = { "OPEN" : [ "Target" ],
                        "ACCEPTED" : [ "Target "],