Better support for ephemeral relay identity keys
Tagging-based amplification attacks are primarily an issue of node integrity. For the most part, they are impossible to perform if you are external to the Tor network, and they are detectable if the adversary's proportion of compromised nodes on the network is low, due to excessive circuit failure at non-colluding nodes.
However, this all changes if most nodes have easily accessible identity keys. All the adversary need do is make a quick stop at each high-capacity Tor relay, freeze the RAM or reboot the box, and extract the keys. From that point on, the adversary is free to intercept and tag traffic transparently upstream. Worse, as the adversary performs this procedure at more and more nodes, their circuit failure rate will fall. At least according to the math of some dude who claims to be a raccoon: https://lists.torproject.org/pipermail/tor-dev/2012-March/003361.html
I believe the best stopgap solution to this (at least until whatever comes out of #5460 is deployed) is to encourage relay operators to keep their relay keys on a ramdisk, so they are discarded in the event of reboot. This would at least require the adversary to retain persistent access to the machine, which risks discovery via auditing mechanisms.
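As an added illustration of the ramdisk stopgap (this is example code written for this ticket, not Tor's own scripts or anything the project ships), the snippet below checks whether a relay's key directory actually sits on a tmpfs mount, which is the property that makes the keys vanish on reboot. The key directory path `/var/lib/tor/keys`, the `debian-tor` user and the sample mount table are assumptions for the example; the check reads the mount table as text so it can be pointed at `/proc/mounts` on a live relay or at a constructed sample offline.

```shell
#!/bin/sh
# Added example, not from the ticket or the Tor project.
# Goal: verify that a relay's key directory is on a RAM-backed filesystem
# (tmpfs), so the identity key is discarded when the machine is rebooted.

# fs_type_for_path MOUNTS_TEXT PATH
# Prints the filesystem type of the mount holding PATH. The longest
# matching mount point wins, which is how the kernel resolves the path.
fs_type_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2; fs = $3
            # PATH is on this mount if it equals the mount point, lies
            # beneath it, or the mount point is the root filesystem.
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = fs }
            }
        }
        END { print best }'
}

# keys_on_ramdisk MOUNTS_TEXT PATH -> exit status 0 if PATH is on tmpfs
keys_on_ramdisk() {
    [ "$(fs_type_for_path "$1" "$2")" = "tmpfs" ]
}

# Constructed sample in /proc/mounts format (not captured from a real relay).
SAMPLE_MOUNTS='rootfs / ext4 rw 0 0
tmpfs /run tmpfs rw,nosuid 0 0
tmpfs /var/lib/tor/keys tmpfs rw,nosuid,nodev,mode=0700 0 0
/dev/sdb1 /home ext4 rw 0 0'

# To create the ramdisk on a relay (run as root before tor starts; the path
# and the debian-tor user are assumptions for this example):
#   mount -t tmpfs -o size=16m,mode=0700,uid=debian-tor,gid=debian-tor \
#       tmpfs /var/lib/tor/keys
# and to audit a live host:
#   keys_on_ramdisk "$(cat /proc/mounts)" /var/lib/tor/keys && echo ok

main() {
    # /var/lib/tor/keys/some_key is a hypothetical file name for the demo.
    for d in /var/lib/tor/keys /var/lib/tor/keys/some_key /home/tor/keys; do
        if keys_on_ramdisk "$SAMPLE_MOUNTS" "$d"; then
            echo "$d: on tmpfs (discarded on reboot)"
        else
            echo "$d: NOT on tmpfs ($(fs_type_for_path "$SAMPLE_MOUNTS" "$d"))"
        fi
    done
}
main
```

Note that the check only proves the directory is RAM-backed at the moment it runs; a relay whose keys were first generated on disk and later copied to tmpfs still has the old copy recoverable from the disk, so the ramdisk should be mounted before the keys are ever generated.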
Unfortunately, there are a few issues with how Tor treats relay identity keys that make it extremely inconvenient for relay operators if they ever change.
This ticket is to serve as the parent ticket for enumerating these inconveniences.