What will the deliberation process look like? Will community input be considered? Is there a formal process for this? If not, I think now is the time to create one (and I think transparency is essential here).
Hi cypherpunks, thanks for the tracking ticket. As Roger said we've already discussed this a little.
Directory authority changes require a tor release and as such there's no big rush. We'll likely need to find a replacement authority to keep the odd count so this will take a little thought.
Bah, thought we had an entry for this on the FAQ but evidently not. :(
Roger, would you or another authority operator mind writing one?
Directory authorities are operated by folks highly known and respected within this community, with a bias toward spreading out across geographic and geopolitical boundaries (particularly with regard to its hosting location). The present authority operators will probably discuss this among themselves soon.
Maybe I'm just too tired, but I count 10 entries in default_authorities. What am I missing?
Very understandable point of confusion - this puzzles lots of folks. Tonga does not vote in the consensus (it lacks a v3ident, only being used for bootstrapping and as the bridge authority).
I have read that or something substantially similar before; I just couldn't find it.
My question is a bit more specific, though: what is the ultimate process to add or remove a dirauth? Do all current dirauths vote in an IRC channel, and then someone commits the change? Is there an informal discussion and then (e.g.) Roger just commits (or not) whatever he wants? Or is it that a formal process is what you were referring to in, "The present authority operators will probably discuss this among themselves soon."?
Also, why is this all being discussed in private? I think the Tor community has a strong interest in, at the very least, visibility into the dirauth vetting/expulsion process, as well as the internal discussion about setting up that process.
Or am I wrong? Is this discussion actually being held somewhere public where I can join?
urras is the dirauth Jake runs. Of course, dirauths must be fully trusted. Recent events (which should be discussed elsewhere) have cast doubt on urras' trustworthiness. Now, I am not in any rush to kick urras out. It has been (AFAIK) well-behaved up until now, and there's a reason we have a consensus vote.
However, now is the time for the Tor Project to forumlate and publish a procedure, so in this case and in the future there is a neutral, transparent and not-so-arbitrary way to add or remove a dirauth.
I am very uncomfortable with the current procedure, which appears to be, "Current Tor Elites/dirauths meet and decide in a smoke-filled mailing list". The opacity and secrecy surrounding the dirauths--one of the most important, if not the most important, foundations of trust in Tor--worries me very much.
Has anything new happened in the apparently TOP SECRET discussion? The silence--about the ticket title and about the procedures--is deafening. Why is the Tor Project squandering trust like this?
Nope, no new developments here. Again, there's no great rush. Maybe the dirauths will discuss it soon, or maybe it'll be deferred until the developer meeting in September. Not sure - Roger has a lot of things in the air, most of which are far more important than this.
Personally I like the idea of greater dirauth transparency but I'm not a dirauth operator, so I can't comment on that front.
@arma: Thank you! That's a great start to what I'm looking for. And just to clarify: the timeline for removing (or not) urras isn't what worried/worries me. The silence is.
IMO there needs to be:
a formal procedure for making the final decision (e.g. "Roger initiates a vote on ; dirauths have 3 days to vote yes or no via PGP-signed email; a quorum of 7 votes is sufficient to make a decision; lack of quorum => no change")
a formal procedure for removing dirauths (rules will be different to accommodate excluding the instant dirauth from voting)
more inclusive and transparent voting process (i.e. figure out some way to take community input)
These are probably better as separate issues. Shall I create tickets for these and leave this ticket for tracking the issue in the title?
Certainly makes sense. We can probably leave this as the tracking ticket for now but maybe break it up later. I forwarded this ticket to the dirauths to give a little thought to.
I'm one of the current dirauth ops. Getting anything less than full consensus is not sufficient for the sane operation of the network. Making individual tickets to create formal procedures won't work better than this ticket.
By consensus I meant consensus amongst dirauth operators, not the actual voting performed by Tor.
dirauth ops have to trust each others judgment, responsiblity in operating the dirauth, performing certain actions at certain times, etc. We already have many technical failure modes and any kind of mistrust amongst the dirauth ops adds a situation where it'll become easier to undermine the security of the network by undermining the security of less than half of the dirauths, which is something we do not want to happen.
The process is that we're looking at candidates, making sure they have the technical capability and experience of running a Tor relay for some time, are able to earn trust from the Tor community at large as well as the dirauth operators community. Then the dirauth ops add them to their configuration and their details are added to the Tor consensus.