Directory authority expectations
The Tor directory authorities make up an independent body responsible for keeping the Tor network operating and safe.
The directory authorities together act as a trust anchor for the Tor network. Their main task is to ensure that there is a single unified view of the network at any given time, so users can have confidence that they're using the same set of relays as many other users.
Priorities
Making and maintaining this unified view involves four key reliability/safety characteristics that we expect from each directory authority:
- Keep the service available. Individual authorities can go down from time to time due to maintenance or other surprises, but we need most authorities online most of the time. Availability also means having enough spare capacity and resources to keep working well enough while under attack.
- Be responsive as an operator. The role of a directory authority operator was originally fairly passive. As Tor has become more popular it has attracted more, and more capable, attackers, and we increasingly discover attacks that require a quick response at the directory authorities to keep users safe.
- Have integrity. A single bad directory authority shouldn't be able to do much harm, but a few acting together can. Integrity is broad in scope; it encompasses:
    - transparency, meaning operating in a way where configuration choices and other decisions are visible to others. We acknowledge the tension between transparency and having a small set of directory authority operators in a large, dynamic, public network. When balancing openness against the network's security, each operator should err on the side of more transparency toward the diverse groups involved in the Tor network and its operation (relay operators, users, network health). Transparency among the directory authority operators themselves should be complete, while some operational details (such as bad-relay detection methods or the full set of bridges) need to remain protected from bad actors (malicious relay operators, censors).
    - resisting external threats to the safety of users or the network, such as attempts to obtain an authority's keys or to mark many relays as offline.
    - having accountability for doing their part to ensure that the network stays safe, and for making intentional decisions to produce the best network they can, both in the short term and the long term.
- Balance maximizing network capacity with excluding bad relays. The Tor network generally becomes stronger and safer as we add more relays, but there are cases where relays undermine safety rather than contribute to it. The directory authorities should work to exclude relays that are a net harm to the network.

  Bad relays can be carrying out active attacks (e.g. modifying traffic) or passive attacks (e.g. observing or correlating traffic). Sometimes it is clear that a relay is misbehaving; in other cases it is not obvious, and we need to use whatever clues are available (such as interactions with the relay operator, past history with the relay's ISP, or other signals) as well as advice from the Tor Network Health team and other researchers. Ultimately these cases come down to a judgment call on whether each relay is a net help or a net harm to the network.
Supporting tools
Operating a modern directory authority includes running a set of peripheral tools, such as a bandwidth authority. Since these peripheral tools can significantly influence the authority's contribution to the overall consensus (a compromised or faulty bandwidth authority, for example, skews the weights the authority votes for), directory authority operators should treat their security and robustness with the same care as the primary directory authority service.
Membership and scope
The directory authorities as a group collectively decide who is a directory authority, including when to add or remove one and whom.
Size: The set of authorities should be large enough to have good robustness in the face of individual failures, but also small enough to keep coordination manageable. We currently think that around ten authorities is a reasonable number.

Resilience: We should avoid situations that make it likelier for multiple authority failures to happen at the same time. While in an ideal world the directory authorities would achieve complete diversity in all ways (geographic locations, jurisdictions, operating systems, system architectures, system libraries, Tor software versions, Tor protocol implementations, operator backgrounds and skills and communities, etc.), in practice, especially with the small set of authorities, we need to prioritize the aspects of diversity that best help us achieve the four goals above.

Independence: Because the primary priority of the Tor network is user safety, and because the Tor design achieves this priority mainly through distributed trust, we especially need to avoid situations where other entities have the power to dictate which relays or other information the directory authorities collectively list in the consensus. More generally, independence also means avoiding situations where external entities can dictate how each directory authority operator goes about achieving and balancing the above four goals.
Note that these principles of resilience and independence don't mean that the Tor directory authority operators have unbounded power. Like the developers who maintain the Tor software, the directory authorities are ultimately accountable to the Tor users. That means we need to choose authority operators who are well-established and trusted members of the internet security and privacy world, and in turn they need to act in ways that maintain the trust of the users. Ultimately, if directory authority operators lose the trust of the community, they can be replaced by the developers or users altogether.
Similarly, because part of properly distributing trust is making sure that Tor as an organization doesn't have the ability to deanonymize Tor users, we need to limit the number of authority operators who have a conflict of interest (such as being employed by Tor or serving on the Tor board) to a small minority. The directory authority operators need to be able to trust each other to be transparent about their configuration and setup choices, and to communicate openly with each other.
Many groups within the Tor ecosystem share overlapping responsibility for user safety. These include the directory authority operators, relay operators, Tor software developers, the non-profit organization that employs some of them, the Communications and Community teams, the Network Health team, and the Community Council. All of these groups need to collaborate effectively.
This does not mean every group must be informed about every issue or make decisions on all user safety matters. Rather, each group focuses on specific aspects of user safety. When there is overlap, all relevant stakeholders should participate in discussions and decision-making. The structure of this process depends on formal or informal agreements among the stakeholders, which are outside the scope of this document.
Details about how directory authority operators achieve the above goals (such as how to achieve priority 4, excluding relays that are a net harm to the network) will be specified in future policy documents. These policies will incorporate requirements from the Network Health and Community teams at Tor, as well as input from other stakeholders.