I'm far from an expert on Tor, but:
> The key is that they will be programmed to redirect users towards the backup DirAuths servers only once the backup plan
> has been activated. Before this happens, no one should possibly be able to learn the locations of the backup DirAuths from these public Gateways.
Assuming a software update isn't required to 'activate' these gateways in the event of a compromise (and if it is, new DirAuths could just as easily be pushed that way - as is the case now).
Whilst the code on the 'gateways' might be encrypted, will anything be needed client side to handle the redirect? If so, what's to stop an adversary from using the client codebase to develop something 'good enough' to trigger a redirect to their malicious DirAuths?
I'm assuming you'd send a message signed with a specific key and have the client verify it? What happens if the Gateways (which the clients presumably know about) are also seized/compromised after the relevant keys have been delivered to them?
In terms of a trust model, assuming the keys for the Gateways are compromised (or a weakness in the implementation found giving the same effect), presumably the response of the Gateways overrides the 10 DirAuths? Potentially reducing the effort needed for an attack to 3 or 4 gateway machines?
I'm not poking holes in your idea, it's more it's caught my interest and raised a few questions in my mind.
10 servers spread around different jurisdictions is still quite a challenge to mount, though not impossible (though as I understand it, as it's consensus based, they don't need all 10).
But given the widespread effect it would have, they'd have to be able to support the argument that interfering with the routing of every Tor user was reasonable in their stated goal - that'd probably carry in some jurisdictions, but is unlikely to in others.
> A careful and knowledgeable examination of the different state jurisdictions concerning warrant authorization, or eventually
> known habits to bypass them, etc...
I've no idea whether the operators of the DirAuths have looked at this (though I'd be surprised if some haven't), but looking at the processes used (or ignored) in the relevant countries definitely seems like a worthwhile effort to me.
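The trust-model question raised above (does a gateway-signed redirect override the DirAuth majority, and how many machines would an adversary then need?) can be made concrete with a small threshold model. The following is an added example, not code from the post, from Tor, or from the proposal being discussed. It assumes 10 directory authorities accepted by simple majority, 4 gateway machines with a 3-of-4 redirect rule, and uses HMAC-SHA256 as a stand-in for real public-key signatures so that it runs offline; `min_keys_to_forge` brute-forces the smallest set of keys whose compromise yields an accepted message under each policy.

```python
import hashlib
import hmac
from itertools import combinations

# Constructed parameters (assumptions, not Tor's real values): 10 directory
# authorities accepted by simple majority, 4 gateway machines.
DIRAUTH_KEYS = {f"dirauth-{i}": f"dirauth-secret-{i}".encode() for i in range(10)}
GATEWAY_KEYS = {f"gateway-{i}": f"gateway-secret-{i}".encode() for i in range(4)}
DIRAUTH_QUORUM = len(DIRAUTH_KEYS) // 2 + 1   # 6 of 10
GATEWAY_QUORUM = 3                              # 3 of 4, the "3 or 4 machines" case

ALL_KEYS = {**DIRAUTH_KEYS, **GATEWAY_KEYS}


def sign(key_id: str, message: bytes) -> str:
    # HMAC-SHA256 stands in for a real signature scheme so the example runs offline.
    return hmac.new(ALL_KEYS[key_id], message, hashlib.sha256).hexdigest()


def valid_signers(message: bytes, signatures: dict, keyring: dict) -> set:
    """Key ids from `keyring` whose signature over `message` verifies."""
    return {kid for kid, sig in signatures.items()
            if kid in keyring and hmac.compare_digest(sign(kid, message), sig)}


def consensus_policy(message: bytes, signatures: dict) -> bool:
    # Normal path: a majority of directory authorities must sign.
    return len(valid_signers(message, signatures, DIRAUTH_KEYS)) >= DIRAUTH_QUORUM


def gateway_override_policy(message: bytes, signatures: dict) -> bool:
    # Redirect path as questioned above: gateway quorum alone is enough.
    return len(valid_signers(message, signatures, GATEWAY_KEYS)) >= GATEWAY_QUORUM


def combined_policy(message: bytes, signatures: dict) -> bool:
    # Hardened variant: a redirect needs the gateway quorum AND a DirAuth majority,
    # so the gateways cannot lower the floor set by the authorities.
    return gateway_override_policy(message, signatures) and consensus_policy(message, signatures)


def min_keys_to_forge(policy, message: bytes = b"redirect: use backup dirauths (constructed)"):
    """Smallest number of keys whose compromise lets an adversary produce an accepted message."""
    key_ids = sorted(ALL_KEYS)
    for size in range(1, len(key_ids) + 1):
        for subset in combinations(key_ids, size):
            sigs = {kid: sign(kid, message) for kid in subset}
            if policy(message, sigs):
                return size
    return None


if __name__ == "__main__":
    for name, policy in [("consensus", consensus_policy),
                         ("gateway override", gateway_override_policy),
                         ("gateway + consensus", combined_policy)]:
        print(f"{name:20s}: {min_keys_to_forge(policy)} keys needed")
```

Run as a script it prints the floor for each policy; the gateway-override rule is accepted with 3 keys, the consensus rule with 6, and the combined rule with 9, which is the number a design review would compare before deciding whether the redirect path weakens the existing consensus threshold.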