Discussion:
[tor-talk] Questions about Directory Authority Servers
panoramix.druida
2018-10-15 20:08:03 UTC
Hi,
From my understanding, when a Tor proxy is started, it downloads a list of relays from one of the ten Directory Authority Servers listed here:
https://metrics.torproject.org/rs.html#search/flag:authority

Am I right?

If so, who runs these servers, and how are the people running them chosen? I would like to know a bit about the governance of how these authority servers are chosen.

What could go wrong if one or more of these servers are compromised?

Thank you very much!

Panoramix

--
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin
Roger Dingledine
2018-10-15 20:22:47 UTC
Post by panoramix.druida
> https://metrics.torproject.org/rs.html#search/flag:authority
> Am I right?

Almost. First, it's actually only the nine v3 directory authorities.
The tenth one you see there, Serge, is a bridge authority, which is
different. And second, modern Tor clients fetch from a much larger
list, called the fallback directories, which are 100 or so relatively
stable relays.

The v3 directory authorities are responsible for collectively creating
the hourly networkstatus document, but that doesn't mean they need to
be the bottleneck for serving it.

You can learn more about the various roles here:
https://www.torproject.org/docs/faq#KeyManagement

Post by panoramix.druida
> If so, who runs these servers, and how are the people running them chosen? I would like to know a bit about the governance of how these authority servers are chosen.

The simple answer is that we choose good people from among the core
Tor participant community.

You can learn more about the community here:
https://gitweb.torproject.org/community/policies.git/tree/

And more about our selection goals here:
https://gitweb.torproject.org/torspec.git/tree/attic/authority-policy.txt

Post by panoramix.druida
> What could go wrong if one or more of these servers are compromised?

In theory, not much happens if a minority of them are compromised. If
a majority are compromised, things start to go bad, for example because
the attacker could create their own competing networkstatus documents.

Overall the v3 directory design still seems like a win though in terms
of trust, compared to the more-complex more-decentralized approaches,
where the complexity brings in new attacks, e.g.:
https://www.freehaven.net/anonbib/#wpes09-dht-attack

--Roger
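
The minority/majority point in the reply above, as an added example that is not part of the original thread or of Tor's code. It assumes the client rule of accepting a networkstatus document only when more than half of the authorities it recognises have signed it; the authority names, secrets and document text are constructed, and HMAC stands in for Tor's real signatures so the block runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed stand-ins: nine authority names with per-authority secrets.
# Real Tor ships authority identity fingerprints in its source and verifies
# public-key signatures; HMAC is used here only to keep the example stdlib-only.
AUTHORITY_KEYS = {f"auth{i}": f"secret-{i}".encode() for i in range(1, 10)}


def sign(name, key, document):
    """Return (signer name, signature) over the document digest."""
    digest = hashlib.sha256(document).digest()
    return name, hmac.new(key, digest, hashlib.sha256).hexdigest()


def valid_signers(document, signatures, trusted=AUTHORITY_KEYS):
    """Return the set of trusted authorities with a valid signature."""
    digest = hashlib.sha256(document).digest()
    good = set()
    for name, sig in signatures:
        key = trusted.get(name)
        if key is None:
            continue  # signer is not a recognised authority: ignored
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            good.add(name)  # a set, so repeated signatures count once
    return good


def accept_consensus(document, signatures, trusted=AUTHORITY_KEYS):
    """Accept only if more than half of the trusted authorities signed."""
    return len(valid_signers(document, signatures, trusted)) > len(trusted) // 2


def compromised_outcome(n_compromised):
    """Would a competing document signed by n authorities be accepted?"""
    forged = b"network-status-version 3\n(constructed competing document)\n"
    names = sorted(AUTHORITY_KEYS)[:n_compromised]
    sigs = [sign(n, AUTHORITY_KEYS[n], forged) for n in names]
    # Padding with an unknown signer and a duplicate must not change the count.
    sigs.append(sign("not-an-authority", b"x", forged))
    sigs += sigs[:1]
    return accept_consensus(forged, sigs)


if __name__ == "__main__":
    for n in (1, 4, 5):
        print(n, "compromised ->", "accepted" if compromised_outcome(n) else "rejected")
```

With nine authorities the threshold is five, so four compromised authorities cannot get a competing document accepted, and signatures from unknown or duplicate signers do not count toward the total.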
grarpamp
2018-10-15 23:48:42 UTC
Post by panoramix.druida
> Hi,
> From my understanding when a Tor proxy is started it downloads a list of
> https://metrics.torproject.org/rs.html#search/flag:authority
> Am I right?

There's a second helper layer to the DA's known as fallback servers.
However the DA's are still the root gatekeepers of the live network.
And the DA's are also subject to higher layers that reside outside
the live network...

Post by panoramix.druida
> If so, who runs these servers, and how are the people running them chosen? I
> would like to know a bit about the governance of how these authority servers are
> chosen.

Assuming more of analysis than operation question...

Observatories appear to show the servers as being
distributed around the world in various jurisdictions.
They're run by whoever they appear to be run by.
Both have a variety of potential attacks.

The "how chosen / removed" part is informal but
does have some written guidelines in torspec repo.
The existence of DA design function under humans
vs say distributed DHT, blockchain, AI, users clients,
whatever... is thought to have certain strengths.

Ultimately the fingerprints and IP's of the DA's are hardcoded
and committed into the source code, which exists in repositories
controlled by The Tor Project Inc, a corporation headquartered
in, and on the books of, the United States of America, ran on
continuum from open to closed fashion in various areas of
governance, participation, etc. There's a lot more that goes into
that. All of which various parts of the overall community
(corp, dev, users, operators, funders, etc) also hold various
opinions on (re DA's), no different than any other project.

In overall re: design / subject of DA's... it's thought by most
around Tor, a reasonably sound and working model, resistant
to at least casual attack en masse, at least so far as any
attack is publicly known to have occurred.

Also keep in mind that design of Tor / DA is roughly 20 years
old, thus having elements of both wisdom and legacy.

Post by panoramix.druida
> What could go wrong if one or more of these servers are compromised?

Worst case?
Full discovery of end to end physical locations,
with concurrent compromise of traffic content.
General network disruption including complete shutdown.


Technical talk has been made over the years on if / should,
and how, the DA's might be eliminated from the design.

If the DA system is thought to be weak to various threats and
attack models, or there's preference for a fully independent,
distributed, and autonomous live network... people might
want to review some of those talks, or draft design changes,
or new overlay networks, or implement ones that are
still in whitepaper form [waiting for a dev team].

The Anonbib is one good source for research reading, as
are the materials and communities of other overlay networks.

Note also that most things "who, where, threat models"
regarding the DA's also apply to all the relays. And
there is not necessarily any PKI WoT, comms, or in person
relations between any given whole or subset[s] of them.
Perhaps there should be, or not, or in part, and why / how...

And that such subject questions, and their many fine and
possible answers surely both here and before from many folks,
are not unique to Tor... all the open overlay networks exhibit
at least some similar elements.

The code and networks are still active so... ignoring unknown
conspirators, malactors, Sybils, GPA / GAA, [quantum]
cryptanalysis, parallel constructions, etc... perhaps things
in the space are thought good enough. Or not.

One should never rest, because your adversaries will not.

It's a big space, there's always room for new ideas,
[better] solutions to old, hard, and new threats,
incorporating new tools and strategies that didn't
exist before, etc.

Have fun :)