Timing and size will get you very far, especially as smaller packets are used for TCP set up. This is a worry with good faith TOR servers and malicious upstreams, even with multiple hops. It's certainly doable for a single machine where you're directly watching its network card.
Sure, but I'm not proposing a mitigation for that. It doesn't have to be a silver bullet to be useful. I'm arguing that the ability to know that your peer is running some expected code is useful as an extra layer of security for some use cases.
But it's already generally accepted that RA is useful as an extra layer of security in many cases.
The problem is that this layer of "security" steps over the traditional demarcation point of the protocol, destroying the customary separation of authority. So examples of "good things" that could be done with it aren't particularly relevant to the larger discussion about the threat posed by its widespread adoption with manufacturer-escrowed keys.
If owners controlled their devices' keys, we could still have things like auditing organizations that enrolled the servers of VPN providers. So that you could verify a remote computer was running specific code, reliant on your trust in the auditor. But with the current design, those auditors are the device manufacturers themselves and the ability to inspect is applied universally across every device. This will inevitably be abused to make less powerful parties less secure and undermine their own interests. That is the problem.
