It's not so simple; some external mechanism needs to prevent Sybil attacks, otherwise I spin up tons of 'servers' and do nasty things.
The number of servers doesn't matter. What matters is the number of keys you have that other people have chosen to trust.
Hm. Maybe I should call Ripple's general class of consensus algorithm "Crony Consensus".
We have a lot of ideas for how to manage this. But we won't get to decide. We can put forth our solution and people will be free to use it or not. Over time, this will probably need to evolve.
We have several different ideas. Here are three of them:
1) Domains can publish lists of validators at a known URL. You can choose domains to trust. You periodically refresh the list of validators and extend trust based on how many such lists a key appears on. (This is essentially the current model.)
2) When you browse the web, your client could check for domains you were visiting that offer validator lists and then you could click to add their published list of validators to your own.
3) People who use the Ripple system, such as major gateways, could run validators and publish lists of validators (including their own) that they assert are not under common administration.
You genuinely want to find as many validators as you can that are not under common administration. You want to do whatever you can to avoid "cronies". The only failure mode is if you wind up trusting a bunch of conspirators.
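A minimal sketch of idea 1 from the post above (trust extended by how many trusted domains' lists a key appears on), added here as an illustration; it is not Ripple's code and not part of the original posts. The domain names, key strings, function name and `min_lists` threshold are constructed assumptions.

```python
from collections import Counter

def build_trusted_set(published, trusted_domains, min_lists):
    """Return validator keys that appear on at least `min_lists` of the
    lists published by domains the user has chosen to trust."""
    counts = Counter()
    for domain in trusted_domains:
        # One vote per domain per key: repeating a key inside a single
        # list, or publishing thousands of keys, earns no extra weight.
        for key in set(published.get(domain, ())):
            counts[key] += 1
    return {key for key, n in counts.items() if n >= min_lists}

# Constructed sample data: three independent gateways and one operator
# who has spun up 1000 validator keys under a single domain.
PUBLISHED = {
    "gateway-a.example": ["nA1", "nB1", "nC1"],
    "gateway-b.example": ["nA1", "nB1", "nD1"],
    "gateway-c.example": ["nB1", "nC1", "nD1"],
    "sybil.example": [f"nSybil{i}" for i in range(1000)],
}
GATEWAYS = ["gateway-a.example", "gateway-b.example", "gateway-c.example"]

if __name__ == "__main__":
    # Keys need two independent endorsements; the 1000 keys have none.
    print(sorted(build_trusted_set(PUBLISHED, GATEWAYS, 2)))
    # Even if the user trusts sybil.example, each of its keys is on one list.
    print(len(build_trusted_set(PUBLISHED, GATEWAYS + ["sybil.example"], 2)))
    # The failure mode: accepting any single list lets one operator dominate.
    print(len(build_trusted_set(PUBLISHED, GATEWAYS + ["sybil.example"], 1)))
```

The count of keys an operator generates never enters the result; only the number of trusted lists endorsing each key does, which is why the remaining risk is trusting list publishers who are under common administration.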