[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #11458 [Tor]: A newer signing cert should innoculate us against older ones?



#11458: A newer signing cert should innoculate us against older ones?
----------------------------+------------------------------------
 Reporter:  arma            |          Owner:
     Type:  enhancement     |         Status:  new
 Priority:  normal          |      Milestone:  Tor: 0.2.6.x-final
Component:  Tor             |        Version:
 Keywords:  needs-proposal  |  Actual Points:
Parent ID:                  |         Points:
----------------------------+------------------------------------
 Sometime in the past year or two somebody might have stolen 7 of the 9
 active directory signing keys. They don't expire for several months or
 more.

 If the existing directory authorities rotate to new signing keys, that
 doesn't really change the fact that older ones remain valid.

 If we change Tor to look at its cached-certs and refuse to believe in a
 signing key if it's convinced there's a newer one, then we can invalidate
 older ones by generating newer ones.

 That approach wouldn't protect users who are bootstrapping for the first
 time, but it would protect them if they'd already bootstrapped. Is this a
 worthwhile improvement?

 Note that we'd have to sort out edge cases like #11457 -- basically in
 this case it would mean that if you ever generate a signing key too far in
 the future and then also want to go back to an earlier one, you're fucked.
 But has anybody ever needed to do that?

 To tolerate rotation better, we'd want the logic to be something like the
 suggested fix in #11454: only disbelieve a cert if a) we have a newer one
 and b) the one we're disbelieving is sufficiently older than now.

 We could also think about shipping with a cached-certs file to keep
 raising the bar as users upgrade.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11458>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs