[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #20969 [Core Tor/DocTor]: Detect relays that don't update their onion keys every 7 days.



#20969: Detect relays that don't update their onion keys every 7 days.
---------------------------------+--------------------
     Reporter:  dgoulet          |      Owner:  atagar
         Type:  enhancement      |     Status:  new
     Priority:  Medium           |  Milestone:
    Component:  Core Tor/DocTor  |    Version:
     Severity:  Normal           |   Keywords:
Actual Points:                   |  Parent ID:
       Points:                   |   Reviewer:
      Sponsor:                   |
---------------------------------+--------------------
 This is related to #20055 which would be an important thing to monitor for
 the health and security of the network.

 There are multiple things here that can be or should be checked.

 The `onion-key` field is an RSA key so DocTor will need to keep a
 persistent database of those over time (only used for TAP handshake).

 The `ntor-onion-key` field also can be monitored the same as the RSA key.

 If the `ntor-onion-key-crosscert` field is present, you'll get a timestamp
 for free in the certificate which should have the `exp_field` set to the
 last published time + 7 days.

 In any case, a router SHOULD NOT have either a TAP or ntor onion key
 _more_ than 7 days as this is hardcoded in Tor. If they do, it could be
 another implementation but finding them would be good so we can warn/ask
 them to fix. Or better, detect bugs as well on tor implementation that
 could keep those for a longer time.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20969>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs