[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #11457 [Tor]: Making a signing cert in the future will make everybody discard your real signing cert and then want it again



#11457: Making a signing cert in the future will make everybody discard your real
signing cert and then want it again
--------------------+------------------------------------
 Reporter:  arma    |          Owner:
     Type:  defect  |         Status:  new
 Priority:  normal  |      Milestone:  Tor: 0.2.6.x-final
Component:  Tor     |        Version:
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
--------------------+------------------------------------
 Run an authority, with a normal signing authority_certificate. Then move
 your date into the future (has to be more than one week in the future),
 and generate and use another signing cert. Relays, clients, and other
 directory authorities will smoothly upgrade to your new one, and (barring
 issues like #11454) throw out your old signing cert.

 Then throw out your shiny new one, and go back to the one you had been
 using. Other Tors (dir auths, relays, clients) will say "oh hey, a
 signature from a cert I don't recognize, let me fetch that". So far so
 good.

 Then 60 seconds later they'll discard this cert, because they know a newer
 one. Oops.

 But this is where is gets good. Your authority discards this older cert
 too. So do other authorities. And relays.

 And then everybody wants a copy and nobody has one, so every 60 seconds
 everybody asks the next layer up in the dir hierarchy. Everybody's logs
 are filled with
 {{{
 Apr 09 03:44:55.000 [warn] Received http status code 404 ("Not found")
 from server '127.0.0.1:3002' while fetching "/tor/keys/fp-sk
 /AD23D263206B997C73AF9B488322E91766748C2C-
 4335577168B0C0C22AC4A1A0707DD72F41CC8DA6".
 }}}
 each minute.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11457>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs