[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal 230: How to change RSA1024 relay identity keys

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposal 230: How to change RSA1024 relay identity keys
From: Ian Goldberg <iang@xxxxxxxxxxxxxxx>
Date: Tue, 15 Apr 2014 14:30:22 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 15 Apr 2014 14:31:21 -0400
In-reply-to: <CA+CHzS-8jguoWeqOyjg48UG=6qPnmRu7dbrwzNn6k5u-0SMsyw@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuwnScLfwTpkoJdYFNyCAy2o3WUbg_mrxzDLKkrdk_6wWg@xxxxxxxxxxxxxx> <CA+CHzS-8jguoWeqOyjg48UG=6qPnmRu7dbrwzNn6k5u-0SMsyw@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.21 (2010-09-15)

On Tue, Apr 08, 2014 at 02:15:12PM -0500, Nicholas Hopper wrote:
> > 4. Interface
> >
> >    To use this feature, a router should rename its secret_id_key
> >    file to secret_id_key_OLD.  The first time that Tor starts and
> >    finds a secret_id_key_OLD file, it generates a new ID key if one
> >    is not present, and generates the text of the old-rsa-1024-id-key
> >    and old-rsa1024-id-migration fields above.  It stores them in a
> >    new "old_id_key_migration" file, and deletes the
> >    secret_id_key_OLD file.  It includes them in its desecriptors.
> 
> I guess it's possible a relay operator could shoot themselves in the
> foot here by causing some inconsistent state between these three
> files.  I guess at worst, though, this should again be a case where
> the window of vulnerability is small, so very few (or possibly no)
> relays would lose their history this way.

I'm a little wary of having the tor binary perform an irrevocable
operation like deleting the old key file.  Maybe have it rename it?  Or
only delete the file once the migration has appeared (and the signatures
verified) in a consensus or five?

   - Ian
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Proposal 230: How to change RSA1024 relay identity keys
  - From: Nick Mathewson
- Re: [tor-dev] Proposal 230: How to change RSA1024 relay identity keys
  - From: Nicholas Hopper

Prev by Author: Re: [tor-dev] Moving ownership to TheTorProject
Next by Author: Re: [tor-dev] GSoC: Implement consensus diffs
Previous by thread: Re: [tor-dev] Proposal 230: How to change RSA1024 relay identity keys
Next by thread: [tor-dev] Proposal 231: Migrating authority RSA1024 identity keys
Index(es):
- Author
- Thread