
Re: [tor-dev] HS v3 client authorization types



Hi,

On 04/28/2018 06:19 AM, teor wrote:
>> Or should we require the service to enable both for all clients?
>>
>> If you want to let the service be able to enable one while disable the
>> other, do you have any opinion on how to configure the torrc?
> 
> If someone doesn't understand client auth in detail, and just wants
> to be more secure, we should give them a single option that enables
> both kinds of client auth. (Security by default.)
> 
> OnionServiceClientAuthentication 1
> (Default: 0)
> 
> If someone knows they only want a particular client auth method,
> we should give them another option that contains a list of active
> client auth methods. (Describe what you have, not what you don't
> have, because negatives confuse humans.)
> 
> OnionServiceClientAuthenticationMethods intro
> (Default: descriptor, intro)


Do you have any opinion on specifying the client names in your
recommendation? And the lists of client names in "descriptor" and "intro"
should be independent.

However, what I am currently thinking of is that we can use the existing
format.

HiddenServiceAuthorizeClient auth-type client-name,client-name,...

But instead of allowing only two auth-types "descriptor" and "intro", we
allow another type called "default" which includes both "descriptor" and
"intro"

So if I put an option:
HiddenServiceAuthorizeClient default client-name,client-name,...

It will be equivalent to two lines of:
HiddenServiceAuthorizeClient descriptor client-name,client-name,...
HiddenServiceAuthorizeClient intro client-name,client-name,...

And on the client side, if I put an option:
HidServAuth onion-address default x25519-private-key ed25519-private-key

It will be equivalent to two lines of:
HidServAuth onion-address descriptor x25519-private-key
HidServAuth onion-address intro ed25519-private-key


What do you all think?

Cheers,
haxxpop
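The expansion described in the message above, as an added example that is not part of the original post and not tor's own torrc parser: it reads the proposed HiddenServiceAuthorizeClient and HidServAuth line formats, expands the proposed "default" auth-type into its "descriptor" and "intro" equivalents, keeps the two client lists independent on the service side, and checks that a "default" line and its two explicit lines produce the same configuration. The line formats are the proposal's, not necessarily what tor implements; the client names, onion address and key strings are constructed placeholders.

```python
# Added example for the torrc formats proposed in the message above.
# Not tor's own config parser; the line formats are the proposal's,
# not necessarily a format tor implements.
from typing import Dict, List, Set, Tuple

AUTH_TYPES = ("descriptor", "intro")  # the two concrete client-auth types


def expand_service_line(line: str) -> List[Tuple[str, Tuple[str, ...]]]:
    """Parse 'HiddenServiceAuthorizeClient auth-type name,name,...'.

    Returns one (auth-type, client-names) pair per concrete auth type.
    'default' is sugar for a 'descriptor' line plus an 'intro' line
    carrying the same client names.
    """
    parts = line.split()
    if len(parts) != 3 or parts[0] != "HiddenServiceAuthorizeClient":
        raise ValueError("malformed service line: %r" % line)
    auth_type, name_list = parts[1], parts[2]
    clients = tuple(n for n in name_list.split(",") if n)
    if not clients:
        raise ValueError("no client names in: %r" % line)
    if auth_type == "default":
        return [(t, clients) for t in AUTH_TYPES]
    if auth_type not in AUTH_TYPES:
        raise ValueError("unknown auth type %r" % auth_type)
    return [(auth_type, clients)]


def service_auth_config(torrc: str) -> Dict[str, Set[str]]:
    """Merge all service-side lines into one client set per auth type.

    The descriptor and intro sets stay independent: a name authorised
    for one type is not implicitly authorised for the other.
    """
    allowed: Dict[str, Set[str]] = {t: set() for t in AUTH_TYPES}
    for raw in torrc.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for auth_type, clients in expand_service_line(line):
            allowed[auth_type].update(clients)
    return allowed


def expand_client_line(line: str) -> List[Tuple[str, str, str]]:
    """Parse 'HidServAuth onion-address auth-type key [key]'.

    'descriptor' takes one x25519 private key, 'intro' one ed25519
    private key, and 'default' takes both (x25519 first, then ed25519)
    and expands into the two single-type entries (onion, type, key).
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "HidServAuth":
        raise ValueError("malformed client line: %r" % line)
    onion, auth_type, keys = parts[1], parts[2], parts[3:]
    if auth_type == "default":
        if len(keys) != 2:
            raise ValueError("'default' needs an x25519 and an ed25519 key")
        return [(onion, "descriptor", keys[0]), (onion, "intro", keys[1])]
    if auth_type not in AUTH_TYPES or len(keys) != 1:
        raise ValueError("malformed client line: %r" % line)
    return [(onion, auth_type, keys[0])]


def client_auth_config(torrc: str) -> Dict[Tuple[str, str], str]:
    """Map (onion-address, auth-type) to the private key to use.

    Two lines giving different keys for the same onion and type are
    rejected instead of silently letting the last one win.
    """
    keys: Dict[Tuple[str, str], str] = {}
    for raw in torrc.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for onion, auth_type, key in expand_client_line(line):
            slot = (onion, auth_type)
            if slot in keys and keys[slot] != key:
                raise ValueError("conflicting %s key for %s" % (auth_type, onion))
            keys[slot] = key
    return keys


# Constructed sample fragments: placeholder names, address and key strings.
SERVICE_TORRC_DEFAULT = """
HiddenServiceAuthorizeClient default alice,bob
HiddenServiceAuthorizeClient intro carol
"""
SERVICE_TORRC_EXPLICIT = """
HiddenServiceAuthorizeClient descriptor alice,bob
HiddenServiceAuthorizeClient intro alice,bob
HiddenServiceAuthorizeClient intro carol
"""
CLIENT_TORRC_DEFAULT = (
    "HidServAuth example.onion default X25519_PRIVKEY_PLACEHOLDER ED25519_PRIVKEY_PLACEHOLDER"
)
CLIENT_TORRC_EXPLICIT = """
HidServAuth example.onion descriptor X25519_PRIVKEY_PLACEHOLDER
HidServAuth example.onion intro ED25519_PRIVKEY_PLACEHOLDER
"""

if __name__ == "__main__":
    # A 'default' line must be indistinguishable from its two explicit lines.
    assert service_auth_config(SERVICE_TORRC_DEFAULT) == service_auth_config(SERVICE_TORRC_EXPLICIT)
    assert client_auth_config(CLIENT_TORRC_DEFAULT) == client_auth_config(CLIENT_TORRC_EXPLICIT)
    print(service_auth_config(SERVICE_TORRC_DEFAULT))
    print(client_auth_config(CLIENT_TORRC_DEFAULT))
```

Running the block shows carol ending up only in the intro set while alice and bob appear in both, which is the independence the message asks for, and shows the single "default" HidServAuth line yielding exactly the descriptor and intro entries the two explicit lines would.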


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev