[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] proposal 240: Early signing key revocation for directory authorities.

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] proposal 240: Early signing key revocation for directory authorities.
From: Nick Mathewson <nickm@xxxxxxxxxxxx>
Date: Sun, 11 Jan 2015 13:24:03 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 11 Jan 2015 13:24:16 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=61WEsDtbxYEVMGHCcwShsNvOqR9oucVJn8lRMM5LCEQ=; b=u9MWnEDe5KycW0n2jKqg/1NpzX1amIsoJO0SYGw74OOiqu1t7lLfLHErBZ6a8YJ6lh efytY8tUnoaAnf/GVntDJsUjLeXv6Eav4t2JNmwHo9dKIh0CJ214iTMl30VeXnmVm/CK HF43V9Faqri6qcPFEPNcJdWvqJpZfZhofBjtwzdamdl5wTFzwdb2E8TdJKY/cZJEKVyz rkO9QWC6B4UWxqwTUHMXYHkIJW5fGCNiaSzHuxEeNosFmvoRNwY3iFPu59MgZUnE7yMC C7hYbCIrf0aAOD6LHhiZITVVBXxCFnLrOAxwHGiPq1XWTe0MiulbDmKrIhPRbGUIicKy dMQw==
In-reply-to: <20150111113325.GG30825@xxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuwc1PbvmH-WN0K22BMov0iFr+auH2AhwLtBjPFh5Zf56g@xxxxxxxxxxxxxx> <20150111113325.GG30825@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Sun, Jan 11, 2015 at 6:33 AM, Ian Goldberg <iang@xxxxxxxxxxxxxxx> wrote:
> On Sat, Jan 10, 2015 at 03:46:32PM -0500, Nick Mathewson wrote:
>> 5. Circular revocation
>>
>>    My first attempt at writing a proposal here included a lengthy
>>    section about how to handle cases where certificate A revokes the key
>>    of certificate B, and certificate B revokes the key of certificate A.
>>
>>    Instead, I am inclined to say that this is a MUST NOT.
>
> You still have to tell clients what to do if they see that situation.
>
> A little while back, agl and I were discussing X.509 revocation, and we
> came to the tentative conclusion that by allowing for the recovation of
> certificates that revoke other certificates, and multiple signatures on
> certificates, determining whether a certificate was valid could actually
> be formally incomputable in general.

Hm.  What do you think of Peter's idea for "newer revokes older" then?
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] proposal 240: Early signing key revocation for directory authorities.
  - From: Nick Mathewson
- Re: [tor-dev] proposal 240: Early signing key revocation for directory authorities.
  - From: Ian Goldberg

Prev by Author: Re: [tor-dev] proposal 240: Early signing key revocation for directory authorities.
Next by Author: Re: [tor-dev] lifespan of deprecated "ORListenAddress" configuration option
Previous by thread: Re: [tor-dev] proposal 240: Early signing key revocation for directory authorities.
Next by thread: [tor-dev] Request to reschedule ooni dev meeting to Tuesday 13th
Index(es):
- Author
- Thread