[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-dev] [tor-assistants] Python metrics-lib
On 5/8/12 4:47 AM, Robert Ransom wrote:
> On 5/8/12, Beck Chen <csybeck@xxxxxxxxx> wrote:
>
>> According to the outline, the long-term identity key should be different
>> from the
>> signing key, which changes every 3-12 months. Then why should the signing
>> key
>> become the identity key in the descriptor format, and fingerprint become
>> the hash
>> of the identity key?
>
> The ârelay identity keyâ is not the same as the âauthority identity
> keyâ. The ârelay identity keyâ might also be different from the
> âdirectory signing keyâ; I'm not sure about that.
Relay identity key and directory signing key are indeed different.
Think of the authority identity key and directory signing key as a
different layer on top of stuff that all relays do. When a relay
becomes a directory authority, the operator creates an offline authority
identity key and uses it to create an online directory signing key.
When the directory signing key expires, which usually happens once per
year, the operator creates a new one using the authority identity key
and uploads it. The relay identity key and authority identity key
usually stay the same for a long time.
For example, here are the long-term keys for gabelmoo (from
src/or/config.c):
"gabelmoo orport=443 no-v2 "
"v3ident=ED03BB616EB2F60BEC80151114BB25CEF515B226 "
"212.112.245.170:80 F204 4413 DAC2 E02E 3D6B CF47 35A1 9BCA 1DE9 7281",
The ED03... part is the hash of the authority identity key, the F204...
part is the relay identity. The directory signing key is not
hard-coded. You can find all directory signing keys here:
https://metrics.torproject.org/data/certs.tar.bz2
Best,
Karsten
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev