Re: [tor-dev] HS v3 client authorization types
- To: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-dev] HS v3 client authorization types
- From: Suphanat Chunhapanya <haxx.pop@xxxxxxxxx>
- Date: Thu, 10 May 2018 00:20:05 +0700
- In-reply-to: <871seljjqc.fsf@riseup.net>
- References: <2481d781-904c-c967-de69-db40060d9c9d@gmail.com> <86y3h8l621.fsf@atlantis.meejah.ca> <53B585EE-002B-4BD9-9878-C3BF8117825B@gmail.com> <830d964a-d1c8-3719-0787-3d42405dc645@gmail.com> <87efiukpjr.fsf@riseup.net> <871seljjqc.fsf@riseup.net>
On 05/09/2018 03:50 PM, George Kadianakis wrote:
> I thought about this some more and discussed it with haxxpop on IRC. In
> the end, I think that perhaps starting with just desc auth and then in
> the future implementing intro auth is also an acceptable plan forward.
I think we have two more things to think about.
1. I forgot to think about the format of client_authorized_pubkeys file.
In the client_authorized_pubkeys file, each line should indicate the
auth type for which the pubkey is used instead of just specifying the
client name and the pubkey. So the line should be as follows.
<client-name> <auth-type> <pubkey>
and, if auth-type is "standard", it will be equivalent to two lines of
"desc" and "intro".
2. If we want to release the "desc" auth first, I want to say something
about the config lines.
The "standard" auth config on the client side will not contain the
ed25519 private key and it will look like this:
HidServAuth onion-address standard x25519-private-key
However, after we release the intro auth, that config line (which does
not contain the ed25519 private key) should still be valid because, if
the client upgrades its version, it doesn't need to change the word
"standard" to the word "desc" in the HidServAuth config line.
On the service side, it will be different. After releasing "desc" auth
but before releasing "intro" auth, the line in client_authorized_pubkeys
will look like this (without ed25519 pubkey).
<client-name> standard x25519-public-key
But after we release the "intro" auth, that line shouldn't be valid
anymore because the "standard" line should contain both x25519 and
ed25519 public keys. It's different from the client side.
--
I think (1) may not have problems (I guess) but for (2) is it acceptable
to make ed25519-private-key optional on the HidServAuth "standard"
config line?
--
On 05/09/2018 03:50 PM, George Kadianakis wrote:
> b) We might also want to look into XEdDSA and see if we can potentially
> use the same keypair for both intro auth (ed25519) and desc auth
> (x25519).
This will be a great advantage if we can do that because putting two
private keys in the HidServAuth is so frustrating.
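The two line formats discussed above, as an added example that is not part of this message or of tor's code: a parser for the proposed client_authorized_pubkeys lines on the service side, with the version rule from point (2) (a one-key "standard" line is accepted only before intro auth ships), and a parser for the client-side HidServAuth line where the ed25519 private key stays optional. Keys are treated as opaque strings, so the sample key names are constructed placeholders; the comment and blank-line handling and the rejection of an "intro" line on a service that does not yet implement intro auth are assumptions.

```python
# Added illustration of the line formats proposed in this thread; not tor's
# own parser. Key material is an opaque string here, so every key name below
# is a constructed placeholder, not a real x25519/ed25519 key.
from dataclasses import dataclass
from typing import List, Tuple


class ClientAuthError(ValueError):
    """A line that is malformed or not valid in the modelled tor version."""


@dataclass(frozen=True)
class AuthEntry:
    client: str
    auth_type: str  # always "desc" or "intro" once "standard" is expanded
    pubkey: str


def parse_service_line(line: str, intro_auth_supported: bool) -> List[AuthEntry]:
    """Parse one service-side line:  <client-name> <auth-type> <pubkey...>

    "standard" expands to a "desc" entry plus an "intro" entry.  The flag
    models the rule in point (2): before intro auth ships, "standard" carries
    only the x25519 key; afterwards it must carry both keys and the old
    one-key form is rejected.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ClientAuthError(f"expected '<client-name> <auth-type> <pubkey>': {line!r}")
    client, auth_type, keys = fields[0], fields[1], fields[2:]

    if auth_type == "desc":
        if len(keys) != 1:
            raise ClientAuthError("desc auth takes exactly one x25519 public key")
        return [AuthEntry(client, "desc", keys[0])]

    if auth_type == "intro":
        if not intro_auth_supported:  # assumption: unknown to a pre-intro-auth service
            raise ClientAuthError("intro auth is not implemented in this version")
        if len(keys) != 1:
            raise ClientAuthError("intro auth takes exactly one ed25519 public key")
        return [AuthEntry(client, "intro", keys[0])]

    if auth_type == "standard":
        if not intro_auth_supported:
            if len(keys) != 1:
                raise ClientAuthError("before intro auth, 'standard' carries only the x25519 key")
            return [AuthEntry(client, "desc", keys[0])]
        if len(keys) != 2:
            raise ClientAuthError("'standard' must carry both x25519 and ed25519 public keys")
        return [AuthEntry(client, "desc", keys[0]), AuthEntry(client, "intro", keys[1])]

    raise ClientAuthError(f"unknown auth type {auth_type!r}")


def is_valid_service_line(line: str, intro_auth_supported: bool) -> bool:
    """Convenience check used to compare a line across the two versions."""
    try:
        parse_service_line(line, intro_auth_supported)
        return True
    except ClientAuthError:
        return False


def parse_service_file(text: str, intro_auth_supported: bool) -> Tuple[List[AuthEntry], List[str]]:
    """Parse a whole file, skipping blank and '#' lines (assumed); returns
    the accepted entries and one error string per rejected line."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.extend(parse_service_line(line, intro_auth_supported))
        except ClientAuthError as e:
            errors.append(f"line {lineno}: {e}")
    return entries, errors


def parse_hidservauth(line: str) -> dict:
    """Client side:  HidServAuth <onion-address> standard <x25519-priv> [<ed25519-priv>]

    The ed25519 private key is optional in both versions, so a config written
    before intro auth shipped keeps working after the client upgrades.
    """
    fields = line.split()
    if len(fields) < 4 or fields[0] != "HidServAuth":
        raise ClientAuthError(f"malformed HidServAuth line: {line!r}")
    onion, auth_type, keys = fields[1], fields[2], fields[3:]
    if auth_type != "standard" or len(keys) not in (1, 2):
        raise ClientAuthError("expected 'standard' with one or two private keys")
    return {"onion": onion, "x25519_private": keys[0],
            "ed25519_private": keys[1] if len(keys) == 2 else None}


# Constructed sample file: bob's line is the pre-intro-auth form, carol's the
# post-intro-auth form, so each version rejects exactly one of them.
SAMPLE_SERVICE_FILE = """\
# client  auth-type  pubkey(s)
alice desc X25519PUB_ALICE
bob standard X25519PUB_BOB
carol standard X25519PUB_CAROL ED25519PUB_CAROL
"""

if __name__ == "__main__":
    for supported in (False, True):
        entries, errors = parse_service_file(SAMPLE_SERVICE_FILE, supported)
        print(f"intro auth supported={supported}: {len(entries)} entries, errors={errors}")
    print(parse_hidservauth("HidServAuth abc.onion standard X25519PRIV_PLACEHOLDER"))
```

Running the file shows the asymmetry the message asks about: the same service-side "standard" line flips from accepted to rejected when intro auth support is switched on, while the client-side HidServAuth line parses the same way in both cases.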