Re: [tor-dev] HS v3 client authorization types
- To: George Kadianakis <desnacked@xxxxxxxxxx>, tor-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-dev] HS v3 client authorization types
- From: Suphanat Chunhapanya <haxx.pop@xxxxxxxxx>
- Date: Thu, 17 May 2018 01:08:32 +0700
- In-reply-to: <87d0xy1qjr.fsf@riseup.net>
On 05/14/2018 05:26 PM, George Kadianakis wrote:
> Suphanat Chunhapanya <haxx.pop@xxxxxxxxx> writes:
>
>> On 05/09/2018 03:50 PM, George Kadianakis wrote:
>>> I thought about this some more and discussed it with haxxpop on IRC. In
>>> the end, I think that perhaps starting with just desc auth and then in
>>> the future implementing intro auth is also an acceptable plan forward.
>>
>> I think we have two more things to think about.
>>
>> 1. I forgot to think about the format of client_authorized_pubkeys file.
>> In the client_authorized_pubkeys file, each line should indicate the
>> auth type for which the pubkey is used instead of just specifying the
>> client name and the pubkey. So the line should be as follows.
>>
>> <client-name> <auth-type> <pubkey>
>>
>> and, if auth-type is "standard", it will be equivalent to two lines of
>> "desc" and "intro".
>>
>
> Sounds plausible.
>
> BTW, what's the role of `client_authorized_pubkeys` in your opinion? Is
> it only used by little-t-tor internally to see which clients are
> recognized or not? IIUC, the onion service operator should not really
> need to use it since it contains pubkeys.

The role of `client_authorized_pubkeys` is to keep all pubkeys of
clients so that we can use them to encrypt the descriptor when the
client auth is enabled.
To specify which clients are recognized, the operator must put the
client names in `HiddenServAuthorizeClient` directive. After that, the
service will use the names in `HiddenServAuthorizeClient` to search for
pubkeys in `client_authorized_pubkeys`. So, if there is a pubkey in
`client_authorized_pubkeys` whose client name is not in
`HiddenServAuthorizeClient`, that key will not be used.
I think the operator needs to use it because, in case the client wants
to generate a keypair itself, the operator needs to put the client's
pubkey in this file.
>
> BTW, I noticed that in v2, when we enable client auth, the onion service
> also edits the `hostname` file to produce different lines for each
> client, so that the operator can copy-paste them directly to the
> users. Do you find that useful? Do you think we should do it too for v3?

I think we did that because in stealth mode, the hostname will change
depending on the client. In v3, the hostname is always static, so I
think we don't have to do that.
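As an added illustration that is not tor's own code, here is a small parser for the `client_authorized_pubkeys` format proposed in this thread: each line is `<client-name> <auth-type> <pubkey>`, a "standard" line expands into a "desc" and an "intro" entry, and keys for clients not named in `HiddenServAuthorizeClient` are ignored. The sample file, the client list and the `PUBKEY_*` strings are constructed placeholders, not real keys.

```python
"""Parse the proposed client_authorized_pubkeys format and select the keys
that a service would actually use, given its HiddenServAuthorizeClient list."""
from typing import Dict, List, NamedTuple, Set

BASIC_AUTH_TYPES = {"desc", "intro"}


class AuthorizedKey(NamedTuple):
    client: str
    auth_type: str   # "desc" or "intro" (a "standard" line yields both)
    pubkey: str


def parse_authorized_pubkeys(text: str) -> List[AuthorizedKey]:
    """Return one entry per (client, auth-type); reject malformed or duplicate lines."""
    keys: List[AuthorizedKey] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # allow blank and comment lines
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<client-name> <auth-type> <pubkey>'")
        client, auth_type, pubkey = parts
        # "standard" is shorthand for both auth types with the same key.
        types = BASIC_AUTH_TYPES if auth_type == "standard" else {auth_type}
        if not types <= BASIC_AUTH_TYPES:
            raise ValueError(f"line {lineno}: unknown auth type {auth_type!r}")
        for t in sorted(types):
            if (client, t) in seen:   # two keys for one client/type is ambiguous
                raise ValueError(f"line {lineno}: duplicate {t} key for {client!r}")
            seen.add((client, t))
            keys.append(AuthorizedKey(client, t, pubkey))
    return keys


def select_keys(keys: List[AuthorizedKey], authorized: Set[str], auth_type: str) -> Dict[str, str]:
    """Keys of one auth type for clients listed in HiddenServAuthorizeClient only."""
    return {k.client: k.pubkey for k in keys
            if k.auth_type == auth_type and k.client in authorized}


# Constructed sample file (placeholder key strings, not real public keys).
SAMPLE_FILE = """\
# client-name auth-type pubkey
alice standard PUBKEY_ALICE
bob desc PUBKEY_BOB
carol intro PUBKEY_CAROL
dave standard PUBKEY_DAVE
"""
# Constructed HiddenServAuthorizeClient names; dave is deliberately left out.
AUTHORIZED_CLIENTS = {"alice", "bob", "carol"}


def keys_for(auth_type: str) -> Dict[str, str]:
    return select_keys(parse_authorized_pubkeys(SAMPLE_FILE), AUTHORIZED_CLIENTS, auth_type)
```

`keys_for("desc")` yields alice and bob only; dave's key is parsed but never used because dave is not an authorized client name.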
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev