[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
From: nusenu <nusenu@xxxxxxxxxxxxxxx>
Date: Sat, 28 Nov 2015 12:26:55 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 28 Nov 2015 07:27:26 -0500
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org; s=openmailbox; t=1448713633; bh=FQcZjNxKx2PnGKl3fYBX89KAhaWjHhEsufKJHvfBSZ0=; h=Subject:To:References:From:Date:In-Reply-To:From; b=d8Su44fFgaN/VMNw+wOGjEtezZFilaxDlGyFhJE/M1knYutsptwkUmz+oh/IfaXWN uyIg7sIIsbDrJYjsxwtNKcETgBQPfdZiHMsYq2gOzv5LPQEhz/M7SlyrUdSSCW1uJz 3OtZRSjBI55LEWdWW2Er7ZBt+cV5UzIEv11OaMLY=
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org; s=openmailbox; t=1448713623; bh=FQcZjNxKx2PnGKl3fYBX89KAhaWjHhEsufKJHvfBSZ0=; h=Subject:To:References:From:Date:In-Reply-To:From; b=lrtkMGYoj2GkTAzOp7tlxF7aRq1dvyW24tjnoFUxG1NyQuhl1OvRyHULCxdB8XBCB GPHn2Z+DOhsGdphoh3Pr2QJ8zj1IMEZmhyuNYv7SDhoxi72EqgwzEu43SK9o8QxY6b 2nZCS9kL7bB/zk1/S8YNc2Uaf9Ce+Ixs0OEMJDOs=
In-reply-to: <565997A0.5060607@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <56599494.2040107@xxxxxxxxxxxxxxx> <565997A0.5060607@xxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

> I think [2] is the wrong link? There's nothing about this in there.

thanks for pointing that out, correct URL:
https://trac.torproject.org/projects/tor/ticket/17603


> I think this is expected and correct behavior.
> 
> If medium term signing key exists, and is sufficiently valid in the
> future for Tor, it won't try to automatically renew them.
> It will use the new SigningKeyLifetime value for the NEW keys, once
> the ones it already has are _about_ to expire and Tor _wants_ to
> generate new medium term signing key.

The important info for me here is: How is "about to expire" defined?
x days before expiry or
80% of its lifetime is over?
Can it be configured?


> If you already have medium term signing key valid 30 days in the
> future you can't replace it using the automated key generator in Tor
> (no manual --keygen).
> 
> I think it should stay like this. If you want to change the lifetime
> of the medium term signing key with --orport, do a rm -rf
> ed25519_signing_* before that command.
> 
> P.S. also if they master id key is not encrypted you can use --keygen
> in a non-interactive way afaik.

yes that is correct. So for the workaround of the workaround I will
simply invoke tor twice.
First time without --keygen for key generation,
then with --keygen for signing key renewal.

thanks for the quick reply.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
  - From: s7r

References:
- [tor-dev] tor ignores --SigningKeyLifetime when keys exist
  - From: nusenu
- Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
  - From: s7r

Prev by Author: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
Next by Author: [tor-dev] does renewing ed25519 signing key hurt if done to often?
Previous by thread: Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
Next by thread: Re: [tor-dev] tor ignores --SigningKeyLifetime when keys exist
Index(es):
- Author
- Thread