Re: [tor-bugs] #15774 [Tor]: Signed Fallback Directory File

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#15774: Signed Fallback Directory File
-----------------------------+--------------------------------
     Reporter:  teor         |      Owner:
         Type:  enhancement  |     Status:  needs_information
     Priority:  minor        |  Milestone:  Tor: 0.2.???
    Component:  Tor          |    Version:  Tor: 0.2.4.7-alpha
   Resolution:               |   Keywords:  lorax
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+--------------------------------
Changes (by teor):

 * cc: weasel, ioerror (added)
 * status:  new => needs_information


Old description:

> See
> https://lists.torproject.org/pipermail/tor-dev/2015-April/008682.html
> and #15642, in which I say:
>
>     The function which loads fallback directories currently loads from a
> string array inside the function, so it would need to be modified to load
> from a signed file. I support the security benefits of signed fallback
> directories enough to write client code and unit tests for it, but I'm
> not sure how the code for the authorities would work - is the proposal to
> sign a section of the consensus, and output it as a separate file?
>
>     If so, we would either need to backport, and/or wait until a majority
> of the authorities update to tor versions with the feature. And perhaps a
> majority of clients as well, controlled by a consensus parameter?
> (Otherwise, using any entry in the file itself would allow clients to
> effectively be partitioned from the rest of the network by their
> behaviour.)
>
>     While I'm making a list, do we need to modify the existing proposal
> which describes fallback directories?
>
>     Is this change proposed for 0.2.7?
>     Or all currently supported releases?
>
>     Do we need a new configuration option to give the location of the
> (signed) Fallback Directories file?
>     How should this interact with the existing FallbackDir option?
>     Cumulative?
>
> And nickm says:
>
>     I think making the file signed is a different ticket, and I don't
> really understand the threat model for it.
>
> Before we make this change, we need to understand how the threat model is
> different from, for example:
> * a package maintainer adding their own directory
> * a package maintainer removing the signature check code
> * a package maintainer replacing all the authorities

New description:

 See
 https://lists.torproject.org/pipermail/tor-dev/2015-April/008682.html
 and #15642, in which I say:

     The function which loads fallback directories currently loads from a
 string array inside the function, so it would need to be modified to load
 from a signed file. I support the security benefits of signed fallback
 directories enough to write client code and unit tests for it, but I'm not
 sure how the code for the authorities would work - is the proposal to sign
 a section of the consensus, and output it as a separate file?

     If so, we would either need to backport, and/or wait until a majority
 of the authorities update to tor versions with the feature. And perhaps a
 majority of clients as well, controlled by a consensus parameter?
 (Otherwise, using any entry in the file itself would allow clients to
 effectively be partitioned from the rest of the network by their
 behaviour.)

     While I'm making a list, do we need to modify the existing proposal
 which describes fallback directories?

     Is this change proposed for 0.2.7?
     Or all currently supported releases?

     Do we need a new configuration option to give the location of the
 (signed) Fallback Directories file?
     How should this interact with the existing FallbackDir option?
     Cumulative?

 And nickm says:

     I think making the file signed is a different ticket, and I don't
 really understand the threat model for it.

 Before we make this change, we need to understand how the threat model is
 different from, for example:
 * a package maintainer adding their own directory
 * a package maintainer removing the signature check code
 * a package maintainer replacing all the authorities

 Also:

 How can a signature be verified if the client is using the fallback
 directories? Doesn't this mean it can't access the directories themselves?
 So it has to trust the keys it gets from the directories on the not-yet-
 verified list?

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15774#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs