[tor-bugs] #20969 [Core Tor/DocTor]: Detect relays that don't update their onion keys every 7 days.
#20969: Detect relays that don't update their onion keys every 7 days.
---------------------------------+--------------------
Reporter: dgoulet | Owner: atagar
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Core Tor/DocTor | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
---------------------------------+--------------------
This is related to #20055 which would be an important thing to monitor for
the health and security of the network.
There are multiple things here that can be or should be checked.
The `onion-key` field is an RSA key (only used for the TAP handshake), so
DocTor will need to keep a persistent database of those over time.
The `ntor-onion-key` field can also be monitored, the same way as the RSA key.
If the `ntor-onion-key-crosscert` field is present, you'll get a timestamp
for free in the certificate which should have the `exp_field` set to the
last published time + 7 days.
In any case, a router SHOULD NOT have either a TAP or ntor onion key for
_more_ than 7 days, as this is hardcoded in Tor. If they do, it could be
another implementation, but finding them would be good so we can warn/ask
them to fix it. Or better, detect bugs in the tor implementation as well that
could keep those for a longer time.
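One way to do the persistent-database check described above, as an added example that is not part of the ticket or of DocTor's own code: keep, per (fingerprint, field), a digest of the key and the publish time at which that digest was first seen, and flag anything presented for more than 7 days. The fingerprints, key blobs and snapshot dates are constructed; since the database only knows when it first saw a key, the reported age is a lower bound.

```python
"""Flag relays whose TAP (onion-key) or ntor-onion-key has not changed in 7 days."""
import hashlib
from datetime import datetime, timedelta

MAX_KEY_AGE = timedelta(days=7)  # rotation interval hardcoded in Tor

def key_id(key_material: str) -> str:
    """Stable short identifier for a key blob, so the database stores digests, not keys."""
    return hashlib.sha256(key_material.encode()).hexdigest()[:16]

def record(db, fingerprint, field, key_material, published):
    """db maps (fingerprint, field) -> (key_id, first_seen); an unchanged key keeps
    its original first_seen, a new key_id resets it to this descriptor's publish time."""
    kid = key_id(key_material)
    entry = db.get((fingerprint, field))
    if entry is None or entry[0] != kid:
        db[(fingerprint, field)] = (kid, published)

def stale_keys(db, now, max_age=MAX_KEY_AGE):
    """Keys presented for longer than max_age as of `now`: [(fingerprint, field, age_days)]."""
    return sorted((fp, field, (now - first).days)
                  for (fp, field), (_, first) in db.items() if now - first > max_age)

# Constructed descriptor snapshots (hypothetical fingerprints and key blobs):
# relay AAAA rotates both keys after 5 days; relay BBBB never rotates.
T0 = datetime(2016, 12, 1)
SNAPSHOTS = [
    (T0, "AAAA", "rsa-A1", "ntor-A1"),
    (T0, "BBBB", "rsa-B1", "ntor-B1"),
    (T0 + timedelta(days=5), "AAAA", "rsa-A2", "ntor-A2"),
    (T0 + timedelta(days=5), "BBBB", "rsa-B1", "ntor-B1"),
    (T0 + timedelta(days=9), "AAAA", "rsa-A2", "ntor-A2"),
    (T0 + timedelta(days=9), "BBBB", "rsa-B1", "ntor-B1"),
]

def audit(days_since_t0, snapshots=SNAPSHOTS):
    """Replay all snapshots published up to the audit time, then report stale keys."""
    now = T0 + timedelta(days=days_since_t0)
    db = {}
    for published, fp, rsa_key, ntor_key in snapshots:
        if published <= now:
            record(db, fp, "onion-key", rsa_key, published)
            record(db, fp, "ntor-onion-key", ntor_key, published)
    return stale_keys(db, now)

if __name__ == "__main__":
    for fp, field, age in audit(9):
        print(f"{fp}: {field} unchanged for {age} days (>7)")
```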
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20969>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs