Re: [tor-dev] HS v3 client authorization types
- To: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-dev] HS v3 client authorization types
- From: Suphanat Chunhapanya <haxx.pop@xxxxxxxxx>
- Date: Mon, 30 Apr 2018 17:08:37 +0700
- In-reply-to: <53B585EE-002B-4BD9-9878-C3BF8117825B@gmail.com>
- List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
- List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
- List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
- List-post: <mailto:tor-dev@lists.torproject.org>
- List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
- List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
- Openpgp: preference=signencrypt
- References: <2481d781-904c-c967-de69-db40060d9c9d@gmail.com> <86y3h8l621.fsf@atlantis.meejah.ca> <53B585EE-002B-4BD9-9878-C3BF8117825B@gmail.com>
- Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
Hi,
On 04/28/2018 06:19 AM, teor wrote:
>> Or should we require the service to enable both for all clients?
>>
>> If you want to let the service be able to enable one while disable the
>> other, do you have any opinion on how to configure the torrc?
>
> If someone doesn't understand client auth in detail, and just wants
> to be more secure, we should give them a single option that enables
> both kinds of client auth. (Security by default.)
>
> OnionServiceClientAuthentication 1
> (Default: 0)
>
> If someone knows they only want a particular client auth method,
> we should give them another option that contains a list of active
> client auth methods. (Describe what you have, not what you don't
> have, because negatives confuse humans.)
>
> OnionServiceClientAuthenticationMethods intro
> (Default: descriptor, intro)
Do you have any opinion on specifying the client names in your
recommendation? And the list of client names in "descriptor" and "intro"
should be independent.
However, what I am currently thinking of is that we can use the existing
format.
HiddenServiceAuthorizeClient auth-type client-name,client-name,...
But instead of allowing only two auth-types "descriptor" and "intro", we
allow another type called "default" which includes both "descriptor" and
"intro".
So if I put an option:
HiddenServiceAuthorizeClient default client-name,client-name,...
It will be equivalent to two lines of:
HiddenServiceAuthorizeClient descriptor client-name,client-name,...
HiddenServiceAuthorizeClient intro client-name,client-name,...
And on the client side, if I put an option:
HidServAuth onion-address default x25519-private-key ed25519-private-key
It will be equivalent to two lines of:
HidServAuth onion-address descriptor x25519-private-key
HidServAuth onion-address intro ed25519-private-key
What do you all think?
Cheers,
haxxpop
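The expansion the message proposes, written out as a small torrc normalizer. This is an added example for this archive page, not Tor code and not the author's; it only encodes the rule stated above: a service-side `default` line stands for one `descriptor` and one `intro` line with the same client list, and a client-side `default` line carries the x25519 key (for `descriptor`) followed by the ed25519 key (for `intro`), in the order the message shows. The option names are taken from the message; the sample torrc lines, onion address and key strings are constructed placeholders.

```python
"""Expand the proposed 'default' HS v3 client-auth type into its two real types.

Added example, not Tor code. Rule taken from the tor-dev message above:
  HiddenServiceAuthorizeClient default <clients>   -> descriptor + intro lines
  HidServAuth <onion> default <x25519> <ed25519>    -> descriptor(x25519) + intro(ed25519)
"""
from typing import Dict, List, Set

SERVICE_OPTION = "HiddenServiceAuthorizeClient"
CLIENT_OPTION = "HidServAuth"
REAL_AUTH_TYPES = ("descriptor", "intro")
DEFAULT_AUTH_TYPE = "default"  # proposed shorthand for both real types


def expand_service_line(line: str) -> List[str]:
    """HiddenServiceAuthorizeClient auth-type client-name,client-name,..."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != SERVICE_OPTION:
        raise ValueError(f"malformed {SERVICE_OPTION} line: {line!r}")
    _, auth_type, clients = parts
    if auth_type in REAL_AUTH_TYPES:
        return [f"{SERVICE_OPTION} {auth_type} {clients}"]
    if auth_type == DEFAULT_AUTH_TYPE:
        # Same client list is granted both auth types.
        return [f"{SERVICE_OPTION} {t} {clients}" for t in REAL_AUTH_TYPES]
    raise ValueError(f"unknown auth-type {auth_type!r} in {line!r}")


def expand_client_line(line: str) -> List[str]:
    """HidServAuth onion-address auth-type key [key]

    'descriptor' takes one x25519 private key, 'intro' one ed25519 private
    key, 'default' takes both (x25519 first, then ed25519).
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != CLIENT_OPTION:
        raise ValueError(f"malformed {CLIENT_OPTION} line: {line!r}")
    _, onion, auth_type, *keys = parts
    if auth_type in REAL_AUTH_TYPES:
        if len(keys) != 1:
            raise ValueError(f"{auth_type!r} takes exactly one key: {line!r}")
        return [f"{CLIENT_OPTION} {onion} {auth_type} {keys[0]}"]
    if auth_type == DEFAULT_AUTH_TYPE:
        if len(keys) != 2:
            raise ValueError(f"'default' takes x25519 then ed25519 key: {line!r}")
        x25519_key, ed25519_key = keys
        return [
            f"{CLIENT_OPTION} {onion} descriptor {x25519_key}",
            f"{CLIENT_OPTION} {onion} intro {ed25519_key}",
        ]
    raise ValueError(f"unknown auth-type {auth_type!r} in {line!r}")


def expand_torrc(text: str) -> List[str]:
    """Rewrite a torrc so that no 'default' auth-type lines remain.

    Comments, blank lines and unrelated options pass through untouched.
    """
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)
            continue
        option = line.split()[0]
        if option == SERVICE_OPTION:
            out.extend(expand_service_line(line))
        elif option == CLIENT_OPTION:
            out.extend(expand_client_line(line))
        else:
            out.append(raw)
    return out


def service_clients_by_type(lines: List[str]) -> Dict[str, Set[str]]:
    """Which client names end up authorized for each real auth type.

    The two sets are independent: a client may be listed for 'intro' only.
    """
    result: Dict[str, Set[str]] = {t: set() for t in REAL_AUTH_TYPES}
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == SERVICE_OPTION:
            result[parts[1]].update(parts[2].split(","))
    return result


# Constructed sample configs; the address and key strings are placeholders.
SAMPLE_SERVICE_TORRC = """\
# constructed sample service torrc
HiddenServiceDir /var/lib/tor/hs_example
HiddenServiceAuthorizeClient default alice,bob
HiddenServiceAuthorizeClient intro carol
"""

SAMPLE_CLIENT_TORRC = """\
# constructed sample client torrc; keys are placeholders, not key material
HidServAuth exampleaddress.onion default X25519_PRIVKEY_PLACEHOLDER ED25519_PRIVKEY_PLACEHOLDER
"""

if __name__ == "__main__":
    for expanded in expand_torrc(SAMPLE_SERVICE_TORRC) + expand_torrc(SAMPLE_CLIENT_TORRC):
        print(expanded)
    print(service_clients_by_type(expand_torrc(SAMPLE_SERVICE_TORRC)))
```

Running it shows `alice` and `bob` authorized for both types while `carol` is authorized for `intro` only, which is the independence of the two client lists that the message asks about.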
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev