Hi everyone! We are soon at the stage of implementing the service part of proposal 224 (next gen. hidden service.). Parent ticket is #20657 but I'll be discussing here ticket #18054. In a nutshell, we need to figure out the interface for the torrc file[1]. We currently have some options to configure an hidden service and the question is now how do we proceed on using those for next version? Instead of listing all options and going in an endless loop of possibilities, I'll outline what we've discussed so far between some of us. In the following, "v2" is current hidden service and "v3" is the next generation detailed in prop224. 1) Once v3 is released, from that point on _no_ v2 service will be allowed to be created by "tor" itself. It will always be possible to do it by hand by creating an RSA key and putting it in the service directory (see 3 below). The reasoning for this is that we really want to phase out as quickly as possible the v2 protocol for privacy and security reasons. 2) All the current torrc options will be kept for v3 as they all apply in terms of format. (One exception might be the client authorization.) 3) When tor is loading config for a service: if a v2 key is found that is an RSA key, we treat that service as v2, print a deprecation warning and continue. if a v3 key is found, use v3, all is good. if no key is found, consider a new service and generate v3 (ties to 1 above). 4) Over time, extra option might appear and they will be ONLY for v3 unless for force majeur security madness. One of those options that we want to add is this one as offline key will be a reality with v3: "HiddenServiceOfflineKey 1" It will indicate tor to _not_ generate the master identity key and will require the user to put the public key in the HiddenServiceDir. Note that with all of the above it will be possible to have one of your application on both v2 and v3 address. Here is a snippet as an example: # v2 HiddenServiceDir /srv/hs/v2 HiddenServicePort 80 localhost:80 # v3 HiddenServiceDir /srv/hs/v3 HiddenServicePort 80 localhost:80 The important part here is the different directories but the port points to the same place. Ok here it is. Please comment, improve, or propose! :) Cheers! David [1] https://www.torproject.org/docs/tor-manual.html.en (see HIDDEN SERVICE OPTIONS)
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev