
Re: [tor-dev] adding smartcard support to Tor



Razvan Dragomirescu:
> Ivan, if I understand
> https://onionbalance.readthedocs.org/en/latest/design.html#next-generation-onion-services-prop-224-compatibility
> correctly, the setup I've planned will no longer work once Tor switches to
> the next generation hidden services architecture, is this correct? Will
> there be any backwards compatibility or will old hidden services simply
> stop working at that point?

No, actually the setup will work. But it will not work until the code
base (of the OB) is changed*. For now one can sign an arbitrary set of IPs
with their key (you can test it with e.g. Facebook HS) and this
descriptor will be valid [1].
Cross-certifications are just a mechanism of hardening this process. In
order to make the frontend descriptor valid, backend instances must "be
aware" of the frontend. So backend nodes are certifying the public key of
the frontend and then they can be included into a frontend descriptor.
[using OB terminology]

[*] Also there is still only RSA crypto in the OB.

[1] https://trac.torproject.org/projects/tor/ticket/15951
-- 
Ivan Markin
/"\
\ /       ASCII Ribbon Campaign
 X    against HTML email & Microsoft
/ \  attachments! http://arc.pasp.de/
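
The cross-certification rule described in the reply above, modelled in Go as an added example; it is not code from OnionBalance or Tor and does not follow the prop-224 descriptor format. The struct layout, the `certPrefix` tag, the `ip-1` label and the use of Ed25519 are assumptions made for illustration. A validator that only checks the frontend signature accepts any listed backend, while one that requires cross-certification rejects a backend that never signed the frontend key.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Simplified model, not the prop-224 wire format; every name here is hypothetical.
type IntroPoint struct {
	Addr       string            // constructed label for an introduction point
	BackendPub ed25519.PublicKey // key of the backend instance serving it
	CrossCert  []byte            // backend's signature over the frontend public key
}
type Descriptor struct {
	FrontendPub ed25519.PublicKey
	Points      []IntroPoint
	Sig         []byte // frontend's signature over body(d)
}
const certPrefix = "example-cross-cert:" // constructed domain-separation tag

func body(d *Descriptor) []byte {
	b := append([]byte{}, d.FrontendPub...)
	for _, p := range d.Points {
		b = append(b, fmt.Sprintf("%d:%s", len(p.Addr), p.Addr)...) // length-prefixed
		b = append(b, p.BackendPub...)
	}
	return b
}
// Certify is run by a backend that is aware of the frontend.
func Certify(backend ed25519.PrivateKey, frontendPub ed25519.PublicKey) []byte {
	return ed25519.Sign(backend, append([]byte(certPrefix), frontendPub...))
}

// Validate checks the frontend signature; requireCross also demands each backend's certification.
func Validate(d *Descriptor, requireCross bool) bool {
	msg := append([]byte(certPrefix), d.FrontendPub...)
	for _, p := range d.Points { // length checks: ed25519.Verify panics on a wrong-size key
		if requireCross && (len(p.BackendPub) != ed25519.PublicKeySize || !ed25519.Verify(p.BackendPub, msg, p.CrossCert)) {
			return false
		}
	}
	return len(d.FrontendPub) == ed25519.PublicKeySize && ed25519.Verify(d.FrontendPub, body(d), d.Sig)
}

func main() { // the frontend lists a backend that never certified it
	fPub, fPriv, _ := ed25519.GenerateKey(nil)
	bPub, _, _ := ed25519.GenerateKey(nil)
	d := &Descriptor{FrontendPub: fPub, Points: []IntroPoint{{Addr: "ip-1", BackendPub: bPub}}}
	d.Sig = ed25519.Sign(fPriv, body(d))
	fmt.Println(Validate(d, false), Validate(d, true)) // true false
}
```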


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev