Roger Dingledine: > Capturing the on-disk keys from a relay will let them impersonate the > relay in the future To limit possibility to impersonate a relay in the future, operators can run in OfflineMasterKey mode with a short SigningKeyLifetime (i.e. 5 days) and push key material via SSH to the relay. This will limit the ability of an attacker to impersonate the relays to 5 days in the worst case, iff the attacker does not also compromise the host storing the Ed25519 master keys. And if you actually want to do it: ansible-relayor does it by default (with 30 days SigningKeyLifetime). -- https://mastodon.social/@nusenu twitter: @nusenu_
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays