[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Revoking a hidden service key

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Revoking a hidden service key
From: Adrien Johnson <adrienj@xxxxxxxxxxx>
Date: Mon, 02 Mar 2015 19:56:39 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 02 Mar 2015 20:04:05 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0

Hello all,

If a hidden service operator becomes aware their hidden service privatekey has been compromised, for instance if hidden service descriptorssigned with their private key are published that they did not createthemselves, there should be a way for the hidden service operator torevoke trust in the key and prevent attackers from hijacking traffic totheir .onion domain. I have read the current directory spec, and thecurrent and proposed Rendezvous spec, but I cannot find any support forthis.

Is hidden service revocation like that possible in the current design,or have I overlooked something?

If it is not currently possible, I suggest it could be implemented as ahidden service descriptor listing zero introductory points, and having aspecial timestamp value which should never appear in ordinary usage,1970-1-1 for instance. Hidden Service Directories upon receiving such a'revocation' descriptor should immediately discard any other descriptorsfor that hidden service and should refuse to accept any furtherdescriptors for that service. Hidden service directories should retainsuch a descriptor indefinitely.

The existence of such a revocation mechanism would strengthen the ideaof "controlling" a hidden service or .onion domain. Up until now all ahidden service owner could do to prove they control a hidden service wassign something to show they had the key. If this revocation mechanismexisted, they would also be able to show strong evidence that they arethe only one that possesses that key.

Does this sound like a useful feature? Does my suggested implantationhold water? Any comments appreciated.

-Adrien Johnson
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Revoking a hidden service key
  - From: michael ball

Prev by Author: Re: [tor-talk] Protest Blocking Tor via CloudFlare
Next by Author: Re: [tor-talk] Revoking a hidden service key
Previous by thread: Re: [tor-talk] Fixing the problem of sending email from Tor: Proof of Work based system
Next by thread: Re: [tor-talk] Revoking a hidden service key
Index(es):
- Author
- Thread