[tor-bugs] #17349 [Tor]: Create an ed25519 shared randomness key for dirauths

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 14 23:13:51 UTC 2015


#17349: Create an ed25519 shared randomness key for dirauths
--------------------+------------------------------------
 Reporter:  asn     |          Owner:
     Type:  defect  |         Status:  new
 Priority:  Medium  |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor     |        Version:
 Severity:  Normal  |     Resolution:
 Keywords:          |  Actual Points:
Parent ID:  #16943  |         Points:
  Sponsor:          |
--------------------+------------------------------------
Changes (by s7r):

 * cc: s7r (added)


Comment:

 To keep symmetry, the lifetime of the SR key will be equal to the lifetime
 of the medium-term signing key. This would mean 30 days by default, unless
 otherwise configured by SigningKeyLifetime in torrc on the directory
 authority side.

 In order not to confuse directory authority operators with a lot of keys
 and subkeys, I recommend that the SR ed25519 key only be generated
 automatically by Tor if/when started as a directory authority, and only be
 chained to the medium-term signing key with exactly the same validity
 period. The SR key shouldn't be linked directly with the ed25519 master id
 key, which can be kept offline; instead it'll be chained via an
 intermediary certificate. It would be nice if we could append this second
 intermediate certificate to the already existing file 'ed25519_signing_cert'
 so we have a single certificate file in our keys folder.

 Manually calling '--keygen' shouldn't generate an SR key; this way we keep
 it simpler and don't have to add more commands for directory authorities,
 and at the same time eliminate the possibility of accidentally generating
 useless SR keys on normal, non-directory-authority relays.

 The ed25519 master identity keys of directory authorities could be
 included in the consensus - this could come in handy when/if we want to get
 rid of RSA ultimately (we plan to remove RSA1024, but directory authorities'
 master identity RSA keys are > 1024 so they'll stick around with us for a
 longer time for now).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17349#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
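The key hierarchy proposed in the comment above (offline ed25519 master identity key certifies a medium-term signing key; the signing key, not the master key, certifies the SR key; both certificates carry exactly the same validity period), worked through as an added example. This is illustrative Go using the standard library's crypto/ed25519, not Tor's code or Tor's cert-spec.txt certificate format: the Cert encoding (purpose || expiry || subject key), the purpose numbers, and the function names Setup, VerifySRChain, SignSR and VerifySR are assumptions made for this example. The verifier enforces the two properties the proposal relies on: the SR certificate must verify under the signing key rather than the master key, and its expiry must equal the signing certificate's expiry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Certificate purposes. Hypothetical numbering for this example only.
const (
	PurposeSigning byte = 1 // medium-term signing key, certified by the master id key
	PurposeSR      byte = 2 // shared-randomness key, certified by the signing key
)

// Cert is a simplified, illustrative certificate (not Tor's cert-spec.txt
// format): the issuer signs (purpose || expiry-as-unix-seconds || subject key).
type Cert struct {
	Purpose   byte
	Subject   ed25519.PublicKey
	Expiry    time.Time
	Signature []byte
}

// body returns the bytes the issuer signs.
func (c Cert) body() []byte {
	buf := make([]byte, 1+8, 1+8+ed25519.PublicKeySize)
	buf[0] = c.Purpose
	binary.BigEndian.PutUint64(buf[1:], uint64(c.Expiry.Unix()))
	return append(buf, c.Subject...)
}

// issue creates a certificate for subject, signed by issuer, valid until expiry.
func issue(issuer ed25519.PrivateKey, purpose byte, subject ed25519.PublicKey, expiry time.Time) Cert {
	c := Cert{Purpose: purpose, Subject: subject, Expiry: expiry.Truncate(time.Second)}
	c.Signature = ed25519.Sign(issuer, c.body())
	return c
}

// verifyCert checks purpose, issuer signature and expiry of a single certificate.
func verifyCert(issuer ed25519.PublicKey, c Cert, purpose byte, now time.Time) error {
	if c.Purpose != purpose {
		return fmt.Errorf("cert purpose %d, want %d", c.Purpose, purpose)
	}
	if !ed25519.Verify(issuer, c.body(), c.Signature) {
		return errors.New("cert signature does not verify under issuer key")
	}
	if !now.Before(c.Expiry) {
		return fmt.Errorf("cert expired at %s", c.Expiry.UTC())
	}
	return nil
}

// DirAuthKeys holds what a running directory authority keeps on disk in this
// model. The master private key is deliberately absent: it stays offline.
type DirAuthKeys struct {
	MasterPub   ed25519.PublicKey
	SigningPriv ed25519.PrivateKey
	SigningCert Cert // issued by the master key
	SRPriv      ed25519.PrivateKey
	SRCert      Cert // issued by the signing key, same expiry as SigningCert
}

// Setup generates the three keys and the two-level chain. lifetime plays the
// role of SigningKeyLifetime; the SR cert reuses the signing cert's expiry.
func Setup(lifetime time.Duration, now time.Time) (*DirAuthKeys, error) {
	masterPub, masterPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	signingPub, signingPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	srPub, srPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	expiry := now.Add(lifetime)
	signingCert := issue(masterPriv, PurposeSigning, signingPub, expiry)
	srCert := issue(signingPriv, PurposeSR, srPub, expiry) // chained to the signing key, not the master key
	// masterPriv is dropped here: it is not needed again until the next rotation.
	return &DirAuthKeys{MasterPub: masterPub, SigningPriv: signingPriv, SigningCert: signingCert,
		SRPriv: srPriv, SRCert: srCert}, nil
}

// VerifySRChain walks master -> signing cert -> SR cert and enforces the
// "same validity period" rule from the proposal.
func VerifySRChain(master ed25519.PublicKey, signingCert, srCert Cert, now time.Time) error {
	if err := verifyCert(master, signingCert, PurposeSigning, now); err != nil {
		return fmt.Errorf("signing cert: %w", err)
	}
	if err := verifyCert(signingCert.Subject, srCert, PurposeSR, now); err != nil {
		return fmt.Errorf("SR cert: %w", err)
	}
	if !srCert.Expiry.Equal(signingCert.Expiry) {
		return errors.New("SR cert validity differs from signing cert validity")
	}
	return nil
}

// SignSR signs an SR protocol message (e.g. a commit value) with the SR key.
func (k *DirAuthKeys) SignSR(msg []byte) []byte { return ed25519.Sign(k.SRPriv, msg) }

// VerifySR validates the chain and then the SR signature on msg.
func VerifySR(master ed25519.PublicKey, signingCert, srCert Cert, msg, sig []byte, now time.Time) error {
	if err := VerifySRChain(master, signingCert, srCert, now); err != nil {
		return err
	}
	if !ed25519.Verify(srCert.Subject, msg, sig) {
		return errors.New("SR signature invalid")
	}
	return nil
}

func main() {
	now := time.Now()
	k, err := Setup(30*24*time.Hour, now) // 30 days, the default discussed above
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: SR commit value") // constructed input
	sig := k.SignSR(msg)
	fmt.Println("valid now:     ", VerifySR(k.MasterPub, k.SigningCert, k.SRCert, msg, sig, now))
	fmt.Println("31 days later: ", VerifySR(k.MasterPub, k.SigningCert, k.SRCert, msg, sig, now.Add(31*24*time.Hour)))
}
```

Because the SR cert is checked against signingCert.Subject, a certificate signed directly by the master key is rejected even though the master key is trusted; that is the point of keeping the master key offline and chaining through the medium-term key. Rotating the signing key therefore also invalidates the SR key, which is what "exactly the same validity period" implies in practice.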