
commit 3c0422acc464a9da74bc35d3027ae966bf59d8d0 Author: Nick Mathewson <nickm@torproject.org> Date: Sat Jan 10 15:45:59 2015 -0500 Add 240, tweak 227 --- proposals/000-index.txt | 2 + proposals/227-vote-on-package-fingerprints.txt | 5 +-- proposals/240-auth-cert-revocation.txt | 48 ++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 3 deletions(-) diff --git a/proposals/000-index.txt b/proposals/000-index.txt index 9af0405..b8d4490 100644 --- a/proposals/000-index.txt +++ b/proposals/000-index.txt @@ -160,6 +160,7 @@ Proposals by number: 237 All relays are directory servers [OPEN] 238 Better hidden service stats from Tor relays [DRAFT] 239 Consensus Hash Chaining [DRAFT] +240 Early signing key revocation for directory authorities [DRAFT] Proposals by status: @@ -184,6 +185,7 @@ Proposals by status: 235 Stop assigning (and eventually supporting) the Named flag [for 0.2.5] 238 Better hidden service stats from Tor relays 239 Consensus Hash Chaining + 240 Early signing key revocation for directory authorities NEEDS-REVISION: 131 Help users to verify they are using Tor 190 Bridge Client Authorization Based on a Shared Secret diff --git a/proposals/227-vote-on-package-fingerprints.txt b/proposals/227-vote-on-package-fingerprints.txt index d82f76c..83ac3da 100644 --- a/proposals/227-vote-on-package-fingerprints.txt +++ b/proposals/227-vote-on-package-fingerprints.txt @@ -31,12 +31,11 @@ Status: Open VERSION = NONSPACE URL = NONSPACE DIGESTS = DIGEST | DIGESTS SP DIGEST - DIGEST = DIGESTTYPE "=" BASE64 + DIGEST = DIGESTTYPE "=" DIGESTVAL NONSPACE = one or more non-space printing characters - BASE64 = one or more base-64 characters, with trailing =s - removed. + DIGESTVAL = any number of non-=, non-" " characters. SP = " " NL = a newline diff --git a/proposals/240-auth-cert-revocation.txt b/proposals/240-auth-cert-revocation.txt new file mode 100644 index 0000000..fa426ca --- /dev/null +++ b/proposals/240-auth-cert-revocation.txt 
@@ -0,0 +1,48 @@ +Filename: 240-auth-cert-revocation.txt +Title: Early signing key revocation for directory authorities. +Author: Nick Mathewson +Created: 09-Jan-2015 +Status: Draft + +1. Overview + + This proposal describes a simple way for directory authorities to + perform signing key revocation. + +2. Specification + + We add the following lines to the authority signing certificate + format: + + revoked-signing-key SP algname SP FINGERPRINT NL + + This line may appear zero or more times. + + It indicates that a particular not-yet-expired signing key should not + be used. + +3. Client and cache operation + + No client or cache should retain, use, or serve any certificate whose + signing key is described in a revoked-signing-key line in a + certificate with the same authority identity key. (If the signing + key fingerprint appears in a cert with a different identity key, it + has no effect: you aren't allowed to revoke other people's keys.) + + No Tor instance should download a certificate whose signing + key,identity key combination is known to be revoked. + +4. Authority operator interface. + + The 'tor-gencert' command will take a number of older certificates to + revoke as optional command-line arguments. It will include their + keys in revoked-signing-key lines only if they are still valid, or + have been expired for no more than a month. + +5. Circular revocation + + My first attempt at writing a proposal here included a lengthy + section about how to handle cases where certificate A revokes the key + of certificate B, and certificate B revokes the key of certificate A. + + Instead, I am inclined to say that this is a MUST NOT.
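Review bot: In the 227 hunk, `DIGESTVAL = any number of non-=, non-" " characters` admits an empty value, so a line containing `sha256=` would parse as a valid DIGEST; make it "one or more", matching the NONSPACE rule above it. The removed `BASE64 = ... with trailing =s removed` text also carried the only statement that base64 padding is stripped; since DIGESTVAL now forbids `=`, that stripping is still mandatory for base64 digests but is no longer written down anywhere, so keep a sentence saying padding is removed before the value is emitted. Consider excluding NL as well as " " so that a DIGESTVAL cannot run past the line terminator.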
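Review bot: In the 240 hunk, section 5 declares mutual revocation (certificate A revokes B's key and B revokes A's) a MUST NOT, but section 3 never says what a client or cache does when it actually receives such a pair, so implementations will diverge on exactly the case the proposal wants to rule out; state the receiving-side rule explicitly (for example, treat both signing keys as revoked and fetch a fresh certificate). Section 3 also only says clients and caches "should not" retain, use or serve a revoked certificate while section 5 uses MUST NOT; use RFC 2119 keywords consistently and say MUST where the revocation is meant to be enforced. The `revoked-signing-key SP algname SP FINGERPRINT NL` line neither defines `algname` nor says where the FINGERPRINT encoding comes from; point at the dir-spec definitions. Minor: "signing key,identity key combination" is missing a space, and the "Title:" line and the section 4 heading end in periods while the other headings do not.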