commit f5abfb7914adca80783e1b6edbd7b02aecf1b0aa Author: nusenu nusenu-github@riseup.net Date: Fri Aug 14 10:04:18 2020 +0000
Create xxx-tor-relay-well-known-uri-rfc8615.md --- .../ideas/xxx-tor-relay-well-known-uri-rfc8615.md | 71 ++++++++++++++++++++++ 1 file changed, 71 insertions(+)
diff --git a/proposals/ideas/xxx-tor-relay-well-known-uri-rfc8615.md b/proposals/ideas/xxx-tor-relay-well-known-uri-rfc8615.md new file mode 100644 index 0000000..a9490a9 --- /dev/null +++ b/proposals/ideas/xxx-tor-relay-well-known-uri-rfc8615.md @@ -0,0 +1,71 @@ +``` +Filename: xxx-tor-relay-well-known-uri-rfc8615.md +Title: The "tor-relay" Well-Known Resource Identifier +Author: nusenu +Created: 14 August 2020 +Status: Open +``` + +This is a specification for a well-known registry submission according to [RFC8615](https://tools.ietf.org/html/rfc8615) + +# The "tor-relay" Well-Known Resource Identifier + +This resource identifier is used for the the verification of [Tor](https://www.torproject.org/) relay contact information +(more specifically the [operatorurl](https://nusenu.github.io/ContactInfo-Information-Sharing-Specification/#oper...)). +It can also be used for autodiscovery of Tor relays run by a given entity, if the entity domain is known. +It solves the issue that Tor relay contact information is an unidirectional and unverified claim by nature. +This well-known URI aims to allow the verification of the unidirectional claim. +It aims to reduce the risk of impersonation attacks, where a Tor relay claims to be operated by a certain entity, but actually isn't. +The automated verification will also support the [visualization of relay groups](https://gitlab.torproject.org/tpo/metrics/relay-search/-/issues/40001). + +* An initially (unverified) Tor relay contact information might claim to be related to an +organization by pointing to its website: Tor relay contact information field -> website +* The "tor-relay" URI allows for the verification of that claim by fetching the files containing Tor relay ID(s) under the specified URI, +because attackers can not easily place these files at the given location. + +* By publishing Tor relay IDs under this URI the website operator claims to operate these relays. +The verification of listed Tor relay IDs only succeeds if the claim can be verified bidirectionally (website -> relay and relay -> website). + +* This URI is not related to Tor bridges or Tor onion services. + +* The URL MUST be HTTPS and use a valid TLS certificate from a generally trusted root CA. Plain HTTP MUST not be used. + +* The URL MUST be accessible by robots (no CAPTCHAs). + +## /.well-known/tor-relay/rsa-fingerprint.txt + +* The file contains one or more Tor relay RSA SHA1 fingerprints operated by the entity in control of this website. +* Each line contains one fingerprint. +* The file may contain comments (starting with #). +* Non-comment lines must be exactly 40 characters long and consist of the following characters [a-fA-F0-9]. +* Fingerprints are not case-sensitive. +* Each fingerprint MUST appear at most once. +* The file MUST not be larger than one MByte. +* The file MUST NOT contain fingerprints of Tor bridges (or hashes of bridge fingerprints). +* The content MUST be a media type of "text/plain". + +Example file content: + +``` +# we operate these Tor relays +A234567890123456789012345678901234567ABC +B234567890123456789012345678901234567890 +``` +The RSA SHA1 relay fingerprint can be found in the file named "fingerprint" located in the Tor data directory on the relay. + + +# Change Controller + +tor-dev AT lists.torproject.org + +# Related Information + +* [https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt%5D(https://gitwe...) +* [https://gitweb.torproject.org/torspec.git/tree/cert-spec.txt%5D(https://gitw...) +* [https://nusenu.github.io/ContactInfo-Information-Sharing-Specification/#oper...) + + + + + +