commit 78636a3911b2db96ff80194d1309f72acf66fd59 Author: Nick Mathewson nickm@torproject.org Date: Tue May 16 09:33:21 2017 -0400
Merge prop274; mark it closed. --- dir-spec.txt | 11 +++++++++++ proposals/000-index.txt | 4 ++-- proposals/274-rotate-onion-keys-less.txt | 2 +- tor-spec.txt | 10 ++++++---- 4 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/dir-spec.txt b/dir-spec.txt index d6ad9d8..4c842e8 100644 --- a/dir-spec.txt +++ b/dir-spec.txt @@ -1911,6 +1911,17 @@ client should no longer try to find a diff for it. (min 0, max 8192, default 72)
+ onion key lifetime parameters: + "onion-key-rotation-days" -- (min 1, max 90, default 28) + "onion-key-grace-period-days" -- (min 1, max + onion-key-rotation-days, default 7) + Every relay should list each onion key it generates for + onion-key-rotation-days days after generating it, and then + replace it. Relays should continue to accept their most recent + previous onion key for an additional onion-key-grace-period-days + days after it is replaced. (Introduced in 0.3.1.1-alpha; + prior versions of tor hardcoded both of these values to 7 days.) + "shared-rand-previous-value" SP NumReveals SP Value NL
[At most once] diff --git a/proposals/000-index.txt b/proposals/000-index.txt index bba6534..57392e4 100644 --- a/proposals/000-index.txt +++ b/proposals/000-index.txt @@ -194,7 +194,7 @@ Proposals by number: 271 Another algorithm for guard selection [CLOSED] 272 Listed routers should be Valid, Running, and treated as such [CLOSED] 273 Exit relay pinning for web services [DRAFT] -274 Rotate onion keys less frequently [FINISHED] +274 Rotate onion keys less frequently [CLOSED] 275 Stop including meaningful "published" time in microdescriptor consensus [OPEN] 276 Report bandwidth with lower granularity in consensus documents [OPEN] 277 Detect multiple relay instances running with same ID [OPEN] @@ -280,7 +280,6 @@ Proposals by status: 232 Pluggable Transport through SOCKS proxy [in 0.2.6] 244 Use RFC5705 Key Exporting in our AUTHENTICATE calls [in 0.3.0.1-alpha] 260 Rendezvous Single Onion Services [in 0.2.9.3-alpha] - 274 Rotate onion keys less frequently [in 0.3.1.1-alpha] 278 Directory Compression Scheme Negotiation [in 0.3.1.1-alpha] CLOSED: 101 Voting on the Tor Directory System [in 0.2.0.x] @@ -351,6 +350,7 @@ Proposals by status: 264 Putting version numbers on the Tor subprotocols [in 0.2.9.4-alpha] 271 Another algorithm for guard selection [in 0.3.0.1-alpha] 272 Listed routers should be Valid, Running, and treated as such [in 0.2.9.3-alpha, 0.2.9.4-alpha] + 274 Rotate onion keys less frequently [in 0.3.1.1-alpha] SUPERSEDED: 112 Bring Back Pathlen Coin Weight 113 Simplifying directory authority administration diff --git a/proposals/274-rotate-onion-keys-less.txt b/proposals/274-rotate-onion-keys-less.txt index 7c17873..d3a962a 100644 --- a/proposals/274-rotate-onion-keys-less.txt +++ b/proposals/274-rotate-onion-keys-less.txt @@ -2,7 +2,7 @@ Filename: 274-rotate-onion-keys-less.txt Title: Rotate onion keys less frequently. Author: Nick Mathewson Created: 20-Feb-2017 -Status: Finished +Status: Closed Implemented-In: 0.3.1.1-alpha
1. Overview diff --git a/tor-spec.txt b/tor-spec.txt index fdb8535..f61e98f 100644 --- a/tor-spec.txt +++ b/tor-spec.txt @@ -147,9 +147,10 @@ see tor-design.pdf. - A long-term signing-only "Identity key" used to sign documents and certificates, and used to establish relay identity. - A medium-term TAP "Onion key" used to decrypt onion skins when accepting - circuit extend attempts. (See 5.1.) Old keys MUST be accepted for at - least one week after they are no longer advertised. Because of this, - relays MUST retain old keys for a while after they're rotated. + circuit extend attempts. (See 5.1.) Old keys MUST be accepted for a + while after they are no longer advertised. Because of this, + relays MUST retain old keys for a while after they're rotated. (See + "onion key lifetime parameters" in dir-spec.txt.) - A short-term "Connection key" used to negotiate TLS connections. Tor implementations MAY rotate this key as often as they like, and SHOULD rotate this key at least once a day. @@ -160,7 +161,8 @@ see tor-design.pdf. accepting incoming circuit extend requests. As with TAP onion keys, old ntor keys MUST be accepted for at least one week after they are no longer advertised. Because of this, relays MUST retain old keys for a - while after they're rotated. + while after they're rotated. (See "onion key lifetime parameters" in + dir-spec.txt.)
These are Ed25519 keys: