This is an automated email from the git hooks/post-receive script.
nickm pushed a change to branch main in repository torspec.
from b29e64e proof-reading on prop 266
new 674befc add hashed-bridge-rsa-fingerprint.txt
new 7e505e6 add info on where to find hashed bridge fingerprin
new a5a8899 Merge remote-tracking branch 'tor-gitlab/mr/72'
The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
Summary of changes:
 proposals/326-tor-relay-well-known-uri-rfc8615.md | 51 ++++++++++++++++-------
 1 file changed, 37 insertions(+), 14 deletions(-)
nickm pushed a commit to branch main in repository torspec.
commit 674befc327f8ff0d66cd16fd3a4f7da0229db708
Author: nusenu 360-nusenu@gitlab.torproject.org
AuthorDate: Sun May 29 10:07:50 2022 +0000
add hashed-bridge-rsa-fingerprint.txt
since contactinfo for bridges is also public now, we add support for bridges
---
 proposals/326-tor-relay-well-known-uri-rfc8615.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/proposals/326-tor-relay-well-known-uri-rfc8615.md b/proposals/326-tor-relay-well-known-uri-rfc8615.md index 4f13835..35bb942 100644 --- a/proposals/326-tor-relay-well-known-uri-rfc8615.md +++ b/proposals/326-tor-relay-well-known-uri-rfc8615.md @@ -73,6 +73,25 @@ bHzOT41w56KHh+w6TYwUhN4KrGwPWQWJX04/+tw/+RU
The base64 encoded ed25519 public master key can be found in the file named "fingerprint-ed25519" located in the Tor data directory on the relay.
+## /.well-known/tor-relay/hashed-bridge-rsa-fingerprint.txt + +* The file contains one or more SHA1 hashed Tor bridge SHA1 fingerprints operated by the entity in control of this website. +* Each line contains one hashed fingerprint. +* The file may contain comments (starting with #). +* Non-comment lines must be exactly 40 characters long and consist of the following characters [a-fA-F0-9]. +* Hashed fingerprints are not case-sensitive. +* Each hashed fingerprint MUST appear at most once. +* The file MUST not be larger than one MByte. +* The file MUST NOT contain fingerprints of Tor relays. +* The content MUST be a media type of "text/plain". + +Example file content: + +``` +# we operate these Tor bridges +1234567890123456789012345678901234567ABC +4234567890123456789012345678901234567890 +```
# Change Controller
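Review bot: the new section in the hunk at @@ -73,6 +73,25 @@ defines the file format but, unlike the neighbouring sections (see the unchanged context line "The base64 encoded ed25519 public master key can be found in the file named "fingerprint-ed25519" located in the Tor data directory on the relay."), never says where an operator finds the hashed bridge fingerprint or how it is derived from the plain fingerprint; add a closing sentence of the same form for the bridge case. Two wording points in the same hunk: "one or more SHA1 hashed Tor bridge SHA1 fingerprints" reads doubled, "one or more SHA1 hashes of Tor bridge RSA SHA1 fingerprints" would be clearer; and "The file MUST not be larger than one MByte" should use "MUST NOT" to match the RFC 2119 capitalisation of the surrounding bullets.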
nickm pushed a commit to branch main in repository torspec.
commit 7e505e651695122fd46404643ca9ea149bbfbb13
Author: nusenu 360-nusenu@gitlab.torproject.org
AuthorDate: Wed Jun 1 18:04:52 2022 +0000
add info on where to find hashed bridge fingerprin
as suggested by meskio
make clear that the ed25519 file is not relevant for bridges
---
 proposals/326-tor-relay-well-known-uri-rfc8615.md | 34 +++++++++++++----------
 1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/proposals/326-tor-relay-well-known-uri-rfc8615.md b/proposals/326-tor-relay-well-known-uri-rfc8615.md index 35bb942..2f820ea 100644 --- a/proposals/326-tor-relay-well-known-uri-rfc8615.md +++ b/proposals/326-tor-relay-well-known-uri-rfc8615.md @@ -10,22 +10,23 @@ Status: Open
This is a specification for a well-known [registry](https://www.iana.org/assignments/well-known-uris/) entry according to [RFC8615](https://tools.ietf.org/html/rfc8615).
-This resource identifier can be used for serving and finding proofs related to [Tor](https://www.torproject.org/) relay contact information. -It can also be used for autodiscovery of Tor relays run by a given entity, if the entity domain is known. -It solves the issue that Tor relay contact information is an unidirectional and unverified claim by nature. +This resource identifier can be used for serving and finding proofs related to [Tor](https://www.torproject.org/) relay and bridge contact information. +It can also be used for autodiscovery of Tor relays run by a given entity, if the entity's domain is known. +It solves the issue that Tor relay/bridge contact information is an unidirectional and unverified claim by nature. This well-known URI aims to allow the verification of the unidirectional claim. -It aims to reduce the risk of impersonation attacks, where a Tor relay claims to be operated by a certain entity, but actually isn't. -The automated verification will also support the [visualization of relay groups](https://gitlab.torproject.org/tpo/metrics/relay-search/-/issues/40001). +It aims to reduce the risk of impersonation attacks, where a Tor relay/bridge claims to be operated by a certain entity, but actually isn't. +The automated verification will also support the [visualization of relay/bridge groups](https://gitlab.torproject.org/tpo/metrics/relay-search/-/issues/40001).
-* An initially (unverified) Tor relay contact information might claim to be related to an -organization by pointing to its website: Tor relay contact information field -> website -* The "tor-relay" URI allows for the verification of that claim by fetching the files containing Tor relay ID(s) under the specified URI, -because attackers can not easily place these files at the given location. +* An initially (unverified) Tor relay or bridge contact information might claim to be related to an +organization by pointing to its website: Tor relay/bridge contact information field -> website +* The "tor-relay" URI allows for the verification of that claim by fetching the files containing Tor relay ID(s) or hashed bridge fingerprints +under the specified URI, because attackers can not easily place these files at the given location.
-* By publishing Tor relay IDs under this URI the website operator claims to be the responsible entity for these Tor relays. -The verification of listed Tor relay IDs only succeeds if the claim can be verified bidirectionally (website -> relay and relay -> website). +* By publishing Tor relay IDs or hashed bridge IDs under this URI the website operator claims to be the responsible entity for these Tor relays/bridges. +The verification of listed Tor relay/bridge IDs only succeeds if the claim can be verified bidirectionally +(website -> relay/bridge and relay/bridge -> website).
-* This URI is not related to Tor bridges or Tor onion services. +* This URI is not related to Tor onion services.
* The URL MUST be HTTPS and use a valid TLS certificate from a generally trusted root CA. Plain HTTP MUST not be used.
@@ -34,13 +35,13 @@ The verification of listed Tor relay IDs only succeeds if the claim can be verif ## /.well-known/tor-relay/rsa-fingerprint.txt
* The file contains one or more Tor relay RSA SHA1 fingerprints operated by the entity in control of this website. -* Each line contains one fingerprint. +* Each line contains one relay fingerprint. +* The file MUST NOT contain fingerprints of Tor bridges (or hashes of bridge fingerprints). For bridges see the file `hashed-bridge-rsa-fingerprint.txt`. * The file may contain comments (starting with #). * Non-comment lines must be exactly 40 characters long and consist of the following characters [a-fA-F0-9]. * Fingerprints are not case-sensitive. * Each fingerprint MUST appear at most once. * The file MUST not be larger than one MByte. -* The file MUST NOT contain fingerprints of Tor bridges (or hashes of bridge fingerprints). * The content MUST be a media type of "text/plain".
Example file content: @@ -55,6 +56,7 @@ The RSA SHA1 relay fingerprint can be found in the file named "fingerprint" loca ## /.well-known/tor-relay/ed25519-master-pubkey.txt
* The file contains one or more ed25519 Tor relay public master keys of relays operated by the entity in control of this website. +* This file is not relevant for bridges. * Each line contains one public ed25519 master key in its base64 encoded form. * The file may contain comments (starting with #). * Non-comment lines must be exactly 43 characters long and consist of the following characters [a-zA-z0-9/+]. @@ -76,7 +78,7 @@ The base64 encoded ed25519 public master key can be found in the file named "fin ## /.well-known/tor-relay/hashed-bridge-rsa-fingerprint.txt
* The file contains one or more SHA1 hashed Tor bridge SHA1 fingerprints operated by the entity in control of this website. -* Each line contains one hashed fingerprint. +* Each line contains one hashed bridge fingerprint. * The file may contain comments (starting with #). * Non-comment lines must be exactly 40 characters long and consist of the following characters [a-fA-F0-9]. * Hashed fingerprints are not case-sensitive. @@ -93,6 +95,8 @@ Example file content: 4234567890123456789012345678901234567890 ```
+The hashed Tor bridge fingerprint can be found in the file named "hashed-fingerprint" located in the Tor data directory on the bridge. + # Change Controller
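Review bot: in the hunk at @@ -10,22 +10,23 @@, the reworded bullet "An initially (unverified) Tor relay or bridge contact information might claim to be related to an organization" does not parse, since "contact information" takes no article; suggest "The initially unverified contact information of a Tor relay or bridge might claim to be related to an organization". The same hunk rewrites "is an unidirectional and unverified claim by nature" but keeps the wrong article; "a unidirectional" is correct.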
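Review bot: in the hunk at @@ -34,13 +35,13 @@, the relocated rule "The file MUST NOT contain fingerprints of Tor bridges (or hashes of bridge fingerprints)" cannot be enforced syntactically, because both rsa-fingerprint.txt and hashed-bridge-rsa-fingerprint.txt accept exactly 40 characters from [a-fA-F0-9]; consider adding a sentence telling verifiers how to treat a well-formed line that matches no known relay (ignore that line, or reject the whole file), so that independent implementations behave the same way.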
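Review bot: in the hunk at @@ -55,6 +56,7 @@, the unchanged context line "Non-comment lines must be exactly 43 characters long and consist of the following characters [a-zA-z0-9/+]" carries a typo in the range: "A-z" is not "A-Z", and read as a character class it also admits "[", "\", "]", "^", "_" and "`", none of which are valid base64; since this section is being touched for the bridge note anyway, change it to [a-zA-Z0-9/+].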
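Review bot: in the hunk at @@ -93,6 +95,8 @@, the added sentence "The hashed Tor bridge fingerprint can be found in the file named "hashed-fingerprint" located in the Tor data directory on the bridge." tells operators where the value lives but not how it relates to the plain RSA SHA1 fingerprint documented under rsa-fingerprint.txt; a short statement of how the hashed form is computed would let an operator or a verifier derive one from the other rather than depending on the file alone, and would make the "MUST NOT contain fingerprints of Tor relays" rule in this section checkable.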
Tor Project Development Mailing List tor-dev@lists.torproject.org
nickm pushed a commit to branch main in repository torspec.
commit a5a88998989ec1123d07cf12f204f78ae0db9750
Merge: b29e64e 7e505e6
Author: Nick Mathewson nickm@torproject.org
AuthorDate: Fri Jun 10 10:21:27 2022 -0400
Merge remote-tracking branch 'tor-gitlab/mr/72'
 proposals/326-tor-relay-well-known-uri-rfc8615.md | 51 ++++++++++++++++-------
 1 file changed, 37 insertions(+), 14 deletions(-)
tor-commits@lists.torproject.org