commit 300d66200e6778baba68c12cea03a7e8d8dc7076 Author: Alexander Færøy ahf@torproject.org Date: Wed Mar 13 15:50:47 2019 +0100

Proposal 301: Don't include package fingerprints in consensus documents --- proposals/000-index.txt | 2 + .../301-dont-vote-on-package-fingerprints.txt | 73 ++++++++++++++++++++++ 2 files changed, 75 insertions(+)

diff --git a/proposals/000-index.txt b/proposals/000-index.txt index 7cc5806..36cfe4b 100644 --- a/proposals/000-index.txt +++ b/proposals/000-index.txt @@ -221,6 +221,7 @@ Proposals by number: 298 Putting family lines in canonical form [CLOSED] 299 Preferring IPv4 or IPv6 based on IP Version Failure Count [OPEN] 300 Walking Onions: Scaling and Saving Bandwidth [DRAFT] +301 Don't include package fingerprints in consensus documents [OPEN]

Proposals by status: @@ -253,6 +254,7 @@ Proposals by status: 295 Using ADL for relay cryptography (solving the crypto-tagging attack) 296 Have Directory Authorities expose raw bandwidth list files 299 Preferring IPv4 or IPv6 based on IP Version Failure Count + 301 Don't include package fingerprints in consensus documents ACCEPTED: 188 Bridge Guards and other anti-enumeration defenses 249 Allow CREATE cells with >505 bytes of handshake data diff --git a/proposals/301-dont-vote-on-package-fingerprints.txt b/proposals/301-dont-vote-on-package-fingerprints.txt new file mode 100644 index 0000000..8e8b63a --- /dev/null +++ b/proposals/301-dont-vote-on-package-fingerprints.txt @@ -0,0 +1,73 @@ +Filename: 301-dont-vote-on-package-fingerprints.txt +Title: Don't include package fingerprints in consensus documents +Author: Iain R. Learmonth +Created: 2019-02-21 +Status: Open +Ticket: #28465 + +0. Abstract + + I propose modifying the Tor consensus document to remove + digests of the latest versions of package files. These "package" + lines were never used by any directory authority and so add + additional complexity to the consensus voting mechanisms while + adding no additional value. + +1. Introduction + + In proposal 227 [1], to improve the integrity and security of + updates, a way to authenticate the latest versions of core Tor + software through the consensus was described. By listing a location + with this information for each version of each package, we can + augment the update process of Tor software to authenticate the + packages it downloads through the Tor consensus. This was + implemented in tor 0.2.6.3-alpha. + + When looking at modernising our network archive recently [2], I + came across this line for votes and consensuses. If packages are + referenced by the consensus then ideally we should archive those + packages just as we archive referenced descriptors. However, this + line was never present in any vote archived. + +2. Proposal + + We deprecate the "package" line in the specification for votes. + + Directory authorities stop voting for "package" lines in their + votes. Changes to votes do not require a new consensus method, so + this part of the proposal can be implemented separately. + + We allocate a consensus method when this proposal is implemented. + Let's call it consensus method N. + + Authorities will continue computing consensus package lines in the + consensus if the consensus method is between 19 and (N-1). If the + consensus method is N or later, they omit these lines. + +3. Security Considerations + + This proposal removes a feature that could be used for improved + security but currently isn't. As such it is extra code in the + codebase that may have unknown bugs or lead to bugs in the future + due to unexpected interactions. Overall this should be a good + thing for security of Core Tor. + +4. Compatability Considerations + + A new consensus method is required for this proposal. The + "package" line was always optional and so no client should be + depending on it. There are no known consumers of the "package" + lines (there are none to consume anyway). + +A. References + + [1] Nick Mathewson, Mike Perry. "Include package fingerprints in + consensus documents". Tor Proposal 227, February 2014. + [2] Iain Learmonth, Karsten Loesing. "Towards modernising data + collection and archive for the Tor network". Technical Report + 2018-12-001, December 2018. + +B. Acknowledgements + + Thanks to teor and Nick Mathewson for their comments and + suggestions on this proposal.