Razvan Dragomirescu:
Ivan, if I understand https://onionbalance.readthedocs.org/en/latest/design.html#next-generation-o... correctly, the setup I've planned will no longer work once Tor switches to the next generation hidden services architecture, is this correct? Will there be any backwards compatibility or will old hidden services simply stop working at that point?
No, actually the setup will work. But it will not work until the code base (of the OB) is changed*. For now one can sign an arbitrary set of IPs with their key (you can test it with e.g. the Facebook HS) and this descriptor will be valid [1]. Cross-certifications are just a mechanism for hardening this process. In order to make the frontend descriptor valid, backend instances must "be aware" of the frontend. So backend nodes certify the public key of the frontend, and then they can be included in a frontend descriptor. [using OB terminology]
[*] Also there is still only RSA crypto in the OB.
[1] https://trac.torproject.org/projects/tor/ticket/15951