On Tue, Apr 8, 2014 at 2:15 PM, Nicholas Hopper hopper@cs.umn.edu wrote:
To clarify here: does "router[s] descriptors signed by the old identity" include the old-id field? That is, in case an identity key is compromised is there a race to claim the old-id mapping? If not, how should the authorities/clients treat a pair of descriptors claiming the mapping?
Further thinking about this, I think the right answer should be: if ANY authority posts two different identities claiming the same old-id, all history associated with the old id is dropped (i.e. will not be associated with ANY other identity). This seems to be the safest compromise between performance and security:
- if the old id was not compromised, or the adversary chooses not to claim it, then retaining the identity's history improves performance, and so the network is better off than before this proposal (when the history would have been lost).
- if two claims are made for the old id, then that confirms that the identity was compromised; we have no safe way to judge which new identity is the "true heir," and so dropping the history leaves the network in the same state as it would have been without this proposal.
Sorry if this was obvious and I was just too slow to realize it.