(2) Rotate to fresh identity keys for moria1, the directory authority that I run. In early November 2022 there was a remote break-in to the computer running moria1. Based on the evidence and the type of attack, I believe it was a standard automated attack -- that is, I think they weren't targeting the directory authority and also they never realized it *was* a directory authority. But to be extra safe, we decided to rotate to a fresh set of keys. I was also in the middle of a planned move to better hardware, so overall it was good timing for a fresh new start.
Thanks for sharing. I'm curious about the suspected standard automated attack, can you share any details about it? Was it against the directory server code or against another service?
- Directory authority keys already have a notion of an offline long-term identity with shorter-lifetime online keys that expire periodically, with the goal of limiting the future impact of a compromise. But it seems like this role separation never quite matches up well to the security issues that arise in practice, whereas it definitely adds complexity both to the design and to operation. This piece of the design could use some new ideas.
I'd like to learn more about these security issues in practice. I can imagine physical security is a big part of it. Do you maybe have some specific pointers for me to look for?