[tor-bugs] #5565 [Tor Relay]: MyFamily should provide an alternate non-idhex subscription mechanism
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Apr 4 06:22:16 UTC 2012
#5565: MyFamily should provide an alternate non-idhex subscription mechanism
-------------------------+--------------------------------------------------
Reporter: mikeperry | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Tor: 0.2.4.x-final
Component: Tor Relay | Version:
Keywords: | Parent: #5563
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by rransom):
If you're worried about a relay's host obtaining a relay's secret keys,
you can't rely on storing a relay family's secret key in its torrc or
DataDirectory.
Should we worry about an attacker who compromises a relay's identity key
being able to claim to be in that relay's families forever? If not, then
an operator can generate a family-membership signature once per relay, put
it in the relay's torrc, and have the relay put that signature in its
descriptors (thereby cross-certifying it with the relay's identity key).
If we do worry about that replay attack, things get messier; a relay's
operator will need to generate family-membership signatures once per
$INTERVAL per relay, and then upload them to the relay periodically. (In
this case, I wouldn't recommend putting the signature itself in the torrc;
reference a separate file instead.)
Or should we just drop the MyFamily feature entirely, on the assumption
that only good guys try to use it in a non-malicious way?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5565#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list