[tor-bugs] #11119 [Tor]: Write a proposal for client-side key pinning
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Aug 18 15:37:30 UTC 2014
#11119: Write a proposal for client-side key pinning
-------------------------+-------------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: needs_information
Priority: normal | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-client needs-proposal
Actual Points: | 026-triaged-1
Points: | Parent ID:
-------------------------+-------------------------------------------------
Changes (by nickm):
* status: new => needs_information
Comment:
I started writing up a proposal draft here, but I'm not currently seeing
the point of it. If a client has a correct consensus, it should get the
correct RSA1024<->Ed25519 mappings unless the authorities are lying. But
if the authorities are lying, they can poison the clients in lots of other
ways too.
Similarly, for stuff like bridges, we can export the ed25519 key in the
bridge line, and we don't need to remember the RSA1024 key at all. That's
probably a better idea than pinning in the first place, right?
For guards, we should remember every public key we've seen for the guard,
and only connect if all the keys are good.
So, what's the value here? What's the threat model it helps for?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11119#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list