[tor-bugs] #16580 [Tor]: Reload keypins on SIGHUP? Or provide some other way to undo a single keypin?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 14 13:57:47 UTC 2015
#16580: Reload keypins on SIGHUP? Or provide some other way to undo a single
keypin?
--------------------------+--------------------------------
Reporter: nickm | Owner:
Type: defect | Status: new
Priority: critical | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version:
Resolution: | Keywords:
Actual Points: | Parent ID: #16530
Points: |
--------------------------+--------------------------------
Description changed by nickm:
Old description:
> Right now, there isn't a way to undo a buggy key-pin without stopping the
> authority, editing the keypin file, and restarting it. Not good:
> authority operators shouldn't have to reboot just because we had a bug.
>
> We should fix this before we release 0.2.7.2-alpha.
>
> I see ~~two~~four options here.
>
> 1. Make it okay to edit the key-pinning journal on a running Tor. That's
> not so great; we need to be able to append to it, and editors may have
> swap-file races with it.
> 2. Add a torrc option to unpin an existing key. This would only need to
> be stuck into the torrc once; it would remove the pin, and allow a new
> key pin to occur.
> 3. No fix; hope that this situation never happens again; tell the
> authoritiy ops to edit the keypinning file when they upgrade, or give
> them a script to do it.
> 4. One-off fix: undo the pin in software for the two specific keypairs
> affected, and hope this never happens again.
New description:
Right now, there isn't a way to undo a buggy key-pin without stopping the
authority, editing the keypin file, and restarting it. Not good:
authority operators shouldn't have to reboot just because we had a bug.
We should fix this before we release 0.2.7.2-alpha.
I see ~~two~~ ~~four~~ six options here.
1. Make it okay to edit the key-pinning journal on a running Tor. That's
not so great; we need to be able to append to it, and editors may have
swap-file races with it.
2. Add a torrc option to unpin an existing key. This would only need to
be stuck into the torrc once; it would remove the pin, and allow a new key
pin to occur.
3. No fix; hope that this situation never happens again; tell the
authoritiy ops to edit the keypinning file when they upgrade, or give them
a script to do it.
4. One-off fix: undo the pin in software for the two specific keypairs
affected, and hope this never happens again.
5. As 3, but tell the ops to remove the file.
6. As 5, but have Tor use a new file name, and remove the old one it
exists, so that the ops don't have to do anything at all.
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16580#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list