[tor-bugs] #17349 [Tor]: Create an ed25519 shared randomness key for dirauths

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 14 12:25:23 UTC 2015 

#17349: Create an ed25519 shared randomness key for dirauths
--------------------+------------------------------------
 Reporter:  asn     |          Owner:
     Type:  defect  |         Status:  new
 Priority:  Medium  |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor     |        Version:
 Severity:  Normal  |     Resolution:
 Keywords:          |  Actual Points:
Parent ID:  #16943  |         Points:
  Sponsor:          |
--------------------+------------------------------------

Comment (by nickm):

 a) This one.

 RSA authority signing key ==> ed25519 master identity key -> ed25519
 signing key ==> ed25519 SR key

 The only missing parts here are the ones I've done as "==>".  The first
 means that authorities should affirm their ed25519 identities.

 b) They could go in the certificate, but I'm not 100% sure they have to.
 Certificates do not currently include the RSA OR identity key.  I think
 that putting them in the voter-info block would make more sense.  (The one
 that goes {{{
 dir-source dannenberg 585769C78764D58426B8B52B6651A5A71137189A
 dannenberg.torauth.de 193.23.244.244 80 443
 contact Andreas Lehner <ops at torauth.de>
 vote-digest FB581F58EFCA26CD61323CE2E2082542960AA405
 }}})

 Votes are signed by the RSA authority signing key, so this would
 authenticate the ed25519 master identity key using that.

 c) not necessarily; only if they go into the dir-key-certificate thing.

 d) This really isn't a lot of work.  The rest of the chain is already
 there.  It's just adding another signed key.


 e)
 >Also, it's worth mentioning that dirauths are relays by default, and
 hence they have ed25519 keys as relays. Those keys should also be included
 in their votes, so other dirauths should be able to get them.
 >Could we use those keys for prop250? And would we use those keys as they
 are, or would we need to generate a subkey for SR purposes?

 Yes, these are the keys I'm talking about.  The master ed25519 identity
 key as a relay can already be kept offline and has similar security
 properties to the master RSA authority key.  I'm saying that the master
 ed25519 identity key, as used by relays, should be certified by the RSA
 certificate chain.

 We _do_ want to make a new key for this case, though.  We are trying hard
 to avoid multipurpose signing keys.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17349#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list