[tor-commits] [torspec/master] Add 240, tweak 227

nickm at torproject.org nickm at torproject.org
Sat Jan 10 20:46:03 UTC 2015


commit 3c0422acc464a9da74bc35d3027ae966bf59d8d0
Author: Nick Mathewson <nickm at torproject.org>
Date:   Sat Jan 10 15:45:59 2015 -0500

    Add 240, tweak 227
---
 proposals/000-index.txt                        |    2 +
 proposals/227-vote-on-package-fingerprints.txt |    5 +--
 proposals/240-auth-cert-revocation.txt         |   48 ++++++++++++++++++++++++
 3 files changed, 52 insertions(+), 3 deletions(-)

diff --git a/proposals/000-index.txt b/proposals/000-index.txt
index 9af0405..b8d4490 100644
--- a/proposals/000-index.txt
+++ b/proposals/000-index.txt
@@ -160,6 +160,7 @@ Proposals by number:
 237  All relays are directory servers [OPEN]
 238  Better hidden service stats from Tor relays [DRAFT]
 239  Consensus Hash Chaining [DRAFT]
+240  Early signing key revocation for directory authorities [DRAFT]
 
 
 Proposals by status:
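Review bot: the index entry added here, "Early signing key revocation for directory authorities", does not match the Title header of the new proposals/240-auth-cert-revocation.txt, which ends with a period. The neighbouring entries in this hunk (237, 238, 239) carry no trailing period, so dropping the period from the Title header would make the file and both index listings agree.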
@@ -184,6 +185,7 @@ Proposals by status:
    235  Stop assigning (and eventually supporting) the Named flag [for 0.2.5]
    238  Better hidden service stats from Tor relays
    239  Consensus Hash Chaining
+   240  Early signing key revocation for directory authorities
  NEEDS-REVISION:
    131  Help users to verify they are using Tor
    190  Bridge Client Authorization Based on a Shared Secret
diff --git a/proposals/227-vote-on-package-fingerprints.txt b/proposals/227-vote-on-package-fingerprints.txt
index d82f76c..83ac3da 100644
--- a/proposals/227-vote-on-package-fingerprints.txt
+++ b/proposals/227-vote-on-package-fingerprints.txt
@@ -31,12 +31,11 @@ Status: Open
       VERSION = NONSPACE
       URL = NONSPACE
       DIGESTS = DIGEST | DIGESTS SP DIGEST
-      DIGEST = DIGESTTYPE "=" BASE64
+      DIGEST = DIGESTTYPE "=" DIGESTVAL
 
       NONSPACE = one or more non-space printing characters
 
-      BASE64 = one or more base-64 characters, with trailing =s
-               removed.
+      DIGESTVAL = any number of non-=, non-" " characters.
 
       SP = " "
       NL = a newline
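Review bot: the new DIGESTVAL rule, "any number of non-=, non-" " characters", admits the empty string and does not exclude a newline, so a DIGEST consisting of DIGESTTYPE "=" and nothing else would parse as valid, whereas the BASE64 rule it replaces required "one or more" characters. Suggest wording it in the style of NONSPACE, for example "one or more non-=, non-space printing characters". Since the grammar no longer says how the value is encoded, it would also help to state that the encoding is determined by DIGESTTYPE.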
diff --git a/proposals/240-auth-cert-revocation.txt b/proposals/240-auth-cert-revocation.txt
new file mode 100644
index 0000000..fa426ca
--- /dev/null
+++ b/proposals/240-auth-cert-revocation.txt
@@ -0,0 +1,48 @@
+Filename: 240-auth-cert-revocation.txt
+Title: Early signing key revocation for directory authorities.
+Author: Nick Mathewson
+Created: 09-Jan-2015
+Status: Draft
+
+1. Overview
+
+   This proposal describes a simple way for directory authorities to
+   perform signing key revocation.
+
+2. Specification
+
+   We add the following lines to the authority signing certificate
+   format:
+
+     revoked-signing-key SP algname SP FINGERPRINT NL
+
+   This line may appear zero or more times.
+
+   It indicates that a particular not-yet-expired signing key should not
+   be used.
+
+3. Client and cache operation
+
+   No client or cache should retain, use, or serve any certificate whose
+   signing key is described in a revoked-signing-key line in a
+   certificate with the same authority identity key.  (If the signing
+   key fingerprint appears in a cert with a different identity key, it
+   has no effect: you aren't allowed to revoke other people's keys.)
+
+   No Tor instance should download a certificate whose signing
+   key,identity key combination is known to be revoked.
+
+4. Authority operator interface.
+
+   The 'tor-gencert' command will take a number of older certificates to
+   revoke as optional command-line arguments.  It will include their
+   keys in revoked-signing-key lines only if they are still valid, or
+   have been expired for no more than a month.
+
+5. Circular revocation
+
+   My first attempt at writing a proposal here included a lengthy
+   section about how to handle cases where certificate A revokes the key
+   of certificate B, and certificate B revokes the key of certificate A.
+
+   Instead, I am inclined to say that this is a MUST NOT.
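Review bot: in section 2, the line format "revoked-signing-key SP algname SP FINGERPRINT NL" uses algname and FINGERPRINT without defining either. The proposal should list the permitted algname values, say what the fingerprint is computed over and how it is encoded, and say what a parser does with an algname it does not recognize. Section 2 should also state where in the certificate the line may appear, so it is clear that it is covered by the certificate's signature. Section 5 makes circular revocation a MUST NOT, but section 3 gives clients and caches no rule for the case where they do see certificates A and B revoking each other's keys; one sentence on the expected behaviour would close that gap.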


