120-suicide-descriptors: add revocation and send on restart

Geoffrey Goodell goodell at eecs.harvard.edu
Thu Apr 10 20:16:11 UTC 2008

Proposal 120 addresses the need for Tor servers that are no longer
providing relaying services to quickly be removed from lists of Tor
relays (and the blacklists upon which they depend).

The proposal as written makes two critical assumptions:

(1) that a Tor server that wants to be removed from blacklists is still
in possession of the key that it had when it was relaying, and

(2) that a Tor server that wants to be removed from blacklists will shut
down relaying services before its process dies.

We can address (1) via revocation certificates.  In particular, we need
the ability for a new server running on the same (address, port) to
revoke a previous server running on (address, port).  One challenge is
that this would require some interaction to verify that the new server
is in fact running on the indicated (address, port).

We can address (2) via a new controller command to state that we want to
publish a new descriptor with "reject *:*" and "opt shutdown 1".  When a
controller (e.g. Vidalia) wants to shut down relaying, it can send the
new command, which is interpreted to mean both "set ORPort to 0" and
"publish the new descriptor".

