Thandy attacks / suggestions

Roger Dingledine arma at mit.edu
Mon Dec 8 19:48:09 UTC 2008


On Sun, Dec 07, 2008 at 08:14:42PM -0500, Roger Dingledine wrote:
> A2) Add another layer of indirection, so there's a timestampsigning key
> that signs the timestamp key. That timestampsigning key is listed in
> the key file, and it's kept offline. Whoever controls it still generates
> a new timestamp every month, but now all the master keys don't need to
> be bothered.

It occurs to me that an easier variation of this is to keep the
timestamp key on a very secure computer that's separate from the main
repository. Then it generates a new timestamp file periodically and
scp's it over to the main repository.

That way the timestamp key doesn't have to be stored on the same computer
that runs a big complex webserver.

In this day and age of "run a different VM for each task", that's not a
crazy notion.

--Roger


