Proposal 176: Proposed version-3 link handshake for Tor

Nick Mathewson nickm at
Tue Feb 1 02:52:00 UTC 2011

On Mon, Jan 31, 2011 at 9:50 PM, Nick Mathewson <nickm at> wrote:
>   To authenticate the server, the client MUST check the following:
>     * The CERTS cell contains exactly one CertType 1 "Link" certificate.
>     * The CERTS cell contains exactly one CertType 2 "ID"
>       certificate.
>     * Both certificates have validAfter and validUntil dates that
>       are not expired.
>     * The certified key in the Link certificate matches the
>       link key that was used to negotiate the TLS connection.
>     * The certified key in the ID certificate is a 1024-bit RSA key.
>     * The certified key in the ID certificate was used to sign both
>       certificates.
>     * The link certificate is correctly signed with the key in the
>       ID certificate
>     * The ID certificate is correctly self-signed.

Robert Ransom responded to an earlier draft of this proposal,
suggesting that instead of being self-signed, the ID certificate
should be cross-certified by the link key.  He said:

> > Yes.  I'm not exactly sure why I'm suggesting it.
> >
> > When an OpenPGP public key has a subkey which can be used to generate
> > signatures, GPG requires that that subkey sign the main public key, in
> > addition to requiring that the main public key sign the subkey.  The
> > GPG man page states that this prevents some attacks.  I don't know
> > whether the cross-certification I'm asking for above prevents any
> > attacks we care about.

[Posted here with permission]


More information about the tor-dev mailing list