[tor-dev] Proposal 230: How to change RSA1024 relay identity keys

Nicholas Hopper hopper at cs.umn.edu
Wed Apr 9 19:32:47 UTC 2014

On Tue, Apr 8, 2014 at 2:15 PM, Nicholas Hopper <hopper at cs.umn.edu> wrote:
> To clarify here: does "router[s] descriptors signed by the old
> identity" include the old-id field?  That is, in case an identity key
> is compromised is there a race to claim the old-id mapping?  If not,
> how should the authorities/clients treat a pair of descriptors
> claiming the mapping?

Further thinking about this, I think the right answer should be: if
ANY authority posts two different identities claiming the same old-id,
all history associated with the old id is dropped (i.e. will not be
associated with ANY other identity).  This seems to be the safest
compromise between performance and security:

- if the old id was not compromised, or the adversary chooses not to
claim it, then retaining the identity's history improves performance,
and so the network is better off than before this proposal (when the
history would have been lost).

- if two claims are made for the old id, then that confirms that the
identity was compromised; we have no safe way to judge which new
identity is the "true heir," and so dropping the history leaves the
network in the same state as it would have been without this proposal.

Sorry if this was obvious and I was just too slow to realize it.
Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project
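
The rule proposed in the message above, sketched as an added example that is not part of the original message or of Tor's code. The function name, the vote and history structures, and all identifiers are hypothetical; treating disagreement between authorities the same as one authority listing both claimants is an assumption.

```python
from collections import defaultdict

def resolve_old_id_claims(votes, history):
    """Apply the conflict rule to old-id claims.

    votes:   {authority: [(new_id, old_id_or_None), ...]}  (hypothetical format)
    history: {identity: history_record}
    Returns (inherited, dropped): inherited maps a new identity to the
    history it takes over; dropped is the set of old ids whose history
    is attached to no identity at all.
    """
    claimants = defaultdict(set)  # old_id -> every identity claiming it
    for descriptors in votes.values():
        for new_id, old_id in descriptors:
            if old_id is not None:
                claimants[old_id].add(new_id)

    inherited, dropped = {}, set()
    for old_id, ids in claimants.items():
        if len(ids) > 1:
            # Two different identities claim the same old id: the old key
            # is compromised and there is no safe way to pick the "true
            # heir", so the history goes to nobody.
            dropped.add(old_id)
        elif old_id in history:
            (heir,) = ids
            inherited[heir] = history[old_id]
    return inherited, dropped

# Constructed sample input: OLD_A is claimed by two identities, OLD_B by one
# (seen by both authorities, which is not a conflict).
SAMPLE_HISTORY = {"OLD_A": {"uptime_days": 400}, "OLD_B": {"uptime_days": 90}}
SAMPLE_VOTES = {
    "auth1": [("NEW_A", "OLD_A"), ("EVIL", "OLD_A"), ("NEW_B", "OLD_B")],
    "auth2": [("NEW_A", "OLD_A"), ("NEW_B", "OLD_B"), ("FRESH", None)],
}

if __name__ == "__main__":
    print(resolve_old_id_claims(SAMPLE_VOTES, SAMPLE_HISTORY))
```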
