[tor-dev] Proposition: Applying an AONT to Prop224 addresses?

Ian Goldberg iang at cs.uwaterloo.ca
Mon Apr 3 15:59:12 UTC 2017

On Mon, Apr 03, 2017 at 04:40:52PM +0100, Alec Muffett wrote:
> On 3 Apr 2017 3:48 p.m., "Ian Goldberg" <iang at cs.uwaterloo.ca> wrote:
> The other thing to remember is that didn't we already say that
> facebookgbiyeqv3ebtjnlntwyvjoa2n7rvpnnaryd4a.onion
> and
> face-book-gbiy-eqv3-ebtj-nlnt-wyvj-oa2n-7rvp-nnar-yd4a.onion
> will mean the same thing?  So we're already past the "one (st)ring to
> rule them all" point?
> That's a great point, and I'm definitely interested and in favour of
> readability.
> How about this, though: I know that Tor doesn't want to be in the business
> of site reputation, but what if (eg) Protonmail offers a Onion "Safe
> Browsing" extension some day, of known-bad Onions for malware reasons?

That's a quite good motivating example, thanks!

> There's quite a gulf between stripping hyphens from a candidate onion
> address and doing strcmp(), versus either drilling into the candidate
> address to compute the alternative forms to check against the blacklist, or
> even requiring the blacklist to be 8x larger?

Yes, that's true.  I'm definitely in favour of the "multiply by L (the
order of the group) and check that you get the identity element; error
with 'malformed address' if you don't" to get rid of the torsion point

If the daily descriptor uploaded to the point
Hash(onionaddr, dailyrand) contained Hash(onionaddr, dailyrand) *in* it
(and is signed by the master onion privkey, of course), then tor
could/should check that it reached that location through the "right"
onion address.

I'm afraid the details of what's in that daily descriptor are not in my
brain at the moment.  Does it contain its own (daily blinded) name under
the signature?

   - Ian

More information about the tor-dev mailing list