[tor-dev] HS v3 client authorization types

Suphanat Chunhapanya haxx.pop at gmail.com
Mon Apr 30 10:08:37 UTC 2018


Hi,

On 04/28/2018 06:19 AM, teor wrote:
>> Or should we require the service to enable both for all clients?
>>
>> If you want to let the service be able to enable one while disabling the
>> other, do you have any opinion on how to configure the torrc?
> 
> If someone doesn't understand client auth in detail, and just wants
> to be more secure, we should give them a single option that enables
> both kinds of client auth. (Security by default.)
> 
> OnionServiceClientAuthentication 1
> (Default: 0)
> 
> If someone knows they only want a particular client auth method,
> we should give them another option that contains a list of active
> client auth methods. (Describe what you have, not what you don't
> have, because negatives confuse humans.)
> 
> OnionServiceClientAuthenticationMethods intro
> (Default: descriptor, intro)


Do you have any opinion on specifying the client names in your
recommendation? And the lists of client names in "descriptor" and "intro"
should be independent.

However, what I am currently thinking of is that we can use the existing
format.

HiddenServiceAuthorizeClient auth-type client-name,client-name,...

But instead of allowing only two auth-types, "descriptor" and "intro", we
allow another type called "default", which includes both "descriptor" and
"intro".

So if I put an option:
HiddenServiceAuthorizeClient default client-name,client-name,...

It will be equivalent to two lines of:
HiddenServiceAuthorizeClient descriptor client-name,client-name,...
HiddenServiceAuthorizeClient intro client-name,client-name,...

And on the client side, if I put an option:
HidServAuth onion-address default x25519-private-key ed25519-private-key

It will be equivalent to two lines of:
HidServAuth onion-address descriptor x25519-private-key
HidServAuth onion-address intro ed25519-private-key


What do you all think?

Cheers,
haxxpop
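
Added example, not part of the original message and not tor code: a small Python sketch of the expansion proposed above, turning a "default" line into its explicit "descriptor" and "intro" lines on both the service and client side, and showing that the per-method client lists stay independent. The function names, the sample lines and the placeholder keys XKEY/EDKEY are assumptions made for illustration; "default" is the auth-type proposed in this message.

```python
# Added illustration of the proposal in this message; not tor code.
# "default" is the proposed auth-type; the names and keys below are constructed.
METHODS = ("descriptor", "intro")  # expansion order for "default"

# Constructed sample service configuration.
SAMPLE = [
    "HiddenServiceAuthorizeClient default alice,bob",
    "HiddenServiceAuthorizeClient intro carol",
]


def expand_service(line):
    """Expand one HiddenServiceAuthorizeClient line into explicit per-method lines."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "HiddenServiceAuthorizeClient":
        raise ValueError("expected: HiddenServiceAuthorizeClient auth-type names")
    auth_type, names = parts[1], parts[2]
    if any(not name for name in names.split(",")):
        raise ValueError("empty client name in list")
    if auth_type == "default":
        return [f"{parts[0]} {method} {names}" for method in METHODS]
    if auth_type not in METHODS:
        raise ValueError(f"unknown auth-type: {auth_type}")
    return [" ".join(parts)]


def expand_client(line):
    """Expand one HidServAuth line; "default" takes the x25519 key, then the ed25519 key."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "HidServAuth":
        raise ValueError("expected: HidServAuth onion-address auth-type key...")
    address, auth_type, keys = parts[1], parts[2], parts[3:]
    if auth_type == "default":
        if len(keys) != 2:
            raise ValueError("default needs exactly two keys")
        return [f"HidServAuth {address} {m} {k}" for m, k in zip(METHODS, keys)]
    if auth_type not in METHODS or len(keys) != 1:
        raise ValueError("descriptor/intro take exactly one key")
    return [" ".join(parts)]


def clients_by_method(lines):
    """Collect the authorized client names per method after expansion."""
    result = {method: set() for method in METHODS}
    for line in lines:
        for expanded in expand_service(line):
            _, method, names = expanded.split()
            result[method].update(names.split(","))
    return result
```

With the constructed SAMPLE, carol ends up authorized for "intro" only, while alice and bob are authorized for both methods.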
