[tor-relays] T-shirts and Confirming Relay Control

Matthew Finkel matthew.finkel at gmail.com
Mon May 4 05:35:09 UTC 2015


On Sun, May 03, 2015 at 03:31:01PM -0700, Tom van der Woerdt wrote:
> Matthew Finkel wrote on 03/05/15 at 14:47:
> >On Sun, May 03, 2015 at 08:20:54PM +0000, Matthew Finkel wrote:
> >>On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
> >>>On Sun, 3 May 2015, Matthew Finkel wrote:
> >>>
> >>>>Assuming the path to their data dir is /var/lib/tor, we ask them to run:
> >>>
> >>>Please don't get in the habit of asking relay operators through e-mail to
> >>>run complex bash command lines as root.  As a security practice, this is
> >>>terrible.  (How do you know the suggested command wasn't altered before it
> >>>reached its recipient?)
> >>
> >>Yes, this is terrible, and I really hate the idea of asking it. I signed
> >>all my emails for the t-shirt requests, but now we're relying on
> >>everyone fetching my key and verifying the mail - so, that's also a bad
> >>assumption. I don't have a good solution. This is why I'm asking.
> >>
> >
> >What if we add the commands to the t-shirt[0] website? Again, this isn't
> >a great solution, but we already have documentation which requires
> >running commands with elevated privileges on there, and it's slightly
> >better than sending it in an email. These commands are still more
> >complex than I'd like, but besides providing an executable or
> >verifiable shell script, I'm running low on solutions.
> >
> >[0] https://www.torproject.org/getinvolved/tshirt
> >
> >Thanks,
> >Matt
> 
> Hi Matt,
> 
> How about:
> 
>  * Primarily using ContactInfo for the verification
>  * If you cannot match the ContactInfo, ask people to set it on their relays

Sounds good.

>  * If they are unwilling/unable to do so, ask them to sign their mail
> address using their secret Tor key

How? For the short-term, do you think asking the operator to run the
proposed command is not a crazy idea?

>  * Implement a --sign option for Tor 0.2.7
>  * Starting a year from now, just ask everyone to sign the request

We'd need more than a year for this, likely four years at the earliest,
because Jessie only has 0.2.6.

> 
> Proving ownership of a Tor relay can be relevant for more applications than
> just Weather, so a simple --sign option can be good to have. That doesn't
> address the immediate concerns though, it's more of a long-term solution.

I think this may be a good idea, especially if CAs begin issuing certs
for onion sites. Implementing it will not be too difficult;
unfortunately, its usability may be a little tricky.

