[tor-relays] [Looking for feedback] An easier way to declare families

nusenu nusenu-lists at riseup.net
Sat Nov 6 16:29:42 UTC 2021


It is a nice surprise to see activity in this area of
tor, thank you for working on this.

> Option 3 requires regular updates to all the relays in the family,
> which makes it cumbersome.  Its advantage is that if a relay is
> compromised, you don't need to re-key the family.
> 
> Options 1 and 2 are less secure, since you have to re-key your whole
> family if the key is ever compromised.  But they have the advantage
> that they don't take any maintenance in the regular case.
> 
> Option 1 is a little more convenient than option 2, since you can
> use any old random file.  But that makes it more error prone: if
> somebody chooses an insecure password as their random file, an
> attacker could guess it and become a family member.

I believe from an operational point of view options 1 and 2 are practically
identical since most will simply use the provided tor parameter to generate the secret/key.
To prevent weak random files, tor could refuse to use files that are shorter than N.

> If all three of these options were available, which of these would
> you choose?  Is there anything else that we could do to make this
> system simpler or easier to use?
> 
> If I'm left to my own devices, I will probably just implement option
> 2 for now, but leave the door open for option 3 in the future.

I was about to suggest to implement option 2 and 3, so it is great to see
you are considering both options. This also matches the current possibilities
with OfflineMasterKey 0|1.

I believe both options make sense because there are small and large families which have different levels of
maturity in their tooling and operations (and different levels of risk).
Smaller operators might do everything manually and are happy to use option 2;
bigger ones probably use some form of configuration management like ansible and offlinemasterkeys
already, so option 3 would basically come at no additional cost for them because they can renew
family certs when they update the other certs in one go. The family certs should support the same
ranges as torrc's SigningKeyLifetime.

Since I maintain an ansible tor role that is used by many of the largest families:
I'll certainly integrate option 3 in relayor. When compared with option 0 (current MyFamily design)
option 2 has weaker properties so I would stay on option 0 until option 3 becomes available.

kind regards,
nusenu

-- 
https://nusenu.github.io
