[tor-talk] Improved HS key management

[Gregory Maxwell]

One of the current unfortunate properties of hidden services is that
the identity of the hidden service is its public key (or the
equivalent hash, in the current setup), and this key must always be
available for signing on an online host (usually the HS itself, though
potentially on a bastion host).

This is pretty bad for prudent key management— the key is very high
value because its difficult to change, and then stuck always online
constantly being signed with— even on demand by a hostile attacker.

Then the matter is made even worse by there being no systematized
mechanism for revocation.

It would be preferable if it were possible to have a HS master key
which was kept _offline_ which could be use to authorize use for some
time period and/or revoke usage. The offline key could be used to
create an online key which is good for a year or until superseded by a
higher sequence number, and every 6 months the online key could be
replaced. Thus if an old copy of the HS media were discovered it
couldn't be used to impersonate the site.

Sadly the homomorphism proposed to prevent HSDIR enumeration attacks
cannot be used to accomplish this, as knoweldge of the ephemeral
private key and the public blinding factor yields the original private
key.

I can describe a scheme to address this but I'm surprised to not find
any discussion of it.