[tor-talk] x.509 for hidden services

grarpamp grarpamp at gmail.com
Mon Oct 28 05:30:00 UTC 2013

On Sun, Oct 27, 2013 at 11:15 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> It also raises the point that perhaps future Tor HS should also
> support delegation
> so that the HS master identity key could be kept offline.  E.g. you
> have a HS identity
> key, and it delegates to a short term HS key which has a lifetime of
> only 1 month,

I think I posted or ticketed along these lines a year or two ago.
The node keys were RSA so there was definitely utility in signing
assertions or encrypting things with them. Problem was
- tor didn't support passphrased keys at startup
- keys were then exposed to the world on a clone box
- they were only 1024 bit... most are moving to 2k/4k now.
- those same node keys were also the top of the chain as
far as tor knew about them. so you couldn't really have an integrated
offline ca/signature/gen scheme in place above them that would
effectively do anything as far as tor cared.
- I didn't actually get to testing keyops with them yet, particularly
to see if a sig/assert [self or other] on a pubkey was possible,
and then would make it to and be preserved by the dirs. The concept
died out largely for former reasons.

> and perhaps has some kind of priority scheme such that a key with a higher
> sequence number takes precedence. E.g. if someone compromises your key you can
> instantly throw up a new service which people will connect to instead...

I think freenet has sequence numbers of some sort.

> If your HS (bastion) host is compromised you wouldn't completely lose
> control of your HS identity.
> Might even be useful to pre-define a maximum sequence number such that
> an announcement with
> that sequence number blocks access.
> So if your site is compromised
> you can announce a pre-signed HS revocation which forever kills the
> address so long as someone keeps periodically rebroadcasting it to

Yes, right now you're screwed. Though I think a downloadable
revocation crl would be better than forcing the former owner
to stay online forever.

> RPs.


>> a standardized OID or is widely supported in X.509 implementations - e.g.,
>> Curve25519.

Thought there was an OID thread on one of the crypto lists this month.
It may have been a joke though, I didn't read it closely.

More information about the tor-talk mailing list