[tor-bugs] #17349 [Tor]: Create an ed25519 shared randomness key for dirauths
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 14 12:11:04 UTC 2015
#17349: Create an ed25519 shared randomness key for dirauths
------------------------+--------------------------------
     Reporter:  asn     |          Owner:
         Type:  defect  |         Status:  new
     Priority:  Medium  |      Milestone:  Tor: 0.2.8.x-final
    Component:  Tor     |        Version:
     Severity:  Normal  |       Keywords:
Actual Points:          |      Parent ID:  #16943
       Points:          |        Sponsor:
------------------------+--------------------------------

In proposal250, dirauths sign their commitments. We assume an ed25519 key
is going to be used for signatures, both for signature length and for
security. Unfortunately, there is currently no ed25519 key that
authorities use.

I talked to Nick about this and he suggested that a new key will need to
be created especially for this reason. IIUC this new SR key will need to
be chain-certified down to the RSA signing key, since we still use RSA
keys as the long-term identity of dirauths.

A few questions here:

a) What's the key hierarchy we are aiming for here?

Is it:
    RSA signing key -> ed25519 identity key -> ed25519 signing key ->
    ed25519 SR key
or
    RSA signing key -> ed25519 signing key -> ed25519 SR key
or
    RSA signing key -> ed25519 SR key

We discussed this in IRC the other day, but my box crashed and I lost
backlog :(
Could you please remind me what's the best option here?

b) Where should these new long-term ed25519 keys be listed? Should they be
part of the `dir-key-certificate-version` block in the votes?

c) How should they be generated? It should be part of `tor-gencert`, right?

Sebastian pointed out that dirauths firing up `tor-gencert` in their
offline machines is not an easy task and costs them lots of money and
time. So we should make sure that this procedure works well for them.

What is the procedure for generating new keys with `tor-gencert`? I would
like to understand this, since Sebastian suggested we should prepare the
`tor-gencert` patch well in advance, and send an email to dirauth
operators so that they have time to run it and be all set by the time the
shared randomness patch hits Tor.

If we do so, then in the shared randomness code we can assume that the
keys are already generated. If they are not, we should complain to the
dirauth operator and ask them to run the `tor-gencert` command. However,
it should also be possible for a dirauth operator that doesn't have the
right ed25519 keys to work as a dirauth but not participate in the SR
protocol.

d) This seems like lots of work! Is there a less demanding way out? For
example, would it be super stupid to just sign the ed25519 SR key with the
long-term RSA signing key?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17349>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
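
The hierarchies listed under (a) and the direct option in (d) differ only in how many ed25519 links sit between the RSA signing key and the SR key. The Go code below is an added example, not Tor's code or certificate format (`Link`, `body`, `NewRoot`, `Certify`, `VerifyChain` and the domain tag are assumptions made here): it certifies one link at a time and verifies a chain of any depth from the RSA root down to the SR key.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Link: Sig is the parent's signature over Child (constructed layout and tag, not Tor's format).
type Link struct{ Child, Sig []byte }

func body(child []byte) []byte { return append([]byte("example-sr-chain-v1:"), child...) }

// NewRoot stands in for a dirauth's RSA signing key (generated here for the demo).
func NewRoot() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Certify signs child with parent: the RSA root or an ed25519 key further down.
func Certify(parent crypto.Signer, child ed25519.PublicKey) ([]byte, error) {
	if _, isRSA := parent.(*rsa.PrivateKey); isRSA {
		d := sha256.Sum256(body(child)) // RSA PKCS#1 v1.5 signs a SHA-256 digest
		return parent.Sign(rand.Reader, d[:], crypto.SHA256)
	}
	return parent.Sign(rand.Reader, body(child), crypto.Hash(0)) // pure Ed25519
}

// VerifyChain checks every link from the RSA root down and returns the last key (the SR key).
func VerifyChain(root *rsa.PublicKey, chain []Link) (sr ed25519.PublicKey, err error) {
	for i, l := range chain {
		d := sha256.Sum256(body(l.Child))
		ok := (i == 0 && rsa.VerifyPKCS1v15(root, crypto.SHA256, d[:], l.Sig) == nil) ||
			(i > 0 && ed25519.Verify(sr, body(l.Child), l.Sig))
		if sr = l.Child; !ok || len(sr) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("link %d does not verify", i)
		}
	}
	if sr == nil {
		return nil, fmt.Errorf("empty chain")
	}
	return sr, nil
}

func main() {
	root, _ := NewRoot()
	srPub, _, _ := ed25519.GenerateKey(rand.Reader)
	sig, _ := Certify(root, srPub)
	_, err := VerifyChain(&root.PublicKey, []Link{{srPub, sig}})
	fmt.Println("RSA signing key -> ed25519 SR key verifies:", err == nil)
}
```

A verifier that accepts any depth lets the offline key ceremony pick the hierarchy without changing the check that consumers of SR commitments run.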