[tor-bugs] #20969 [Core Tor/DocTor]: Detect relays that don't update their onion keys every 7 days.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 14 16:06:48 UTC 2016
#20969: Detect relays that don't update their onion keys every 7 days.
---------------------------------+--------------------
Reporter: dgoulet | Owner: atagar
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Core Tor/DocTor | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
---------------------------------+--------------------
This is related to #20055 which would be an important thing to monitor for
the health and security of the network.
There are multiple things here that can be or should be checked.
The `onion-key` field is an RSA key so DocTor will need to keep a
persistent database of those over time (only used for TAP handshake).
The `ntor-onion-key` field also can be monitored the same as the RSA key.
If the `ntor-onion-key-crosscert` field is present, you'll get a timestamp
for free in the certificate which should have the `exp_field` set to the
last published time + 7 days.
In any case, a router SHOULD NOT keep either a TAP or ntor onion key for
_more_ than 7 days, as this is hardcoded in Tor. If they do, it could be
another implementation, but finding them would be good so we can warn/ask
them to fix it. Or better, also detect bugs in the tor implementation that
could keep those for a longer time.
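As an added example (not DocTor's code and not part of the ticket), a minimal Python tracker that records first/last-seen times per onion key from a stream of descriptor observations and flags relays whose current key has been in use for more than the 7-day rotation period; the relay fingerprints, key strings and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_ONION_KEY_AGE = timedelta(days=7)  # rotation period hardcoded in Tor
KEY_FIELDS = ("onion-key", "ntor-onion-key")  # TAP (RSA) and ntor keys


@dataclass
class KeyHistory:
    first_seen: datetime  # published time of the first descriptor with this key
    last_seen: datetime   # published time of the latest descriptor with this key


@dataclass
class OnionKeyTracker:
    # (fingerprint, field name) -> {key material -> KeyHistory}; in a real
    # monitor this map would be persisted between runs (assumption).
    seen: dict = field(default_factory=dict)

    def record(self, fingerprint, published, descriptor_fields):
        """Ingest one descriptor: fingerprint, published time, key fields."""
        for name in KEY_FIELDS:
            key = descriptor_fields.get(name)
            if key is None:
                continue
            hist = self.seen.setdefault((fingerprint, name), {})
            entry = hist.get(key)
            if entry is None:
                hist[key] = KeyHistory(published, published)
            else:
                entry.first_seen = min(entry.first_seen, published)
                entry.last_seen = max(entry.last_seen, published)

    def stale_keys(self, max_age=MAX_ONION_KEY_AGE):
        """Return (fingerprint, field, age) for current keys older than max_age.

        Age is a lower bound: we only know when we first *saw* the key."""
        problems = []
        for (fp, name), hist in self.seen.items():
            current = max(hist.values(), key=lambda h: h.last_seen)
            age = current.last_seen - current.first_seen
            if age > max_age:
                problems.append((fp, name, age))
        return problems


def demo():
    """Constructed sample: relay AAAA rotates on day 9, relay BBBB never does."""
    tracker, base = OnionKeyTracker(), datetime(2016, 12, 1)
    for d in (0, 3, 6):
        tracker.record("AAAA", base + timedelta(days=d), {"onion-key": "K1", "ntor-onion-key": "N1"})
    tracker.record("AAAA", base + timedelta(days=9), {"onion-key": "K2", "ntor-onion-key": "N2"})
    for d in (0, 5, 10):
        tracker.record("BBBB", base + timedelta(days=d), {"onion-key": "K3", "ntor-onion-key": "N3"})
    return sorted(tracker.stale_keys())
```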
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20969>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>